Bug #20868
closed
click-enlarge function for images does not work correctly in IE8
Added by Maik Matthias over 14 years ago.
Updated over 5 years ago.
Description
The popup-window generated by the click-enlarge function produces an IE-Error stating that a function was blocked. This function is the submitted javascript-code for closing the popup window. This code is then destroyed by the IE, obviously to prevent XSS-Hacks.
Same problem with Typo3 4.1.10.
I think it's not a bug in IE8. Typo3 should not pass javascript-code via url parameters.
A workaround is to disable the "window.close"-function for the IE8-Browser via TS:
### IE8 Bugfix ClickEnlarge-function ###
[browser = msie] && [useragent = Trident/4.0]
plugin.tt_news.displaySingle.image.imageLinkWrap.wrap = |
tt_content.image.20.1.imageLinkWrap.wrap = |
[end]
A better solution is to fix the core-file typo3/sysext/cms/tslib/showpic.php
There the window-close function could be implemented in the body-tag of the output html code for the popup:
<body bgcolor="white" onClick="window.close();">
(issue imported from #M11695)
The reported bug affects the system extension tx_cms_showpic. Has anybody ever tried to click-enlarge an image with IE8? Nobody?
The alert displayed in the popup-window is (in German): "Diese Seite wurde von Internet Explorer geändert, um das siteübergreifende Scripting zu verhindern".
Workaround:
Modify file typo3/sysext/cms/tslib/showpic.php
Modify function printContent() so that it looks as follows:
function printContent() {
    header('X-XSS-Protection: 0'); // Disable CSS-Warning in IE8 (Typo3-Bug 11695)
    echo $this->content;
}
Thanks Thomas (and Simon) for the workaround.
I solved the problem for myself with another workaround a long time ago (see above).
But: This bug still exists on a lot of typo3-sites (including typo3.org!) and should be solved for all in the source-file "showpic.php".
BTW: It can't be a serious fix to disable security checks. IMHO in this case IE8 is on the right track.
Behaviour can get bypassed by disabling the cross-site filter of IE8 for the website.
Configure server to send an additional http header -> .htaccess/httpd.conf
<IfModule mod_headers.c>
Header set X-XSS-Protection 0
</IfModule>
Hi Jörg,
as I mentioned before: it can't be good advice to disable XSS protection. Doing it for the whole website or the server at all would be the worst decision.
Yet it's better to work around this topic by using some lightbox-extension instead. Your customers will appreciate that.
Hi Maik,
You are right :). Just wanted to post another way to handle it, so people can decide by themselves.
Another way to solve this would be to pass the template file name through the URL. This would eliminate the need for the complex "key" business.
Instead of "windowTemplateKey" I could add "windowTemplateFile" as a parameter. Then showpic.php would simply open up that file and use it.
Thoughts?
Another workaround, if my patch isn't a good idea. This workaround requires no modifications to Typo3 Core.
Create a new extension that defines tx_bettershowpic as an eID. This extension would look pretty much exactly like showpic.php, except it would allow you to configure different templates.
Then just set the JSwindow.altUrl = /index.php?eID=tx_bettershowpic
Unset the bodytag and stdwrap properties.
That's it. You have an image pop up that can contain Javascript, but where the javascript isn't passed through the URL.
Resolved as duplicate of #22990, which has been committed in rev. 8198.
- Status changed from Resolved to Closed
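The point raised throughout this thread (the popup's markup should live on the server and not travel in the URL) is shown below as an added example; it is not TYPO3's showpic.php and not the committed fix. The query parameter names `file` and `bodyTag`, the function names and the template set are assumptions made for illustration; `windowTemplateKey` is borrowed from the comment above.

```php
<?php
// Added illustration, not TYPO3 code. Function names, the template set and the
// 'file' / 'bodyTag' parameters are assumptions.

// Markup is defined on the server; the URL may only choose among these keys.
const POPUP_TEMPLATES = [
    'default' => '<body bgcolor="white" onClick="window.close();">%s</body>',
    'plain'   => '<body bgcolor="white">%s</body>',
];

// Escape the image path for use inside an HTML attribute.
// (Checking that the path is an allowed image is out of scope here.)
function imgTag($file): string
{
    $file = is_string($file) ? $file : '';
    return '<img src="' . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Pattern the reporter objects to: markup from the query string is echoed back,
// so the request URL itself carries script and IE8's filter rewrites the page.
function renderReflected(array $query): string
{
    $bodyTag = is_string($query['bodyTag'] ?? null) ? $query['bodyTag'] : '<body>';
    return '<html>' . $bodyTag . imgTag($query['file'] ?? '') . '</body></html>';
}

// Key-based variant: an unknown, missing or non-string key falls back to 'default',
// so nothing from the URL is ever emitted as markup.
function renderByKey(array $query): string
{
    $key = $query['windowTemplateKey'] ?? 'default';
    if (!is_string($key) || !array_key_exists($key, POPUP_TEMPLATES)) {
        $key = 'default';
    }
    return '<html>' . sprintf(POPUP_TEMPLATES[$key], imgTag($query['file'] ?? '')) . '</html>';
}

// Constructed sample requests.
$samples = [
    ['file' => 'uploads/pics/a.jpg', 'windowTemplateKey' => 'plain'],
    ['file' => 'uploads/pics/a.jpg', 'windowTemplateKey' => '<body onClick="window.close();">'],
    ['file' => 'a.jpg" onerror="x', 'bodyTag' => '<body onClick="window.close();">'],
];
foreach ($samples as $q) {
    echo renderByKey($q), PHP_EOL;   // markup always comes from POPUP_TEMPLATES
}
echo renderReflected($samples[2]), PHP_EOL; // body tag comes straight from the URL
```

With the key-based variant the close handler is still present in the popup, but the request URL contains no script, so a reflected-XSS filter has nothing to match and `X-XSS-Protection: 0` is not needed.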