Bug #69021

Pagetree context menu show preview button returns Invalid CSRF Token

Added by Marc Bauer over 6 years ago. Updated about 4 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: Workspaces
Target version:
Start date: 2015-08-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version: 5.6
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

If you click the "show preview" button in the Pagetree context menu, a new window opens and the error message "The CSRF protection token for the requested module is missing or invalid" is returned.

The error only occurs if you are in a draft area in workspaces.
In the live area there is no error message.


Related issues

Related to TYPO3 Core - Bug #69296: Error when adding first new page after fresh install (Closed, 2015-08-24)
Related to TYPO3 Core - Bug #67001: Workspace Pagepreview doesn't work, if the livepage is set to hidden=1 (Closed, 2015-05-17)
Related to TYPO3 Core - Bug #39339: Page preview is broken in draft workspace with 4.7.2 (Closed, 2012-07-27)
Has duplicate TYPO3 Core - Bug #68859: [Workspace] Broken Preview link on Page tree list (Closed, Jan Runte, 2015-08-08)
Follows TYPO3 Core - Bug #66706: Context Menu View page icon has too many jsQuote (Closed, Nicole Cordes, 2015-05-01)

#1

Updated by Marc Bauer over 6 years ago

I have found the error in typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php

    /**
     * Returns the view link of a given node
     *
     * @param stdClass $nodeData
     * @return string
     */
    static public function getViewLink($nodeData) {
        /** @var $node \TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode */
        $node = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode::class, (array)$nodeData);
        $javascriptLink = stripslashes(BackendUtility::viewOnClick($node->getId()));
        preg_match('/window\\.open\\(\'([^\']+)\'/i', str_replace('u0026','&',$javascriptLink), $match);
        return $match[1];
    }

The error is that the & in the URL is replaced by \u0026, but the preg_match kills that and the URL is only a long string :(

#2

Updated by Oliver Hader about 6 years ago

  • Status changed from New to Accepted
  • Target version set to 7 LTS

#3

Updated by Oliver Hader about 6 years ago

  • Status changed from Accepted to In Progress
  • Assignee set to Oliver Hader

#4

Updated by Oliver Hader about 6 years ago

Basically the origin of this is in #66706 and the previous changes in that regard...
Encoding JavaScript data and then removing only slashes to circumvent double encodings is unfortunately not enough as it has been done in the mentioned change.
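
The failure discussed in comments #1 and #4, shown as an added example that is not part of the original thread and is not TYPO3's own code. It compares undoing a JavaScript string encoding with `stripslashes()` against parsing the escapes properly. `encodeJsString()` is a hypothetical stand-in for the core's JavaScript encoding step; the URL, its parameter names and the window name are constructed.

```php
<?php
// Constructed sample URL; parameter names and the token value are placeholders.
$url = '/typo3/index.php?M=example&token=PLACEHOLDER&id=42';

// Hypothetical stand-in for the encoding step: a single-quoted JS string
// literal in which &, ', ", < and > are written as \uXXXX escapes.
function encodeJsString(string $value): string
{
    $json = json_encode($value, JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG);
    return "'" . substr($json, 1, -1) . "'";
}

// Extracts the first window.open() argument, still in its encoded form.
function extractLiteral(string $javascript): ?string
{
    return preg_match('/window\.open\(\'([^\']+)\'/i', $javascript, $m) ? $m[1] : null;
}

// Lossy decode: only the backslashes go away, so \u0026 becomes the text "u0026".
function decodeByStripslashes(string $literal): string
{
    return stripslashes($literal);
}

// Inverse of the encoding: a JSON parser resolves every escape sequence.
function decodeByJson(string $literal): ?string
{
    return json_decode('"' . $literal . '"');
}

$javascript = 'var w = window.open(' . encodeJsString($url) . ",'previewWindow');";
$literal = extractLiteral($javascript);

$results = [
    'stripslashes' => decodeByStripslashes($literal),
    'json_decode'  => decodeByJson($literal),
];
foreach ($results as $name => $decoded) {
    // Parse the query string the way the receiving request handler would.
    parse_str((string)parse_url((string)$decoded, PHP_URL_QUERY), $query);
    $state = isset($query['token']) ? 'present' : 'MISSING';
    printf("%-12s %s\n             token parameter: %s\n", $name, $decoded, $state);
}
```

With `stripslashes()` the whole query string collapses into the value of the first parameter, so the token parameter never reaches the server as a separate field.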

#5

Updated by Gerrit Code Review about 6 years ago

  • Status changed from In Progress to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44297

#6

Updated by Oliver Hader about 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#7

Updated by Riccardo De Contardi about 4 years ago

  • Status changed from Resolved to Closed
