Commit 73f3f102 authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader

[BUGFIX] Allow HTML node onclick events in generated frontend markup

`ContentObjectRenderer` and `AbstractMenuContentObject` are still relying
on the HTML event attribute `onclick` to open new client window instances,
which was (correctly) removed by the HTML sanitizer.

In order to keep the functionality, exceptional declarations have been
added, and `vHWin=window.open(...)` substituted by `openPic(...)`.

Resolves: #94866
Releases: master, 11.3, 10.4, 9.5
Change-Id: I961746b3776d12f302933ebb775ab215bdcd85ab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584


Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 5697363a
......@@ -59,6 +59,19 @@ class DefaultSanitizerBuilder extends CommonBuilder
return GeneralUtility::makeInstance(Sanitizer::class, $visitor);
}
protected function createBasicTags(): array
{
/** @var Behavior\Tag[] $tags */
$tags = parent::createBasicTags();
// `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
// @todo get rid of `onclick` since it conflicts with Content-Security-Policy
$tags['a']->addAttrs(
(new Behavior\Attr('onclick'))
->addValues(new Behavior\RegExpAttrValue('#^openPic\(#'))
);
return $tags;
}
protected function createBehavior(): Behavior
{
return parent::createBehavior()
......
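Review bot: The allow-list passed to `addValues` only anchors the start of the value (`#^openPic\(#`), so any `onclick` that begins with `openPic(` passes the sanitizer regardless of what follows the call, which is wider than the two generators this exception is meant for. Both call sites emit a fixed shape — `quoteJSvalue`-quoted arguments, then `);` and `return false;` (see fixtures #058/#059) — so the pattern can be anchored end-to-end, e.g. `->addValues(new Behavior\RegExpAttrValue('#^openPic\((?:\'(?:[^\'\\\\]|\\\\.)*\',?)+\);\s*return false;$#D'))`. That form still accepts the `\/` and `\u0026` escapes in the fixtures and the variant with a space before `return`; verify it against both datasets before tightening, and consider noting in the `@todo` that this exception must be removed together with the markup in ContentObjectRenderer and AbstractMenuContentObject.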
......@@ -123,6 +123,16 @@ class DefaultSanitizerBuilderTest extends FunctionalTestCase
// decodes those entities, which is good to have normalized attr values
'<a href="mailto:some.body@test.typo3.org">some.body(at)test.typo3(dot)org</a>',
],
'#058' => [
// `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
'<a href="/" target="FEopenLink" onclick="openPic(\'\/\',\'FEopenLink\',\'width=200,height=300\');return false;">Link</a>',
'<a href="/" target="FEopenLink" onclick="openPic(\'\/\',\'FEopenLink\',\'width=200,height=300\');return false;">Link</a>'
],
'#059' => [
// `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
'<a href="/index.php?eID=tx_cms_showpic" onclick="openPic(\'\/index.php?eID=tx_cms_showpic\u0026file=77\u0026md5=45a4b6287f68a61cf617a470e853d857461bc1d2\u0026parameters%5B0%5D=W10%3D\',\'thePicture\',\'width=1200,height=1799,status=0,menubar=0,=\'); return false;" target="thePicture"><img src="/logo.png"></a>',
'<a href="/index.php?eID=tx_cms_showpic" onclick="openPic(\'\/index.php?eID=tx_cms_showpic\u0026file=77\u0026md5=45a4b6287f68a61cf617a470e853d857461bc1d2\u0026parameters%5B0%5D=W10%3D\',\'thePicture\',\'width=1200,height=1799,status=0,menubar=0,=\'); return false;" target="thePicture"><img src="/logo.png"></a>'
],
'#090' => [
'<p data-bool><span data-bool><strong data-bool>value</strong></span></p>',
'<p data-bool><span data-bool><strong data-bool>value</strong></span></p>'
......
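Review bot: Both new datasets (`#058`, `#059`) are positive cases, so nothing here shows that the new `onclick` exception is narrow: no input asserts that an `onclick` value not starting with `openPic(` is still removed. One negative dataset next to them, e.g. input `'<a href="/" onclick="doSomething()">Link</a>'` with the expected output having the attribute stripped (or the element rewritten, whichever the builder's Behavior flags produce for the other datasets), would pin the boundary of the allow-list. The enclosing data provider starts and ends outside this hunk.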
......@@ -5528,8 +5528,9 @@ class ContentObjectRenderer implements LoggerAwareInterface
}
if ($JSwindowParams) {
$onClick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($tsfe->baseUrlWrap($finalTagParts['url'])) . ',\'FEopenLink\',' . GeneralUtility::quoteJSvalue($JSwindowParams) . ');vHWin.focus();return false;';
$onClick = 'openPic(' . GeneralUtility::quoteJSvalue($tsfe->baseUrlWrap($finalTagParts['url'])) . ',\'FEopenLink\',' . GeneralUtility::quoteJSvalue($JSwindowParams) . ');return false;';
$tagAttributes['onclick'] = htmlspecialchars($onClick);
$this->getTypoScriptFrontendController()->setJS('openPic');
}
if (!empty($resolvedLinkParameters['class'])) {
......
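Review bot: The string assigned on the new `$onClick = 'openPic('` line has to match the sanitizer exception added in `DefaultSanitizerBuilder::createBasicTags()` exactly, but nothing at the call site says so; the same applies to the `openPic(` assignment in AbstractMenuContentObject. A short comment above the assignment would keep the two in sync, e.g. `// Must keep the openPic(...) form accepted by DefaultSanitizerBuilder::createBasicTags(); any other onclick value is stripped by the HTML sanitizer.` Also, `$tsfe` is already used on the same line for `baseUrlWrap`, so — assuming it holds the same controller — `$tsfe->setJS('openPic');` would read like the menu counterpart instead of `$this->getTypoScriptFrontendController()->setJS('openPic');`. The enclosing method starts and ends outside the hunk.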
......@@ -1802,9 +1802,10 @@ abstract class AbstractMenuContentObject
// Open in popup window?
if ($matches[3] && $matches[4]) {
$JSparamWH = 'width=' . $matches[3] . ',height=' . $matches[4] . ($matches[5] ? ',' . substr($matches[5], 1) : '');
$onClick = 'vHWin=window.open('
$onClick = 'openPic('
. GeneralUtility::quoteJSvalue($tsfe->baseUrlWrap($LD['totalURL']))
. ',\'FEopenLink\',' . GeneralUtility::quoteJSvalue($JSparamWH) . ');vHWin.focus();return false;';
. ',\'FEopenLink\',' . GeneralUtility::quoteJSvalue($JSparamWH) . ');return false;';
$tsfe->setJS('openPic');
$LD['target'] = '';
}
}
......
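Review bot: The rewritten handler drops the `vHWin.focus()` call that the removed line executed after `window.open`, and nothing in this hunk shows whether the `openPic` helper registered via `$tsfe->setJS('openPic')` focuses the opened window itself; if it does not, a re-used `FEopenLink` popup may stay behind the main window, which would be a behaviour change rather than a pure substitution. The same question applies to the ContentObjectRenderer hunk. Once confirmed, a comment on the `$onClick = 'openPic('` line would document it, e.g. `// openPic() (registered via setJS('openPic')) performs window.open() and focus handling`. The enclosing method starts and ends outside the hunk.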