Bug #72322 (closed, 100% done): Javascript error on deleting dce section with RTE
Description
With the update from 6.2.14 to 6.2.16 an error occurs when you click on the delete icon of a section in a DCE.
Reproduce:
1. Create DCE, section with RTE-Field in it
2. Insert DCE on new page with some sections and save
3. Now try to delete the section; a javascript error occurs
The onclick method for delete has wrongly escaped Javascript code.
Changing typo3/sysext/rtehtmlarea/Classes/RteHtmlAreaBase.php line 1338 back to the 6.2.14 code, it's working as expected. To still keep the new security fix, the following is working:
change:
return 'if (RTEarea[' . GeneralUtility::quoteJSvalue($textareaId) . ']) { RTEarea[' . GeneralUtility::quoteJSvalue($textareaId) . '].deleted = true;}';
to
return 'if (RTEarea["' . GeneralUtility::quoteJSvalue($textareaId) . '"]) { RTEarea["' . GeneralUtility::quoteJSvalue($textareaId) . '"].deleted = true;}';
Updated by Nicole Cordes almost 9 years ago
- Status changed from New to Needs Feedback
Hi Steffen,
1) Thank you for your report.
2) What is a dce element? If it is about the extension http://typo3.org/extensions/repository/view/dce, then it should be fixed in there.
The code provided produces wrong javascript code, because the text area id is double quoted now:
return 'if (RTEarea["'TextAreaId'"]) { RTEarea["'TextAreaId'"].deleted = true;}';
Updated by Helmut Hummel almost 9 years ago
Steffen Mevius wrote:
The onclick-method for delete has wrong escaped Javascript code.
Can you please elaborate? What does the code that is broken for you look like?
As Nicole mentioned already, your suggested fix would be wrong.
Updated by Steffen Mevius almost 9 years ago
Yes, my fix is wrong, although it's working in this case.
Javascript Code with 6.2.16 (not working)
<a href="#" onclick="if (confirm("Are you sure?")){if (RTEarea[\'data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_\']) { RTEarea[\'data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_\'].deleted = true;};$("ID-b6b580a3be-6438e62d6b").hide();setActionStatus("ID-b6b580a3be");} return false;"><span title="Delete" class="t3-icon t3-icon-actions t3-icon-actions-edit t3-icon-edit-delete"> </span></a>
Code with 6.2.14 (working)
<a href="#" onclick="if (confirm("Are you sure?")){if (RTEarea["data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_"]) { RTEarea["data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_"].deleted = true;};$("ID-9f39d971ef-076f9c0665").hide();setActionStatus("ID-9f39d971ef");} return false;"><span title="Delete" class="t3-icon t3-icon-actions t3-icon-actions-edit t3-icon-edit-delete"> </span></a>
In 6.2.14 the function looked like:
return 'if (RTEarea["' . $textareaId . '"]) { RTEarea["' . $textareaId . '"].deleted = true;}';
Updated by Oliver Hader almost 9 years ago
I can confirm the behavior in FlexForm sections...
The reason for that is double encoding of the $this->additionalJS_delete variable in FormEngine.
Triggering the escaping function goes back to this commit:
https://github.com/TYPO3/TYPO3.CMS/commit/86fa65404cee8cdcb0b2f6ea1ceb93d29a44fd26#diff-bdafc485fb8c374144dcf1165186aeceR2660
Updated by Nicole Cordes almost 9 years ago
IMHO we should remove the function GeneralUtility::slashJS()
in typo3_src/typo3/sysext/backend/Classes/Form/FormEngine.php:3385
$output = str_replace('/*###REMOVE###*/', GeneralUtility::slashJS(htmlspecialchars(implode('', $this->additionalJS_delete))), $output);
Updated by Gerrit Code Review almost 9 years ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Oliver Hader almost 9 years ago
I'm not sure whether security-wise it's still sufficient to remove the quoteJS, but encode the single-quote with htmlspecialchars():
The result would be something like this:
<a href="#" onclick="if (confirm("Are you sure?")){ if (RTEarea['data_tt_content__825__pi_flexform__data__sheet0__lDEF__settings.section__el__1__container_section__el__text__vDEF_'])...
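The double encoding Oliver describes (quoteJSvalue() inside RteHtmlAreaBase, then htmlspecialchars() plus slashJS() again in FormEngine) and Nicole's proposal to drop the slashJS() layer can be reproduced with a short PHP script. This is an added example, not code from the TYPO3 core or from anyone in this thread: quoteJSvalueDemo() and slashJSDemo() are simplified stand-ins for GeneralUtility::quoteJSvalue() and GeneralUtility::slashJS() whose exact escaping tables are assumptions, and the textarea id is the one from the markup pasted above.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. The two helpers below are simplified
// stand-ins for GeneralUtility::quoteJSvalue() and GeneralUtility::slashJS();
// their escaping tables are assumptions chosen for this demonstration.

/** Stand-in for quoteJSvalue(): a single-quoted JS string literal in which every
 *  character that could end or alter the literal is written as a \xHH escape. */
function quoteJSvalueDemo(string $value): string
{
    $map = [
        '\\' => '\\x5C',
        "'"  => '\\x27',
        '"'  => '\\x22',
        '/'  => '\\x2F',
        '<'  => '\\x3C',
        '>'  => '\\x3E',
        "\r" => '\\x0D',
        "\n" => '\\x0A',
    ];
    return "'" . strtr($value, $map) . "'";
}

/** Stand-in for slashJS(): backslash-escape single quotes in an arbitrary string,
 *  which is what the FormEngine line quoted above applied to the whole snippet. */
function slashJSDemo(string $string): string
{
    return str_replace("'", "\\'", $string);
}

/** The delete handler RteHtmlAreaBase returns in 6.2.16 (shape of the line quoted
 *  in the report), built with the stand-in quoting helper. */
function deleteHandlerJs(string $textareaId): string
{
    $quoted = quoteJSvalueDemo($textareaId);
    return 'if (RTEarea[' . $quoted . ']) { RTEarea[' . $quoted . '].deleted = true;}';
}

/** 6.2.16 FormEngine behaviour: attribute encoding, then slashJS() on top.
 *  ENT_COMPAT mirrors the PHP 5 default that htmlspecialchars() ran with then. */
function onclickDoubleEscaped(string $js): string
{
    return 'onclick="' . slashJSDemo(htmlspecialchars($js, ENT_COMPAT, 'UTF-8')) . '"';
}

/** The fix discussed in the thread: only the HTML attribute encoder. The JS string
 *  context was already handled by quoteJSvalue() one layer below. */
function onclickSingleEscaped(string $js): string
{
    return 'onclick="' . htmlspecialchars($js, ENT_COMPAT, 'UTF-8') . '"';
}

/** True when the attribute body contains a backslash-escaped quote, i.e. the token
 *  that lands outside any JS string literal and makes the browser throw. */
function hasStrayBackslashQuote(string $attribute): bool
{
    return strpos($attribute, "\\'") !== false;
}

// Textarea id copied from the markup pasted in the thread.
$id = 'data_tt_content__1804__pi_flexform__data__sheet0__lDEF__settings.teasers__el__10__container_teasers__el__text__vDEF_';
$js = deleteHandlerJs($id);

foreach (['double' => onclickDoubleEscaped($js), 'single' => onclickSingleEscaped($js)] as $label => $attr) {
    printf("%-6s stray \\' present: %s\n%s\n\n", $label, hasStrayBackslashQuote($attr) ? 'yes' : 'no', $attr);
}

// Constructed id carrying both quote kinds, a backslash and a slash: with one
// encoder per context the double quote reaches the attribute as &quot; and the
// single quote reaches the JS literal as \x27, so neither context is broken.
$tricky = 'field"with\'quotes\\and/slash';
echo onclickSingleEscaped(deleteHandlerJs($tricky)), "\n";
```

Run it with `php demo.php`. The "double" line carries `\'` in front of each id, which is exactly what the 6.2.16 markup above shows and what the browser rejects, since a backslash outside a string literal is not valid JavaScript; the "single" line contains a plain `'` and parses. The constructed id at the end shows why one encoder per context is still sufficient: htmlspecialchars() turns the `"` into `&quot;` so the attribute cannot be closed early, and quoteJSvalue() has already turned the `'` into `\x27` inside the literal, so the two layers never touch the same character.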
Updated by Gerrit Code Review almost 9 years ago
Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Gerrit Code Review almost 9 years ago
Patch set 3 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Gerrit Code Review almost 9 years ago
Patch set 4 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45356
Updated by Oliver Hader almost 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 2c7781e6b2fef683e0d5f3d9a47f4214851c29b7.
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed