Commit 72b3897a authored by Wouter Wolters's avatar Wouter Wolters Committed by Alexander Opitz
Browse files

[TASK] Apply quoteJSvalue or htmlspecialchars to getModuleUrl

Furthermore add BACK_PATH as 3rd argument where appropriate.

Resolves: #64896
Releases: master
Change-Id: Icd52343246c7aa57114f7d3e22f9a16ea65567c9
Reviewed-on: http://review.typo3.org/36697


Reviewed-by: Jigal van Hemert's avatarJigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert's avatarJigal van Hemert <jigal.van.hemert@typo3.org>
Reviewed-by: Alexander Opitz's avatarAlexander Opitz <opitz.alexander@googlemail.com>
Tested-by: Alexander Opitz's avatarAlexander Opitz <opitz.alexander@googlemail.com>
parent a0fe37a3
......@@ -727,7 +727,12 @@ class ClickMenu {
} else {
$conf = '1==1';
}
$editOnClick = 'if(' . $loc . ' && ' . $conf . ' ){' . $loc . '.location.href=top.TS.PATH_typo3+\'' . BackendUtility::getModuleUrl('tce_db') . '&redirect=\'+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+\'' . '&cmd[' . $table . '][' . $uid . '][delete]=1&prErr=1&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction') . '\';};';
$editOnClick = 'if(' . $loc . ' && ' . $conf . ' ){' . $loc . '.location.href=top.TS.PATH_typo3+' .
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation($loc . '.document') . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&cmd[' . $table . '][' . $uid . '][delete]=1&prErr=1&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction')
) . ';};';
if ($table === 'pages') {
$editOnClick .= 'top.nav.refresh.defer(500, top.nav);';
}
......@@ -798,7 +803,12 @@ class ClickMenu {
public function DB_changeFlag($table, $rec, $flagField, $title) {
$uid = $rec['_ORIG_uid'] ?: $rec['uid'];
$loc = 'top.content.list_frame';
$editOnClick = 'if(' . $loc . '){' . $loc . '.location.href=top.TS.PATH_typo3+\'' . BackendUtility::getModuleUrl('tce_db') . '&redirect=\'' . '+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+\'' . '&data[' . $table . '][' . $uid . '][' . $flagField . ']=' . ($rec[$flagField] ? 0 : 1) . '&prErr=1&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction') . '\';};';
$editOnClick = 'if(' . $loc . '){' . $loc . '.location.href=top.TS.PATH_typo3+' .
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation($loc . '.document') . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+\'' .
GeneralUtility::quoteJSvalue(
'&data[' . $table . '][' . $uid . '][' . $flagField . ']=' . ($rec[$flagField] ? 0 : 1) . '&prErr=1&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction')
) . ';};';
if ($table === 'pages') {
$editOnClick .= 'top.nav.refresh.defer(500, top.nav);';
}
......@@ -1018,7 +1028,12 @@ class ClickMenu {
} else {
$conf = '1==1';
}
$editOnClick = 'if(' . $loc . ' && ' . $conf . ' ){' . $loc . '.location.href=top.TS.PATH_typo3+\'' . BackendUtility::getModuleUrl('tce_file') . '&redirect=\'+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+\'' . '&file[delete][0][data]=' . rawurlencode($path) . '&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction') . '\';};';
$editOnClick = 'if(' . $loc . ' && ' . $conf . ' ){' . $loc . '.location.href=top.TS.PATH_typo3+' .
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_file') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&file[delete][0][data]=' . rawurlencode($path) . '&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction')
) . ';};';
return $this->linkItem($this->label('delete'), IconUtility::getSpriteIcon('actions-edit-delete'), $editOnClick . 'return false;');
}
......@@ -1117,7 +1132,13 @@ class ClickMenu {
public function dragDrop_copymovepage($srcUid, $dstUid, $action, $into) {
$negativeSign = $into === 'into' ? '' : '-';
$loc = 'top.content.list_frame';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+"' . BackendUtility::getModuleUrl('tce_db') . '&redirect="+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+"' . '&cmd[pages][' . $srcUid . '][' . $action . ']=' . $negativeSign . $dstUid . '&prErr=1&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction') . '";};top.nav.refresh();';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+' .
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&cmd[pages][' . $srcUid . '][' . $action . ']=' . $negativeSign . $dstUid . '&prErr=1&vC=' .
