From 5bc7ca9c8c45d28743560015274215e1c61506c9 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Thu, 18 Nov 2021 09:00:16 +0100
Subject: [PATCH] [TASK] Avoid inline JavaScript in wizard EditController

Closing a popup window does not use inline JavaScript code anymore.

Resolves: #96019
Releases: master, 11.5
Change-Id: Iea2354e30d51ddcd24d9288fe5fa87b924259c13
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72222
Tested-by: core-ci <typo3@b13.com>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
---
 .../Controller/Wizard/EditController.php      | 20 +++++++++++--
 .../Classes/Utility/BackendUtility.php        |  1 +
 .../Resources/Public/JavaScript/Helper.js     | 30 +++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 typo3/sysext/backend/Resources/Public/JavaScript/Helper.js

diff --git a/typo3/sysext/backend/Classes/Controller/Wizard/EditController.php b/typo3/sysext/backend/Classes/Controller/Wizard/EditController.php
index 87abcc1ff87b..ef45f5554124 100644
--- a/typo3/sysext/backend/Classes/Controller/Wizard/EditController.php
+++ b/typo3/sysext/backend/Classes/Controller/Wizard/EditController.php
@@ -27,6 +27,7 @@ use TYPO3\CMS\Core\Http\RedirectResponse;
 use TYPO3\CMS\Core\Utility\ArrayUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
+use TYPO3\CMS\Core\Utility\PathUtility;
 
 /**
  * Script Class for redirecting a backend user to the editing form when an "Edit wizard" link was clicked in FormEngine somewhere
@@ -34,6 +35,8 @@ use TYPO3\CMS\Core\Utility\MathUtility;
  */
 class EditController extends AbstractWizardController
 {
+    protected const JAVASCRIPT_HELPER = 'EXT:backend/Resources/Public/JavaScript/Helper.js';
+
     /**
      * Wizard parameters, coming from FormEngine linking to the wizard.
      *
@@ -59,11 +62,24 @@ class EditController extends AbstractWizardController
     protected $doClose;
 
     /**
-     * A little JavaScript to close the open window.
+     * HTML markup to close the open window.
      *
      * @var string
      */
-    protected $closeWindow = '<script>close();</script>';
+    protected string $closeWindow;
+
+    public function __construct()
+    {
+        $this->closeWindow = sprintf(
+            '<script %s></script>',
+            GeneralUtility::implodeAttributes([
+                'src' => PathUtility::getAbsoluteWebPath(
+                    GeneralUtility::getFileAbsFileName(self::JAVASCRIPT_HELPER)
+                ),
+                'data-action' => 'window.close',
+            ], true)
+        );
+    }
 
     /**
      * Injects the request object for the current request or subrequest
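Review bot: The now-typed `$closeWindow` has no default and is assigned only in the new `__construct()`, so a subclass that declares its own constructor without chaining to this one would hit an uninitialized-property error when the close markup is first read. The constructor also does not call `parent::__construct()`; whether `AbstractWizardController` defines one is not visible in this hunk, so that should be confirmed. I would add a docblock to the constructor, e.g. `Builds the <script src> tag for Helper.js with data-action="window.close"; subclasses overriding the constructor must call parent::__construct().` The `@var string` line kept above the property is redundant next to the native `string` type and can be dropped.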
diff --git a/typo3/sysext/backend/Classes/Utility/BackendUtility.php b/typo3/sysext/backend/Classes/Utility/BackendUtility.php
index 366b49a8a463..259f383d41f3 100644
--- a/typo3/sysext/backend/Classes/Utility/BackendUtility.php
+++ b/typo3/sysext/backend/Classes/Utility/BackendUtility.php
@@ -2436,6 +2436,7 @@ class BackendUtility
      * @param string $addParams Additional parameters to pass to the script.
      * @return string HTML code for input text field.
      * @see getFuncMenu()
+     * @todo not used at least since TYPO3 v9, drop in TYPO3 v12.0
      */
     public static function getFuncInput(
         $mainParams,
diff --git a/typo3/sysext/backend/Resources/Public/JavaScript/Helper.js b/typo3/sysext/backend/Resources/Public/JavaScript/Helper.js
new file mode 100644
index 000000000000..4750af36f7e5
--- /dev/null
+++ b/typo3/sysext/backend/Resources/Public/JavaScript/Helper.js
@@ -0,0 +1,30 @@
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+/**
+ * @internal Use in TYPO3 core only, API can change at any time!
+ */
+(function() {
+  "use strict";
+
+  if (!document.currentScript) {
+    return false;
+  }
+
+  const scriptElement = document.currentScript;
+  switch (scriptElement.dataset.action) {
+    case 'window.close':
+      window.close();
+      break;
+    default:
+  }
+})();
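Review bot: The guard at the top of the IIFE only checks that `document.currentScript` is truthy, not that it is actually the executing script element. That property can be shadowed by a named element in the document (DOM clobbering), in which case `dataset.action` would be read from markup the helper did not intend to trust. Tightening the check to `if (!(document.currentScript instanceof HTMLScriptElement)) { return; }` closes that gap and also drops the `return false`, whose value is discarded by the IIFE. The fixed `switch` is a sound allow-list; a comment on the empty `default:` such as `// unknown actions are ignored on purpose` would keep later additions from turning it into a dynamic dispatch.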
-- 
GitLab