From 8974fd23e7e6b4f1747c6e2a0adc11f24e4c2092 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Mon, 26 Oct 2015 16:33:20 +0100
Subject: [PATCH] [BUGFIX] Invalid CSRF token on viewing page using page-tree context menu
Frontend previews triggered using the context menu of the page-tree are causing an exception concerning an "invalid CSRF token". The reason for this is that URL loaded in the context menu are delivered via ExtDirect and thus are encoded for a JavaScript context. Ampersands are encoded as well, using the unicode serialization in JSON ('\u0026'). This issue is solved by decoding the value again and thus resolve the expected URL to be delivered as XHR result.
Resolves: #69021
Releases: master
Change-Id: I5836ae0f3d461f6e3a091c783b9fccd4412eaffb
Reviewed-on: https://review.typo3.org/44297
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
---
 .../Classes/Tree/Pagetree/ExtdirectTreeCommands.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php b/typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php
index 20ea4baec5ab..4473f37cfd80 100644
--- a/typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php
+++ b/typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php 
@@ -325,16 +325,21 @@ class ExtdirectTreeCommands
 /**
 * Returns the view link of a given node
 *
- * @param stdClass $nodeData
+ * @param \stdClass $nodeData
 * @return string
 */
 public static function getViewLink($nodeData)
 {
 /** @var $node \TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode */
 $node = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode::class, (array)$nodeData);
- $javascriptLink = stripslashes(BackendUtility::viewOnClick($node->getId()));
- preg_match('/window\\.open\\(\'([^\']+)\'/i', $javascriptLink, $match);
- return $match[1];
+ $javascriptLink = BackendUtility::viewOnClick($node->getId());
+ $extractedLink = '';
+ if (preg_match('/window\\.open\\(\'([^\']+)\'/i', $javascriptLink, $match)) {
+ // Clean JSON-serialized ampersands ('&')
+ // @see GeneralUtility::quoteJSvalue()
+ $extractedLink = json_decode('"' . trim($match[1], '"') . '"', JSON_HEX_AMP);
+ };
+ return $extractedLink;
 }
 
 /**
-- 
GitLab
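Review bot: The new `$extractedLink = json_decode(..., JSON_HEX_AMP)` line passes `JSON_HEX_AMP` as the second argument of `json_decode()`, which is `$assoc`, not `$flags`; `JSON_HEX_AMP` is a `json_encode()` flag anyway, so here it is silently treated as `$assoc = true` and has no effect on a scalar string. The more important gap is that `json_decode()` returns `null` whenever the captured substring is not valid JSON string content (for instance an escape sequence JSON does not accept), so the method would then return `null` despite its `@return string` contract and the caller would build the preview request from an empty target — including the CSRF token this fix is meant to preserve — with no visible error. I would drop the flag argument and coerce the result explicitly: `$decoded = json_decode('"' . trim($match[1], '"') . '"');` followed by `$extractedLink = is_string($decoded) ? $decoded : '';`. The stray `;` after the closing brace of the `if` block (`+ };`) is an empty statement and should be removed. `getViewLink()` lies wholly inside the hunk, but the enclosing class `ExtdirectTreeCommands` continues outside it.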