Project

General

Profile

Actions
Copy link

Bug #71698

closed

Link fields accept inline javascript code

Added by Oliver Hader about 9 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Oliver Hader
Category:
-
Target version:
-
Start date:
2015-11-19
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
5.5
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

javascript:alert(1) can be submitted for every link field and will be rendered in the frontend passed through typolink. To circumvent that, the URI scheme and prefix "javascript:" will be disallowed per default. The extension "javascript_handler" allows however to bring back that insecure behavior since some installations might rely on it.

Files

javascript_handler_1.0.0.zip (2.27 KB) javascript_handler_1.0.0.zip Nicole Cordes, 2015-12-15 12:09
Actions
Copy link
 #1

Updated by Oliver Hader about 9 years ago

  • File javascript_handler.zip added
Actions
Copy link
 #2

Updated by Gerrit Code Review about 9 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/44803

Actions
Copy link
 #3

Updated by Gerrit Code Review about 9 years ago

Patch set 2 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/44803

Actions
Copy link
 #4

Updated by Gerrit Code Review about 9 years ago

Patch set 1 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/44804

Actions
Copy link
 #5

Updated by Gerrit Code Review about 9 years ago

Patch set 3 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/44803

Actions
Copy link
 #6

Updated by Gerrit Code Review about 9 years ago

Patch set 2 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/44804

Actions
Copy link
 #7

Updated by Georg Ringer about 9 years ago

  • Status changed from Under Review to Resolved

merged in release branch

Actions
Copy link
 #8

Updated by Gerrit Code Review about 9 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44876

Actions
Copy link
 #9

Updated by Georg Ringer almost 9 years ago

  • Status changed from Under Review to Resolved

merged in release branch

Actions
Copy link
 #10

Updated by Gerrit Code Review almost 9 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45265

Actions
Copy link
 #11

Updated by Oliver Hader almost 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions
Copy link
 #12

Updated by Gerrit Code Review almost 9 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45277

Actions
Copy link
 #13

Updated by Oliver Hader almost 9 years ago

  • Status changed from Under Review to Resolved
Actions
Copy link
 #14

Updated by Nicole Cordes almost 9 years ago

  • File deleted (javascript_handler.zip)
Actions
Copy link
 #16

Updated by Helmut Hummel almost 9 years ago

  • Project changed from 1716 to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)
  • Is Regression set to No
Actions
Copy link
 #17

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF