Bug #82054
Updated by Oliver Hader over 7 years ago
The Fluid view-helper f:link.external directly uses the given URI without further sanitizing it as a link. In the TYPO3 core we strip away @javascript:@ and @data:@ URI schemes. This has been integrated into @ContentObjectRender::typoLink@ with the following security bulletin https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/ Payload: @<f:link.external uri="{uri}" target="_blank">Some link</f:link.external>@ ELTS effects: affections: 4.5, 6.2