[SECURITY] Avoid XSS by correctly encoding typolink results
In order to avoid XSS through typolink, anchor text is encoded
correctly to be used in an HTML context. Fallback link texts of
links to pages are encoded by default in case lib.parseFunc
has not been configured.

Resolves: #88635
Releases: master, 9.5, 8.7
Security-Commit: 57c5eeb93e6df4b1958bcafcd85ada6c7e355d41
Security-Bulletin: TYPO3-CORE-SA-2019-022
Change-Id: I9a415d6b2ed494dac7f4747e25460d95e1f27284
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62704
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
ohader committed Dec 17, 2019
1 parent 2ad28eb commit 89f5817
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions Classes/LinkHandling/UrlLinkHandler.php
@@ -54,6 +54,7 @@ protected function addHttpSchemeAsFallback(string $url): string
$scheme = parse_url($url, PHP_URL_SCHEME);
if (empty($scheme)) {
$url = 'http://' . $url;
// 'java{TAB}script:' is parsed as empty URL scheme, thus not ending up here
} elseif (in_array(strtolower($scheme), ['javascript', 'data'], true)) {
// deny using insecure scheme's like `javascript:` or `data:` as URL scheme
$url = '';
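Review bot: the added comment `// 'java{TAB}script:' is parsed as empty URL scheme, thus not ending up here` sits inside the `if (empty($scheme))` branch, yet "here" refers to the `elseif` denylist below it, so a reader of the first branch may take it to mean the tab-separated variant is rejected there, when that branch actually prefixes `http://` and keeps the value; move the comment directly above the `elseif` (or reword it to "...thus it takes the `http://` fallback above rather than this branch") so the intent is unambiguous. Separately, the check `in_array(strtolower($scheme), ['javascript', 'data'], true)` is a two-entry denylist; consider documenting why a denylist was chosen over an allowlist of the schemes the handler is expected to produce, since the denylist has to be extended by hand for every further scheme that should not be emitted. Minor: the comment reads "insecure scheme's" where "schemes" is meant.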
