Bug #69021
closed
Pagetree context menu show preview button returns Invalid CSRF Token
Added by Marc Bauer over 9 years ago.
Updated about 7 years ago.
Description
If you click the "show preview" button in the Pagetree context menu, a new window opens and the error message "The CSRF protection token for the requested module is missing or invalid" is returned.
The error only occurs if you are in a draft area in workspaces.
In live area there is no error message.
I have found the error in typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php
    /**
     * Returns the view link of a given node
     *
     * @param stdClass $nodeData
     * @return string
     */
    static public function getViewLink($nodeData) {
        /** @var $node \TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode */
        $node = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode::class, (array)$nodeData);
        $javascriptLink = stripslashes(BackendUtility::viewOnClick($node->getId()));
        preg_match('/window\\.open\\(\'([^\']+)\'/i', str_replace('u0026','&',$javascriptLink), $match);
        return $match[1];
    }
The error is that the & in the URL is replaced by \u0026, but the preg_match kills that and the URL is only a long string :(
- Status changed from New to Accepted
- Target version set to 7 LTS
- Status changed from Accepted to In Progress
- Assignee set to Oliver Hader
Basically the origin of this is in #66706 and the previous changes in that regard...
Encoding JavaScript data and then removing only slashes to circumvent double encodings is unfortunately not enough as it has been done in the mentioned change.
- Status changed from In Progress to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed
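The failure discussed in this issue, as an added example that is not TYPO3's code or part of the original thread: a URL is encoded for use in JavaScript, then extracted once with stripslashes() as in the reported snippet and once by decoding the literal. Assumptions: json_encode() with the JSON_HEX_* flags stands in for the JavaScript encoding step, and the sample URL, its parameter names, the window name and all function names are constructed for illustration.

```php
<?php
// Stand-in for the JavaScript encoding step (assumption, not TYPO3's own code):
// the JSON_HEX_* flags emit & as \u0026 so the value is safe inside markup.
function encodeForJs(string $value): string
{
    $flags = JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
    return "'" . substr(json_encode($value, $flags), 1, -1) . "'";
}

// Extraction as in the reported snippet, without the str_replace workaround:
// stripslashes() drops the backslash of \u0026 and leaves a literal "u0026".
function extractWithStripslashes(string $js): ?string
{
    return preg_match('/window\\.open\\(\'([^\']+)\'/i', stripslashes($js), $m) ? $m[1] : null;
}

// Extraction that reverses the encoding: take the literal untouched and decode
// its escape sequences as a JSON string.
function extractWithDecode(string $js): ?string
{
    if (!preg_match('/window\\.open\\(\'([^\']+)\'/i', $js, $m)) {
        return null;
    }
    return json_decode('"' . $m[1] . '"');
}

// Names of the query parameters a server would see for the given URL.
function queryParameterNames(?string $url): array
{
    parse_str((string)parse_url((string)$url, PHP_URL_QUERY), $params);
    return array_keys($params);
}

// Constructed sample URL; parameter names and token value are made up.
$url = '/typo3/index.php?M=web_preview&moduleToken=0123abcd&id=42';
$onClick = 'var previewWin = window.open(' . encodeForJs($url) . ",'preview');previewWin.focus();";

echo $onClick, PHP_EOL;
$results = [
    'stripslashes' => extractWithStripslashes($onClick),
    'decode' => extractWithDecode($onClick),
];
foreach ($results as $how => $extracted) {
    printf("%-12s %s\n  parameters: %s\n", $how, $extracted, implode(', ', queryParameterNames($extracted)));
}
```

With the stripslashes() variant the query string is no longer split at its separators, so the token parameter is not seen as a parameter of its own, which matches the "missing or invalid" CSRF token message in the report.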