Project

General

Profile

Actions

Bug #23474

closed

includeCSS path-string pass htmlspecialchars twice

Added by Arno Dudek about 14 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2010-08-28
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

There is an issue by including an external CSS file with parameters. I use it in a ViewHelper class in this way:

$GLOBALS['TSFE']->pSetup[$position][$key] = $path;
$GLOBALS['TSFE']->pSetup[$position][$key . '.'] = array(
'media' => $media,
[…]
);

$path looks like:
http://localhost/?type=123456788&cHash=a7a8da9a0538718db5b98d003bfedd6e […]

The output is:
http://localhost/?type=123456788&cHash=a7a8da9a0538718db5b98d003bfedd6e […]

You'll see the path-string pass htmlspecialchars twice:
1. class.tslib_pagegen.php line 546
2. class.t3lib_pagerenderer.php line 1105

solution replace in class.tslib_pagegen.php line 546
htmlspecialchars($ss),
to
$ss,

lg ad

(issue imported from #M15587)


Files

patch_15587.diff (4.89 KB) patch_15587.diff Administrator Admin, 2010-10-29 22:32
Actions #1

Updated by Mikkel Ricky about 14 years ago

Uploaded patch for resolving issue.

in "typo3/sysext/cms/tslib/class.tslib_pagegen.php" all htmlspecialchars calls are removed from method calls to

  • t3lib_PageRenderer::addCssFile
  • t3lib_PageRenderer::addJsLibrary
  • t3lib_PageRenderer::addJsFooterLibrary
  • t3lib_PageRenderer::addJsFile
  • t3lib_PageRenderer::addJsFooterFile

In "t3lib/class.t3lib_pagerenderer.php" additional htmlspecialchars calls are added when rendering html output.

Actions #2

Updated by Steffen Gebert about 14 years ago

But isn't the & supposed to be replaced by & in the output?

So I think it would be okay to remove the htmlspecialchars() in t3lib_pagegen (to handle URLs in PHP without escaped &), but not in t3lib_PageRenderer, as output should be escaped.

All without testing, so just my assumption.

Actions #3

Updated by Mikkel Ricky about 14 years ago

The patch only removes calls to htmlspecialchars() in typo3/sysext/cms/tslib/class.tslib_pagegen.php.

htmlspecialchars() are still used in "t3lib/class.t3lib_pagerenderer.php" when rendering the actual html output, and the patch adds htmlspecialchars() around all attribute values when rendering the output.
For all practical purposes it shouldn't be necessary to send e.g. "media" and "type" attribute values though htmlspecialchars(), but it's better to be safe than sorry.

Actions #4

Updated by Steffen Gebert about 14 years ago

Ah, sorry.. today the patch looks different than last night, I swear :D

Makes sense I think.

Actions #5

Updated by Steffen Kamper about 14 years ago

Committed to svn
4_4 rev 9292
trunk rev 9293

Actions #6

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF