Bug #82054
closed
f:link.external does not filter insecure URI schemes
0%
Description
The Fluid view-helper f:link.external directly uses the given URI without further sanitizing it as a link. In the TYPO3 core we strip away javascript: and data: URI schemes. This has been integrated into ContentObjectRender::typoLink with the following security bulletin https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/
<f:link.external uri="{uri}" target="_blank">Some link</f:link.external>urivariable containingjavascript:alert('XSS')
ELTS effects: 4.5, 6.2
Files
Updated by Jigal van Hemert over 6 years ago
- File 82054.diff 82054.diff added
Is this an acceptable solution?
Updated by Helmut Hummel over 6 years ago
Do we need to do anything here at all?
I mean you can perfectly write this in your template:
<a href="{data.foo}">Bar</a>
There is no way on our side to prevent it.
In general the usefulness of <f:link.external> is close to 0.
So I'd rather deprecate the whole view helper instead of trying to fix it somehow.
Updated by Markus Klein over 6 years ago
So I'd rather deprecate the whole view helper instead of trying to fix it somehow.
Full ack!
Updated by Benni Mack over 6 years ago
- Target version set to next-patchlevel
- Affected Version set to 6.2, 7, 8, master
Needs to be fixed in uri.external and link.external by adding the same functionality as in ContentObejctRenderer.php (master line 5248)
if (in_array(strtolower(trim($linkHandlerKeyword)), ['javascript', 'data'], true)) { - do not link it - }
Updated by Oliver Hader over 6 years ago
- Target version changed from next-patchlevel to Release September 2017
Updated by Helmut Hummel over 6 years ago
I still kinda think that this does not need a fix.
ContentObjectRenderer is different because typolink
is very commonly used on user input from editors, where
the scope here rather is integrators/ admins.
If admins use this vh insecurely in a template it is in them
to fix it.
Fixing this here would be breaking for legit usages
if this vh (still wondering the usefulness of it in general
but why would a fixed string url with data: or javascript:
should be denied, while having it in a <a> tag not)
Updated by Helmut Hummel over 6 years ago
I would rather make this public and let "the community" decide whether
we should help admins not shoot in their foot
Updated by Benni Mack over 6 years ago
If we handle it in public, I'm actually for deprecating this viewhelper or actually removing it in v9 completely.
Updated by Oliver Hader over 6 years ago
I think the assumption is correct, that people rather would have used the TypolinkViewHelper instead of the ExternalViewHelper if it's user input in general. Thus, I'd opt for making this issue public then and let the community comment on it.
Updated by Oliver Hader over 6 years ago
- Category deleted (
OW-A07: Cross Site Scripting)
I think the assumption is correct, that people rather would have used the TypolinkViewHelper instead of the ExternalViewHelper if it's user input in general. Thus, I'd opt for making this issue public then and let the community comment on it.
Updated by Oliver Hader over 6 years ago
- Project changed from 1716 to TYPO3 Core
- Target version deleted (
Release September 2017)
Updated by Oliver Hader over 6 years ago
- Status changed from Accepted to Needs Feedback
Updated by Riccardo De Contardi over 6 years ago
I guilty neglected this one for too long - I am of the opinion to remove <f:link.external> too, as I don't remember much benefits respect to a plain <a href="">
Updated by Alexander Opitz about 6 years ago
Do we need proper deprecation here?
Updated by Susanne Moog over 5 years ago
- Sprint Focus set to On Location Sprint
Updated by Benni Mack over 5 years ago
- Target version set to Candidate for Major Version
Let's deprecate this one in v10.0
Updated by Susanne Moog over 4 years ago
- Sprint Focus deleted (
On Location Sprint)
Updated by
Updated by Benni Mack over 2 years ago
- Status changed from Needs Feedback to Closed
This has been deprecated now in TYPO3 v11.