[SECURITY] Disallow javascript & data scheme in URL link handler
URLs defined using TYPO3's internal t3://url/?url=... notation are now hardened against using `javascript:` and `data:` URL schemes.

Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit: 1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php (5 additions, 2 deletions)
- typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php (16 additions, 1 deletion)
- typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php (1 addition, 1 deletion)
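
The kind of check the commit message describes, as an added example that is not TYPO3's code from this commit: a standalone PHP function that extracts the target of a t3://url/?url=... link and rejects `javascript:` and `data:` schemes, including mixed-case and whitespace-padded spellings. The function name, the constant and the sample links are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not TYPO3's UrlLinkHandler implementation.
const DISALLOWED_SCHEMES = ['javascript', 'data'];

/**
 * Return the target of a t3://url/?url=... link, or '' when the link is
 * malformed or the target uses a disallowed scheme.
 */
function resolveT3UrlTarget(string $link): string
{
    $parts = parse_url($link);
    if (!is_array($parts)
        || strtolower($parts['scheme'] ?? '') !== 't3'
        || strtolower($parts['host'] ?? '') !== 'url'
    ) {
        return '';
    }
    parse_str($parts['query'] ?? '', $query);
    $target = $query['url'] ?? '';
    if (!is_string($target)) {
        return ''; // url[]=... would yield an array
    }
    // Browsers strip leading control characters/spaces and drop tabs and
    // newlines inside a URL, so remove them before inspecting the scheme.
    // Stripping every such byte is deliberately stricter than a browser.
    $probe = preg_replace('/[\x00-\x20]+/', '', $target) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m) === 1
        && in_array(strtolower($m[1]), DISALLOWED_SCHEMES, true)
    ) {
        return '';
    }
    return $target;
}

// Constructed sample links (not taken from the commit or its tests).
$samples = [
    't3://url/?url=https%3A%2F%2Fexample.org%2Fpage',
    't3://url/?url=javascript%3Avoid(0)',
    't3://url/?url=JaVaScRiPt%3Avoid(0)',
    't3://url/?url=%09java%0Ascript%3Avoid(0)',
    't3://url/?url=data%3Atext%2Fplain%2Chello',
];
foreach ($samples as $link) {
    $target = resolveT3UrlTarget($link);
    printf("%-45s => %s\n", $link, $target === '' ? '(rejected)' : $target);
}
```

A denylist of two schemes mirrors what the commit message names; output encoding of the resulting `href` is still required wherever the target is rendered.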