Project

General

Profile

Bug #82054

Updated by Oliver Hader over 7 years ago

The Fluid view-helper f:link.external directly uses the given URI without further sanitizing it as a link. In the TYPO3 core we strip away @javascript:@ and @data:@ URI schemes. This has been integrated into @ContentObjectRender::typoLink@ with the following security bulletin https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/ 

 Payload: @<f:link.external uri="{uri}" target="_blank">Some link</f:link.external>@ 
 ELTS effects: affections: 4.5, 6.2

Back