$this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction')
) . ';};top.nav.refresh();';
return $this->linkItem($this->label($action . 'Page_' . $into), IconUtility::getSpriteIcon('actions-document-paste-' . $into), $editOnClick . 'return false;', 0);
}
......@@ -1132,7 +1153,13 @@ class ClickMenu {
*/
public function dragDrop_copymovefolder($srcPath, $dstPath, $action) {
$loc = 'top.content.list_frame';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+"' . BackendUtility::getModuleUrl('tce_file') . '&redirect="+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+"' . '&file[' . $action . '][0][data]=' . $srcPath . '&file[' . $action . '][0][target]=' . $dstPath . '&prErr=1&vC=' . $this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction') . '";};top.nav.refresh();';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+' .
GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_file') . '&redirect=') . '+top.rawurlencode(' .
$this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+' .
GeneralUtility::quoteJSvalue(
'&file[' . $action . '][0][data]=' . $srcPath . '&file[' . $action . '][0][target]=' . $dstPath . '&prErr=1&vC=' .
$this->backendUser->veriCode() . BackendUtility::getUrlToken('tceAction')
) . ';};top.nav.refresh();';
return $this->linkItem($this->label($action . 'Folder_into'), IconUtility::getSpriteIcon('apps-pagetree-drag-move-into'), $editOnClick . 'return false;', 0);
}
......
......@@ -565,15 +565,14 @@ class Clipboard {
* @return string
*/
public function pasteUrl($table, $uid, $setRedirect = TRUE, array $update = NULL) {
$rU = $this->backPath . ($table == '_FILE' ? BackendUtility::getModuleUrl('tce_file') . '&' : BackendUtility::getModuleUrl('tce_db') . '&') .
($setRedirect ? 'redirect=' . rawurlencode(GeneralUtility::linkThisScript(array('CB' => ''))) : '') .
return ($table == '_FILE' ? BackendUtility::getModuleUrl('tce_file', array(), $this->backPath) : BackendUtility::getModuleUrl('tce_db', array(), $this->backPath)) .
($setRedirect ? '&redirect=' . rawurlencode(GeneralUtility::linkThisScript(array('CB' => ''))) : '') .
'&vC=' . $GLOBALS['BE_USER']->veriCode() .
'&prErr=1&uPT=1' .
'&CB[paste]=' . rawurlencode($table . '|' . $uid) .
'&CB[pad]=' . $this->current .
(is_array($update) ? GeneralUtility::implodeArrayForUrl('CB[update]', $update) : '') .
BackendUtility::getUrlToken('tceAction');
return $rU;
}
/**
......@@ -584,8 +583,9 @@ class Clipboard {
* @return string
*/
public function deleteUrl($setRedirect = 1, $file = 0) {
$rU = $this->backPath . ($file ? BackendUtility::getModuleUrl('tce_file') . '&' : BackendUtility::getModuleUrl('tce_db') . '&') . ($setRedirect ? 'redirect=' . rawurlencode(GeneralUtility::linkThisScript(array('CB' => ''))) : '') . '&vC=' . $GLOBALS['BE_USER']->veriCode() . '&prErr=1&uPT=1' . '&CB[delete]=1' . '&CB[pad]=' . $this->current . BackendUtility::getUrlToken('tceAction');
return $rU;
return ($file ? BackendUtility::getModuleUrl('tce_file', array(), $this->backPath) : BackendUtility::getModuleUrl('tce_db', array(), $this->backPath))
. ($setRedirect ? '&redirect=' . rawurlencode(GeneralUtility::linkThisScript(array('CB' => ''))) : '') . '&vC=' . $GLOBALS['BE_USER']->veriCode()
. '&prErr=1&uPT=1' . '&CB[delete]=1' . '&CB[pad]=' . $this->current . BackendUtility::getUrlToken('tceAction');
}
/**
......
......@@ -686,7 +686,7 @@ class EditDocumentController {
if (
' . ($GLOBALS['BE_USER']->jsConfirmation(4) ? 'confirm(' . GeneralUtility::quoteJSvalue($GLOBALS['LANG']->getLL('deleteWarning')) . ')' : '1==1') . '
) {
window.location.href = "' . BackendUtility::getModuleUrl('tce_db') . '&cmd["+table+"]["+id+"][delete]=1' . BackendUtility::getUrlToken('tceAction') . '&redirect="+escape(url)+"&vC=' . $GLOBALS['BE_USER']->veriCode() . '&prErr=1&uPT=1";
window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db') . '&cmd[') . '+table+"]["+id+"][delete]=1' . BackendUtility::getUrlToken('tceAction') . '&redirect="+escape(url)+"&vC=' . $GLOBALS['BE_USER']->veriCode() . '&prErr=1&uPT=1";
}
return false;
}
......
