From ac0ec24580c0ca5eacb26f67f02dcc5cdb2a0658 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Sat, 18 Apr 2020 00:41:33 +0200
Subject: [PATCH] [TASK] Avoid using form elements in clipboard and element
 history module

Using HTML form elements without actually making use of typical consumers
(input, textarea, select, ...) seems to be superfluous.

Resolves: #91101
Releases: master
Change-Id: I37a6647f162a8b1f3f8394ad04458830abca0e26
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64222
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 typo3/sysext/backend/Classes/Clipboard/Clipboard.php     | 9 ++++-----
 .../ContentElement/ElementHistoryController.php          | 3 +--
 .../Private/Partials/Clipboard/CopymodeSelector.html     | 4 ++--
 .../Private/Partials/RecordHistory/Settings.html         | 7 +++----
 .../Resources/Private/Templates/Clipboard/Main.html      | 5 +++--
 5 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Clipboard/Clipboard.php b/typo3/sysext/backend/Classes/Clipboard/Clipboard.php
index 7abcff50364f..87aeb9fd0ef9 100644
--- a/typo3/sysext/backend/Classes/Clipboard/Clipboard.php
+++ b/typo3/sysext/backend/Classes/Clipboard/Clipboard.php
@@ -261,11 +261,10 @@ class Clipboard
     {
         $languageService = $this->getLanguageService();
         $elementCount = count($this->elFromTable($this->fileMode ? '_FILE' : ''));
-        // Copymode Selector menu
-        $copymodeUrl = GeneralUtility::linkThisScript();
-
-        $this->view->assign('actionCopyModeUrl', htmlspecialchars(GeneralUtility::quoteJSvalue($copymodeUrl . '&CB[setCopyMode]=')));
-        $this->view->assign('actionCopyModeUrl1', htmlspecialchars(GeneralUtility::quoteJSvalue($copymodeUrl . '&CB[setCopyMode]=1')));
+        // CopyMode Selector menu
+        $copyModeUrl = GeneralUtility::linkThisScript();
+        $this->view->assign('actionCopyModeUrl', $copyModeUrl . '&CB[setCopyMode]=#clip_head');
+        $this->view->assign('actionCopyModeUrl1', $copyModeUrl . '&CB[setCopyMode]=1#clip_head');
         $this->view->assign('currentMode', $this->currentMode());
         $this->view->assign('elementCount', $elementCount);
 
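Review bot: The two `assign()` calls for `actionCopyModeUrl` and `actionCopyModeUrl1` now hand the view an unescaped URL, so HTML escaping depends entirely on Fluid's default output escaping in CopymodeSelector.html. `GeneralUtility::linkThisScript()` builds its result from the current request's query parameters, so the value is request-derived rather than a constant. A comment above the assignments would record that contract for later template edits, e.g. `// Raw, request-derived URL: the template must render it escaped (never via f:format.raw)`. The enclosing method starts and ends outside this hunk.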
diff --git a/typo3/sysext/backend/Classes/Controller/ContentElement/ElementHistoryController.php b/typo3/sysext/backend/Classes/Controller/ContentElement/ElementHistoryController.php
index cbc8e91ddea0..9aa64d877d3a 100644
--- a/typo3/sysext/backend/Classes/Controller/ContentElement/ElementHistoryController.php
+++ b/typo3/sysext/backend/Classes/Controller/ContentElement/ElementHistoryController.php
@@ -151,7 +151,6 @@ class ElementHistoryController
             }
         }
 
-        $this->view->assign('TYPO3_REQUEST_URI', $normalizedParams->getRequestUrl());
         $this->view->assign('editLock', $this->editLock);
 
         // Setting up the buttons and markers for docheader
@@ -275,7 +274,7 @@ class ElementHistoryController
 
         foreach ($selector as $key => $values) {
             foreach ($values as $singleKey => $singleVal) {
-                $selector[$key][$singleKey]['scriptUrl'] = htmlspecialchars(GeneralUtility::quoteJSvalue($scriptUrl . '&settings[' . $key . ']=' . $singleKey));
+                $selector[$key][$singleKey]['scriptUrl'] = $scriptUrl . '&settings[' . $key . ']=' . $singleKey;
             }
         }
         $this->view->assign('settings', $selector);
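Review bot: `$key` and `$singleKey` are concatenated into the query string without URL encoding on the new `scriptUrl` line, and with `quoteJSvalue()`/`htmlspecialchars()` removed nothing in PHP constrains them any more. `$selector` is built outside this hunk, so whether a key can ever contain `&`, `#` or `=` is not visible here; if one could, the link would carry a different parameter set than intended. Encoding both parts keeps the URL well-formed regardless: `$scriptUrl . '&settings[' . rawurlencode((string)$key) . ']=' . rawurlencode((string)$singleKey)`. HTML escaping of the result is then left to Fluid in Settings.html.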
diff --git a/typo3/sysext/backend/Resources/Private/Partials/Clipboard/CopymodeSelector.html b/typo3/sysext/backend/Resources/Private/Partials/Clipboard/CopymodeSelector.html
index bf96693f1590..2dbe21b2291d 100644
--- a/typo3/sysext/backend/Resources/Private/Partials/Clipboard/CopymodeSelector.html
+++ b/typo3/sysext/backend/Resources/Private/Partials/Clipboard/CopymodeSelector.html
@@ -11,7 +11,7 @@
         <span class="caret"></span>
     </button>
     <ul class="dropdown-menu" aria-labelledby="copymodeSelector">
-        <li><a href="#" onclick="document.getElementById('clipboard_form').method='POST'; document.getElementById('clipboard_form').action={actionCopyModeUrl}; document.getElementById('clipboard_form').submit(); return true;">{f:translate(key: 'LLL:EXT:core/Resources/Private/Language/locallang_misc.xlf:moveElements')}</a></li>
-        <li><a href="#" onclick="document.getElementById('clipboard_form').method='POST'; document.getElementById('clipboard_form').action={actionCopyModeUrl1}; document.getElementById('clipboard_form').submit(); return true;">{f:translate(key: 'LLL:EXT:core/Resources/Private/Language/locallang_misc.xlf:copyElements')}</a></li>
+        <li><a href="{actionCopyModeUrl}">{f:translate(key: 'LLL:EXT:core/Resources/Private/Language/locallang_misc.xlf:moveElements')}</a></li>
+        <li><a href="{actionCopyModeUrl1}">{f:translate(key: 'LLL:EXT:core/Resources/Private/Language/locallang_misc.xlf:copyElements')}</a></li>
     </ul>
 </div>
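Review bot: Switching the copy mode is now a plain GET navigation, since both `<a href>` entries carry `CB[setCopyMode]` in the URL where the removed `onclick` submitted the form as POST. The same holds for the `settings[...]` links in the Settings.html hunk. The handler evidently accepts the parameter from the query string, so protection against cross-site triggering or link prefetching rests on whatever token check the backend route applies, which this patch does not show. It is worth confirming that check and recording the dependency next to the list, e.g. `<f:comment>State-changing GET links; CSRF protection relies on the backend route token</f:comment>`.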
diff --git a/typo3/sysext/backend/Resources/Private/Partials/RecordHistory/Settings.html b/typo3/sysext/backend/Resources/Private/Partials/RecordHistory/Settings.html
index e7084ad2860d..d15542de7f5e 100644
--- a/typo3/sysext/backend/Resources/Private/Partials/RecordHistory/Settings.html
+++ b/typo3/sysext/backend/Resources/Private/Partials/RecordHistory/Settings.html
@@ -5,7 +5,7 @@
             <a href="{fullHistoryUrl}" class="btn btn-default" style="margin-bottom: 5px;">{f:translate(key: 'LLL:EXT:backend/Resources/Private/Language/locallang_show_rechis.xlf:elementHistory_link')}</a>
         </f:if>
     </f:if>
-    <form name="settings" action="{TYPO3_REQUEST_URI}" method="post">
+    <div id="element-history-settings">
         <div class="row">
             <div class="col-sm-12 col-md-6 col-lg-4">
                 <div class="panel panel-default">
@@ -54,8 +54,7 @@
                                         </button>
                                         <ul class="dropdown-menu" aria-labelledby="copymodeSelector">
                                             <f:for each="{values}" as="singleValue" key="singleKey">
-                                                <li><a href="#"
-                                                            onclick="document.settings.method='POST'; document.settings.action={singleValue.scriptUrl}; document.settings.submit()">
+                                                <li><a href="{singleValue.scriptUrl}">
                                                     <f:if condition="{f:translate(key: 'LLL:EXT:backend/Resources/Private/Language/locallang_show_rechis.xlf:{singleValue.value}')}">
                                                         <f:then>{f:translate(key: 'LLL:EXT:backend/Resources/Private/Language/locallang_show_rechis.xlf:{singleValue.value}')}</f:then>
                                                         <f:else>{singleValue.value}</f:else>
@@ -71,5 +70,5 @@
                 </div>
             </div>
         </div>
-    </form>
+    </div>
 </div>
diff --git a/typo3/sysext/backend/Resources/Private/Templates/Clipboard/Main.html b/typo3/sysext/backend/Resources/Private/Templates/Clipboard/Main.html
index 0eb2d2639031..7a2a98708696 100644
--- a/typo3/sysext/backend/Resources/Private/Templates/Clipboard/Main.html
+++ b/typo3/sysext/backend/Resources/Private/Templates/Clipboard/Main.html
@@ -1,4 +1,5 @@
-<form action="" id="clipboard_form">
+<f:comment><!-- "clipboard_form" is kept for backward compatibility reasons, it's actually not a form anymore --></f:comment>
+<div id="clipboard_form">
     <a name="clip_head"></a>
     <div class="row">
         <div class="col-sm-12">
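Review bot: Keeping `id="clipboard_form"` on a `<div>` preserves element lookups, but any remaining script that follows the removed pattern `document.getElementById('clipboard_form').submit()` will now throw, because a `div` has no `submit()` method. The `<f:comment>` could spell out the limit of the compatibility promise, e.g. `"clipboard_form" id is kept for selectors only; the element is a div, so .submit() and .action no longer work`. Whether such callers exist outside the files touched here is not visible in this patch.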
@@ -30,4 +31,4 @@
             </div>
         </div>
     </div>
-</form>
+</div>
-- 
GitLab