TYPO3 Core

See the documentation on imageLinkWrap in the tsref: http://typo3.org/documentation/document-library/references/doc_core_tsref/4.1.0/view/5/3/.

Follow the example listed for creating a popup image with a javascript style close link and a black background:

1.imageLinkWrap = 1
    1.imageLinkWrap {
      enable = 1
      bodyTag = <BODY bgColor=black>
      wrap = <A href="javascript:close();"> | </A>
      width = 800m
      height = 600
      JSwindow = 1
      JSwindow.newWindow = 1
      JSwindow.expand = 17,20
    }

In IE8 it triggers a warning "Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information..." error. (There isn't really any more information.) It strips the black background and the <a> tag including the call to window.close().

In Safari 5, the link just doesn't do anything. Even though there are no errors.

I think it might be that IE sees the encoded HTML code in the link to index.php?eID=tx_cms_showpic URL that is generated. I realize this is safe because the md5 checksum prevents modified code from being passed, but IE or Safari do not know this.

See: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Also, Safari 5 mentions an XSS Auditor: http://support.apple.com/kb/DL1046
It seems like Chrome is talking about adding one too.

It looks like we'll need a new way of implementing this feature. Any ideas?

(issue imported from #M14858)