......@@ -146,7 +146,7 @@ class CreateFolderController {
$pageContent = $this->doc->header($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:file_newfolder.php.pagetitle'));
if ($this->folderObject->checkActionPermission('add')) {
$code = '<form role="form" action="' . BackendUtility::getModuleUrl('tce_file') . '" method="post" name="editform">';
$code = '<form role="form" action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_file')) . '" method="post" name="editform">';
// Making the selector box for the number of concurrent folder-creations
$this->number = \TYPO3\CMS\Core\Utility\MathUtility::forceIntegerInRange($this->number, 1, 10);
$code .= '
......
......@@ -118,7 +118,7 @@ class EditFileController {
top.goToModule("file_list");
}
');
$this->doc->form = '<form action="' . BackendUtility::getModuleUrl('tce_file') . '" method="post" name="editform">';
$this->doc->form = '<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_file')) . '" method="post" name="editform">';
}
/**
......
......@@ -110,7 +110,7 @@ class FileUploadController {
$this->doc = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Template\DocumentTemplate::class);
$this->doc->setModuleTemplate('EXT:backend/Resources/Private/Templates/file_upload.html');
$this->doc->backPath = $GLOBALS['BACK_PATH'];
$this->doc->form = '<form action="' . BackendUtility::getModuleUrl('tce_file') . '" method="post" name="editform" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '">';
$this->doc->form = '<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_file')) . '" method="post" name="editform" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '">';
}
/**
......
......@@ -136,7 +136,7 @@ class RenameFileController {
} else {
$fileIdentifier = $this->fileOrFolderObject->getUid();
}
$pageContent .= '<form action="' . BackendUtility::getModuleUrl('tce_file') . '" method="post" name="editform" role="form">';
$pageContent .= '<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_file')) . '" method="post" name="editform" role="form">';
// Making the formfields for renaming:
$pageContent .= '
......
......@@ -478,7 +478,7 @@ class PageLayoutController {
function deleteRecord(table,id,url) { //
if (confirm(' . GeneralUtility::quoteJSvalue($GLOBALS['LANG']->getLL('deleteWarning')) . ')) {
window.location.href = "' . $GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db') . '&cmd["+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC=' . $GLOBALS['BE_USER']->veriCode() . BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1";
window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_db', array(), $GLOBALS['BACK_PATH']) . '&cmd[') . '+table+"]["+id+"][delete]=1&redirect="+escape(url)+"&vC=' . $GLOBALS['BE_USER']->veriCode() . BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1";
}
return false;
}
......@@ -651,7 +651,7 @@ class PageLayoutController {
// Alternative template
$this->doc->setModuleTemplate('EXT:backend/Resources/Private/Templates/db_layout_quickedit.html');
// Alternative form tag; Quick Edit submits its content to tce_db.php.
$this->doc->form = '<form action="' . htmlspecialchars($GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db') . '&prErr=1&uPT=1') . '" method="post" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '" name="editform" onsubmit="return TBE_EDITOR.checkSubmit(1);">';
$this->doc->form = '<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_db', array(), $GLOBALS['BACK_PATH']) . '&prErr=1&uPT=1') . '" method="post" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '" name="editform" onsubmit="return TBE_EDITOR.checkSubmit(1);">';
// Setting up the context sensitive menu:
$this->doc->getContextMenuCode();
// Set the edit_record value for internal use in this function:
......@@ -1121,7 +1121,7 @@ class PageLayoutController {
if (!$this->modTSconfig['properties']['disableIconToolbar']) {
// Move record
if (MathUtility::canBeInterpretedAsInteger($this->eRParts[1])) {
$buttons['move_record'] = '<a href="' . htmlspecialchars($GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('move_element') . '&table=' . $this->eRParts[0] . '&uid=' . $this->eRParts[1] . '&returnUrl=' . rawurlencode(GeneralUtility::getIndpEnv('REQUEST_URI'))) . '">' . IconUtility::getSpriteIcon(('actions-' . ($this->eRParts[0] == 'tt_content' ? 'document' : 'page') . '-move'), array('class' => 'c-inputButton', 'title' => $GLOBALS['LANG']->getLL(('move_' . ($this->eRParts[0] == 'tt_content' ? 'record' : 'page')), TRUE))) . '</a>';
$buttons['move_record'] = '<a href="' . htmlspecialchars(BackendUtility::getModuleUrl('move_element', array(), $GLOBALS['BACK_PATH']) . '&table=' . $this->eRParts[0] . '&uid=' . $this->eRParts[1] . '&returnUrl=' . rawurlencode(GeneralUtility::getIndpEnv('REQUEST_URI'))) . '">' . IconUtility::getSpriteIcon(('actions-' . ($this->eRParts[0] == 'tt_content' ? 'document' : 'page') . '-move'), array('class' => 'c-inputButton', 'title' => $GLOBALS['LANG']->getLL(('move_' . ($this->eRParts[0] == 'tt_content' ? 'record' : 'page')), TRUE))) . '</a>';
}
// Edit page properties and page language overlay icons
......
