Bug #50929
closed
Don't call rawurlencode() twice on curUrl
Start date: 2013-08-08
Due date:
% Done: 0%
Estimated time: 1.00 h
TYPO3 Version: 6.1
PHP Version:
Tags:
Complexity: no-brainer
Is Regression: Yes
Sprint Focus:
Description
In ElementBrowser.php:
$this->setTitle = $this->curUrlArray['title'] != '-' ? rawurlencode($this->curUrlArray['title']) : '';
...
$JScode = '
...
var add_title="' . ($this->setTitle ? '&curUrl[title]=' . rawurlencode($this->setTitle) : '') . '";
...
';
This is for all curUrl attributes. In the end this means that JavaScript variables are encoded twice and the prefilled form is also encoded even if it shouldn't be.
I've included a patch, but I am not sure if it satisfies all the rules.
Files
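The double encoding described in this report, reproduced as an added example (not TYPO3 code, and not the patch attached to this issue). The sample title, the receivedTitle() helper and the use of json_encode() for the JavaScript string are assumptions made for illustration.

```php
<?php
// Added example, not TYPO3 code. The title value is constructed sample input.
$curUrlArray = ['title' => 'Terms & "Conditions" <2013>'];

// Simulates the receiving request: PHP decodes a query string exactly once.
function receivedTitle(string $query): string
{
    parse_str(ltrim($query, '&'), $params);
    return $params['curUrl']['title'] ?? '';
}

// Pattern from the report: encoded when stored, encoded again when emitted.
$setTitle = $curUrlArray['title'] != '-' ? rawurlencode($curUrlArray['title']) : '';
$double = '&curUrl[title]=' . rawurlencode($setTitle);

// Alternative: keep the raw value, encode once where the URL is assembled.
$rawTitle = $curUrlArray['title'] != '-' ? $curUrlArray['title'] : '';
$single = '&curUrl[title]=' . rawurlencode($rawTitle);

// Escape per output context at the point of output (assumed approach):
// JSON_HEX_* keeps quotes, <, > and & out of an inline <script> string,
// htmlspecialchars() covers the HTML attribute.
$jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$jsLine = 'var add_title=' . json_encode($single, $jsFlags) . ';';
$htmlAttr = 'value="' . htmlspecialchars($rawTitle, ENT_QUOTES, 'UTF-8') . '"';

printf("double, after one decode: %s\n", receivedTitle($double));
printf("single, after one decode: %s\n", receivedTitle($single));
printf("round trip intact: %s\n", var_export(receivedTitle($single) === $rawTitle, true));
printf("JS:   %s\n", $jsLine);
printf("HTML: %s\n", $htmlAttr);
```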
Updated by Markus Klein over 11 years ago
This double encoding was introduced in a security fix in 2011.
I believe this fix was wrong, since it should protect against XSS. Double encoding of course does the trick, but it would IMHO be better to simply htmlspecialchar the output.
Updated by Jan Spisiak over 11 years ago
Yes, that is the fix that broke it. Well the output into the form is already htmlspecialchar'ed:
<td><input type="text" name="ltitle" class="typo3-link-input" onchange="browse_links_setTitle(this.value);" value="' . htmlspecialchars($this->setTitle) . '" /></td>
But there is also the cur_* variables:
var cur_title="' . ($this->setTitle ? $this->setTitle : '') . '";
These are not rendered, they are just sent through renderPopup_addLink() back to editor, so should they also be htmlspecialchar'ed?
Updated by Jan Spisiak about 11 years ago
- Assignee set to Georg Ringer
- Target version changed from 2463 to next-patchlevel
This needs to be fixed, otherwise it renders editing links impossible when using ElementBrowser (Flux uses it).
Updated by Georg Ringer about 11 years ago
- Is Regression set to No
Please never assign any issues to someone else than yourself!
Updated by Oliver Hader about 11 years ago
- Target version deleted (next-patchlevel)