Bug #72322
closed
Javascript error on deleting dce section with RTE
100%
Description
With the Update from 6.2.14 to 6.2.16 an error occur, when you click on the delete Icon of a section, in a DCE.
Reproduce:
1. Create DCE, section with RTE-Field in it
2. Insert DCE on new page with some sections and save
3. Now try to delete section, a javascript error occur
The onclick-method for delete has wrong escaped Javascript code.
Changing typo3/sysext/rtehtmlarea/Classes/RteHtmlAreaBase.php Line 1338 back to the change of 6.2.14 its working as expected. To have still the new Security fix following is working:
change:
return 'if (RTEarea[' . GeneralUtility::quoteJSvalue($textareaId) . ']) { RTEarea[' . GeneralUtility::quoteJSvalue($textareaId) . '].deleted = true;}';
to
return 'if (RTEarea["' . GeneralUtility::quoteJSvalue($textareaId) . '"]) { RTEarea["' . GeneralUtility::quoteJSvalue($textareaId) . '"].deleted = true;}';
Updated by Nicole Cordes over 8 years ago
- Status changed from New to Needs Feedback
Hi Steffen,
1) Thank you for your report.
2) What is a dce element? If it is about the extension http://typo3.org/extensions/repository/view/dce, than it should be fixed in there.
The code provided produces wrong javascript code, because the text area id is double quoted now:
return 'if (RTEarea["'TextAreaId'"]) { RTEarea["'TextAreaId'"].deleted = true;}';
Updated by Helmut Hummel over 8 years ago
Steffen Mevius wrote:
The onclick-method for delete has wrong escaped Javascript code.
Can you please elaborate? How does the code look like that is broken for you?
As Nicole mentioned already, your suggested fix would be wrong.
Updated by Steffen Mevius over 8 years ago
Yes my fix is wrong, although its working in this case.
Javascript Code with 6.2.16 (not working)
<a href="#" onclick="if (confirm("Are you sure?")){if
(RTEarea[\'data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_\']) {
RTEarea[\'data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_\'].deleted =
true;};$("ID-b6b580a3be-6438e62d6b").hide();setActionStatus("ID-b6b580a3be");} return false;"><span title="Delete" class="t3-icon t3-icon-actions
t3-icon-actions-edit t3-icon-edit-delete"> </span></a>
Code with 6.2.14 (working)
<a href="#" onclick="if (confirm("Are you sure?")){if
(RTEarea["data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_"]) {
RTEarea["data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_"].deleted =
true;};$("ID-9f39d971ef-076f9c0665").hide();setActionStatus("ID-9f39d971ef");} return false;"><span title="Delete" class="t3-icon t3-icon-actions
t3-icon-actions-edit t3-icon-edit-delete"> </span></a>
in 6.2.14 the function looked like:
return 'if (RTEarea["' . $textareaId . '"]) { RTEarea["' . $textareaId . '"].deleted = true;}';
Updated by Oliver Hader over 8 years ago
I can confirm the behavior in FlexForm sections...
The reason for that is double encoding of the $this->additionalJS_delete variable in FormEngine.
Triggering the escaping function goes back to this commit:
https://github.com/TYPO3/TYPO3.CMS/commit/86fa65404cee8cdcb0b2f6ea1ceb93d29a44fd26#diff-bdafc485fb8c374144dcf1165186aeceR2660
Updated by Nicole Cordes over 8 years ago
IMHO we should remove the function GeneralUtility::slashJS()
in typo3_src/typo3/sysext/backend/Classes/Form/FormEngine.php:3385
$output = str_replace('/*###REMOVE###*/', GeneralUtility::slashJS(htmlspecialchars(implode('', $this->additionalJS_delete))), $output);
Updated by Gerrit Code Review over 8 years ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Oliver Hader over 8 years ago
I'm not sure whether security-wise it's still sufficient to remove the quoteJS, but encode the single-quote with htmlspecialchars():
The result would be something like this:
<a href="#" onclick="if (confirm("Are you sure?")){
if (RTEarea['data_tt_content__825__pi_flexform__data__sheet0__lDEF__settings.section__el__1__container_section__el__text__vDEF_'])...
Updated by Gerrit Code Review over 8 years ago
Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Gerrit Code Review over 8 years ago
Patch set 3 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Gerrit Code Review over 8 years ago
Patch set 4 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Oliver Hader over 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 2c7781e6b2fef683e0d5f3d9a47f4214851c29b7.
Updated by Riccardo De Contardi over 6 years ago
- Status changed from Resolved to Closed