......@@ -89,7 +89,7 @@ class RteController extends AbstractWizardController {
// Need to NOT have the page wrapped in DIV since if we do that we destroy
// the feature that the RTE spans the whole height of the page!!!
$this->doc->divClass = '';
$this->doc->form = '<form action="' . BackendUtility::getModuleUrl('tce_db') . '" method="post" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '" name="editform" onsubmit="return TBE_EDITOR.checkSubmit(1);">';
$this->doc->form = '<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_db')) . '" method="post" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '" name="editform" onsubmit="return TBE_EDITOR.checkSubmit(1);">';
}
/**
......
......@@ -548,7 +548,7 @@ function jumpToUrl(URL) {
*/
public function issueCommand($params, $redirectUrl = '') {
$redirectUrl = $redirectUrl ? $redirectUrl : GeneralUtility::getIndpEnv('REQUEST_URI');
$commandUrl = $this->backPath . BackendUtility::getModuleUrl('tce_db') . '&' . $params . '&redirect=' . ($redirectUrl == -1 ? '\'+T3_THIS_LOCATION+\'' : rawurlencode($redirectUrl)) . '&vC=' . rawurlencode($GLOBALS['BE_USER']->veriCode()) . BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1';
$commandUrl = BackendUtility::getModuleUrl('tce_db', array(), $this->backPath) . '&' . $params . '&redirect=' . ($redirectUrl == -1 ? '\'+T3_THIS_LOCATION+\'' : rawurlencode($redirectUrl)) . '&vC=' . rawurlencode($GLOBALS['BE_USER']->veriCode()) . BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1';
return $commandUrl;
}
......
......@@ -42,7 +42,7 @@ class PageMovingPagePositionMap extends PagePositionMap {
* @return string Onclick attribute content
*/
public function onClickEvent($pid, $newPagePID) {
return 'window.location.href=\'' . \TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl('tce_db') . '&cmd[pages][' . $GLOBALS['SOBE']->moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&redirect=' . rawurlencode($this->R_URI) . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode() . \TYPO3\CMS\Backend\Utility\BackendUtility::getUrlToken('tceAction') . '\';return false;';
return 'window.location.href=' . \TYPO3\CMS\Core\Utility\GeneralUtility::quoteJSvalue(\TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl('tce_db') . '&cmd[pages][' . $GLOBALS['SOBE']->moveUid . '][' . $this->moveOrCopy . ']=' . $pid . '&redirect=' . rawurlencode($this->R_URI) . '&prErr=1&uPT=1&vC=' . $GLOBALS['BE_USER']->veriCode() . \TYPO3\CMS\Backend\Utility\BackendUtility::getUrlToken('tceAction')) . ';return false;';
}
/**
......
......@@ -517,7 +517,7 @@ class PagePositionMap {
}
$location .= '&redirect=' . rawurlencode($this->R_URI);
// returns to prev. page
return 'window.location.href=\'' . $location . '\';return false;';
return 'window.location.href=' . GeneralUtility::quoteJSvalue($location) . ';return false;';
}
/**
......
