Bug #82054
Updated by Oliver Hader over 7 years ago
The Fluid view-helper f:link.external directly uses the given URI without further sanitizing it as a link. In the TYPO3 core we strip away @javascript:@ and @data:@ URI schemes. This has been integrated into @ContentObjectRenderer::typoLink@ with the following security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/

Payload:

* @<f:link.external uri="{uri}" target="_blank">Some link</f:link.external>@
* @uri@ variable containing @javascript:alert('XSS')@

ELTS effects: 4.5, 6.2
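The check that the report says @f:link.external@ lacks, shown as an added example rather than TYPO3 core or Fluid code: the function names @isSafeExternalUri@ and @renderExternalLink@ are hypothetical, and it uses a scheme allow-list instead of only stripping @javascript:@ and @data:@ the way the bulletin's @typoLink@ fix does, because an allow-list also covers schemes a deny-list forgets (for example @vbscript:@). Browsers ignore tabs, newlines and leading control characters when they parse a scheme, so the scheme is matched on a copy with those characters removed; the original URI is still what gets escaped into the @href@.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not TYPO3 core code): decide whether a user-supplied URI may be
 * emitted as an href. Allow-list of schemes; scheme-relative and relative URIs
 * carry no scheme and are kept.
 */
function isSafeExternalUri(string $uri): bool
{
    // Browsers drop TAB/LF/CR and leading control characters while parsing the
    // scheme, so "java\tscript:" is still javascript:. Normalise before matching.
    $normalized = preg_replace('/[\x00-\x20]/', '', $uri);
    if ($normalized === null) {
        return false;
    }
    // No "scheme:" prefix (e.g. "//host/x" or "docs/page.html"): nothing to reject.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        return true;
    }
    $scheme = strtolower($m[1]);
    $allowed = ['http', 'https', 'mailto', 'tel', 'ftp'];
    return in_array($scheme, $allowed, true);
}

/**
 * Render an external link. On an unsafe scheme the label is returned as
 * escaped text only, so the attacker-controlled URI never reaches the markup.
 */
function renderExternalLink(string $uri, string $label, string $target = '_blank'): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!isSafeExternalUri($uri)) {
        return $esc($label);
    }
    // target="_blank" without rel="noopener" hands the opener window to the target page.
    $rel = $target === '_blank' ? ' rel="noopener noreferrer"' : '';
    return sprintf('<a href="%s" target="%s"%s>%s</a>', $esc($uri), $esc($target), $rel, $esc($label));
}

// Constructed sample inputs, including the payload shape from the report.
$samples = [
    'https://example.org/docs',
    '//cdn.example.org/lib.js',
    "javascript:alert('XSS')",
    " \tJaVaScRiPt:alert(1)",
    'data:text/html;base64,PHNjcmlwdD4=',
    'mailto:security@example.org',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s), isSafeExternalUri($s) ? 'allowed' : 'rejected');
}
echo renderExternalLink("javascript:alert('XSS')", 'Some link'), "\n"; // plain "Some link", no <a>
echo renderExternalLink('https://example.org/docs', 'Some link'), "\n";
```

Run it with @php example.php@. The three @javascript:@ and @data:@ samples are rejected, the others allowed; the first @renderExternalLink@ call emits only the escaped label. A view-helper fix would apply the same check to its @uri@ argument before building the tag.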