[SECURITY] Avoid XSS by correctly encoding typolink results
In order to avoid XSS through typolink, anchor text is encoded correctly to be used in an HTML context. Fallback link texts of links to pages are encoded by default in case lib.parseFunc has not been configured.

Resolves: #88635
Releases: master, 9.5, 8.7
Security-Commit: b62f71c4e098156052ff33e775208981c2ef512b
Security-Bulletin: TYPO3-CORE-SA-2019-022
Change-Id: I76b0f06ad52a487e1aebc820531c11166ad45117
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62716
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Showing 8 changed files:
- typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php (1 addition, 0 deletions)
- typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php (1 addition, 1 deletion)
- typo3/sysext/frontend/Classes/Typolink/AbstractTypolinkBuilder.php (35 additions, 2 deletions)
- typo3/sysext/frontend/Classes/Typolink/ExternalUrlLinkBuilder.php (1 addition, 1 deletion)
- typo3/sysext/frontend/Classes/Typolink/FileOrFolderLinkBuilder.php (1 addition, 1 deletion)
- typo3/sysext/frontend/Classes/Typolink/LegacyLinkBuilder.php (2 additions, 2 deletions)
- typo3/sysext/frontend/Tests/Functional/SiteHandling/Fixtures/TypoLinkScenario.yaml (40 additions, 0 deletions)
- typo3/sysext/frontend/Tests/Functional/SiteHandling/TypoLinkGeneratorTest.php (428 additions, 25 deletions)