......@@ -873,8 +873,8 @@ class PageLayoutView extends \TYPO3\CMS\Recordlist\RecordList\AbstractDatabaseRe
}
if ($this->ext_CALC_PERMS & 4 || $this->ext_CALC_PERMS & 2) {
$bArray[1] = $this->getPageLayoutController()->doc->t3Button(
'window.location.href=\'' . $this->backPath . BackendUtility::getModuleUrl('move_element') . '&table=pages&uid=' . $id
. '&returnUrl=' . rawurlencode(GeneralUtility::getIndpEnv('REQUEST_URI')) . '\';',
'window.location.href=' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('move_element', array(), $this->backPath) . '&table=pages&uid=' . $id
. '&returnUrl=' . rawurlencode(GeneralUtility::getIndpEnv('REQUEST_URI'))) . ';',
$this->getLanguageService()->getLL('move_page')
);
}
......
......@@ -36,7 +36,7 @@ class IssueCommandViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractVi
*/
public function render($parameters, $redirectUrl = '') {
$redirectUrl = $redirectUrl ?: \TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('REQUEST_URI');
return htmlspecialchars($GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db') . '&' . $parameters . '&redirect=' . ($redirectUrl === '' ? '\' + T3_THIS_LOCATION + \'' : rawurlencode($redirectUrl)) . '&vC=' . rawurlencode($GLOBALS['BE_USER']->veriCode()) . \TYPO3\CMS\Backend\Utility\BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1');
return htmlspecialchars(BackendUtility::getModuleUrl('tce_db', array(), $GLOBALS['BACK_PATH']) . '&' . $parameters . '&redirect=' . ($redirectUrl === '' ? '\' + T3_THIS_LOCATION + \'' : rawurlencode($redirectUrl)) . '&vC=' . rawurlencode($GLOBALS['BE_USER']->veriCode()) . \TYPO3\CMS\Backend\Utility\BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1');
}
}
......@@ -39,7 +39,7 @@ class RemoveUserViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractView
$redirectUrl = GeneralUtility::getIndpEnv('REQUEST_URI');
$parameters = 'cmd[be_users][' . $backendUser->getUid() . '][delete]=1';
$url = $GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db') . '&' . $parameters . '&redirect=' .
$url = BackendUtility::getModuleUrl('tce_db', array(), $GLOBALS['BACK_PATH']) . '&' . $parameters . '&redirect=' .
($redirectUrl == '' ? '\' + T3_THIS_LOCATION + \'' : rawurlencode($redirectUrl)) . '&vC=' .
rawurlencode($GLOBALS['BE_USER']->veriCode()) . BackendUtility::getUrlToken('tceAction') . '&prErr=1&uPT=1';
return '<a class="btn btn-default" href="' . $url . '" onclick="return confirm(' .
......
......@@ -545,12 +545,12 @@ class QueryView {
$out .= '<a class="btn btn-default" href="#" onClick="top.launchView(\'' . $table . '\',' . $row['uid'] . ',\'' . $GLOBALS['BACK_PATH'] . '\');return false;">' . \TYPO3\CMS\Backend\Utility\IconUtility::getSpriteIcon('status-dialog-information') . '</a>';
$out .= '<a class="btn btn-default" href="#" onClick="' . BackendUtility::editOnClick($params, $GLOBALS['BACK_PATH'], (GeneralUtility::getIndpEnv('REQUEST_URI') . GeneralUtility::implodeArrayForUrl('SET', (array)GeneralUtility::_POST('SET')))) . '">' . \TYPO3\CMS\Backend\Utility\IconUtility::getSpriteIcon('actions-document-open') . '</a>';
} else {
$out .= '<a class="btn btn-default" href="' . GeneralUtility::linkThisUrl(($GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db')), array(
$out .= '<a class="btn btn-default" href="' . GeneralUtility::linkThisUrl(BackendUtility::getModuleUrl('tce_db', arary(), $GLOBALS['BACK_PATH']), array(
('cmd[' . $table . '][' . $row['uid'] . '][undelete]') => '1',
'redirect' => GeneralUtility::linkThisScript(array())
)) . BackendUtility::getUrlToken('tceAction') . '">';
$out .= \TYPO3\CMS\Backend\Utility\IconUtility::getSpriteIcon('actions-edit-restore', array('title' => 'undelete only')) . '</a>';
$out .= '<a class="btn btn-default" href="' . GeneralUtility::linkThisUrl(($GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db')), array(
$out .= '<a class="btn btn-default" href="' . GeneralUtility::linkThisUrl(BackendUtility::getModuleUrl('tce_db', array(), $GLOBALS['BACK_PATH']), array(
('cmd[' . $table . '][' . $row['uid'] . '][undelete]') => '1',
'redirect' => GeneralUtility::linkThisUrl('alt_doc.php', array(
('edit[' . $table . '][' . $row['uid'] . ']') => 'edit',
......
......@@ -909,7 +909,7 @@ class FileList extends AbstractRecordList {
$confirmationCheck = '1 == 1';
}
$removeOnClick = 'if (' . $confirmationCheck . ') { top.content.list_frame.location.href=top.TS.PATH_typo3+\'' . BackendUtility::getModuleUrl('tce_file') .'&file[delete][0][data]=' . rawurlencode($fileOrFolderObject->getCombinedIdentifier()) . '&vC=' . $this->getBackendUser()->veriCode() . BackendUtility::getUrlToken('tceAction') . '&redirect=\'+top.rawurlencode(top.content.list_frame.document.location.pathname+top.content.list_frame.document.location.search);};';
$removeOnClick = 'if (' . $confirmationCheck . ') { top.content.list_frame.location.href=top.TS.PATH_typo3+' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('tce_file') .'&file[delete][0][data]=' . rawurlencode($fileOrFolderObject->getCombinedIdentifier()) . '&vC=' . $this->getBackendUser()->veriCode() . BackendUtility::getUrlToken('tceAction') . '&redirect=') . '+top.rawurlencode(top.content.list_frame.document.location.pathname+top.content.list_frame.document.location.search);};';
$cells['delete'] = '<a href="#" class="btn btn-default" onclick="' . htmlspecialchars($removeOnClick) . '" title="' . $this->getLanguageService()->sL('LLL:EXT:lang/locallang_core.xlf:cm.delete') . '">' . IconUtility::getSpriteIcon('actions-edit-delete') . '</a>';
} else {
......
......@@ -2490,7 +2490,7 @@ class ElementBrowser {
<!--
Form, for uploading files:
-->
<form action="' . $GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_file') . '" method="post" name="editform"'
<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_file', array(), $GLOBALS['BACK_PATH'])) . '" method="post" name="editform"'
. ' id="typo3-uplFilesForm" enctype="' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['form_enctype'] . '">
<table border="0" cellpadding="0" cellspacing="0" id="typo3-uplFiles">
<tr>
......@@ -2561,7 +2561,7 @@ class ElementBrowser {
<!--
Form, for creating new folders:
-->
<form action="' . $GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_file') . '" method="post" name="editform2" id="typo3-crFolderForm">
<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_file', array(), $GLOBALS['BACK_PATH'])) . '" method="post" name="editform2" id="typo3-crFolderForm">
<table border="0" cellpadding="0" cellspacing="0" id="typo3-crFolder">
<tr>
<td>' . $this->barheader($lang->sL(
......
......@@ -32,8 +32,8 @@ class DeleteLinkViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractView
public function render($id) {
$redirectUrl = \TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('REQUEST_URI');
$parameters = 'cmd[sys_note][' . $id . '][delete]=1';
$url = $GLOBALS['BACK_PATH'] . BackendUtility::getModuleUrl('tce_db') . '&' . $parameters . '&redirect=' . ($redirectUrl == '' ? '\' + T3_THIS_LOCATION + \'' : rawurlencode($redirectUrl)) . BackendUtility::getUrlToken('tceAction');
return $url;
$url = BackendUtility::getModuleUrl('tce_db', array(), $GLOBALS['BACK_PATH']) . '&' . $parameters . '&redirect=' . ($redirectUrl == '' ? '\' + T3_THIS_LOCATION + \'' : rawurlencode($redirectUrl)) . BackendUtility::getUrlToken('tceAction');
return htmlspecialchars($url);
}
}
\ No newline at end of file
......@@ -385,7 +385,7 @@ class VersionModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClass
// Create new:
$content = '
<form action="' . $this->doc->backPath . BackendUtility::getModuleUrl('tce_db') . '" method="post">
<form action="' . htmlspecialchars(BackendUtility::getModuleUrl('tce_db', array(), $this->doc->backPath)) . '" method="post">
' . $GLOBALS['LANG']->getLL('tblHeader_t3ver_label') . ': <input type="text" name="cmd[' . $this->table . '][' . $this->uid . '][version][label]" /><br />
<br /><input type="hidden" name="cmd[' . $this->table . '][' . $this->uid . '][version][action]" value="new" />
<input type="hidden" name="prErr" value="1" />
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment