From ca0a2c1de29b6b7cc83e71b65f58935559f9f19b Mon Sep 17 00:00:00 2001
From: Wouter Wolters <typo3@wouterwolters.nl>
Date: Mon, 1 Dec 2014 18:55:45 +0100
Subject: [PATCH] [TASK] Add missing htmlspecialchars() or quoteJSvalue() in
ToolbarItems
Resolves: #63489
Releases: master
Change-Id: I6e1d1dfd476a2ea33d81ce918cf6f41a43edade4
Reviewed-on: http://review.typo3.org/34884
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
---
.../Backend/ToolbarItems/HelpToolbarItem.php | 14 ++++++------
.../ToolbarItems/ShortcutToolbarItem.php | 22 +++++++++----------
.../Backend/ToolbarItems/UserToolbarItem.php | 14 ++++++------
3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/typo3/sysext/backend/Classes/Backend/ToolbarItems/HelpToolbarItem.php b/typo3/sysext/backend/Classes/Backend/ToolbarItems/HelpToolbarItem.php
index de57df3be00b..1a806e7661a5 100644
--- a/typo3/sysext/backend/Classes/Backend/ToolbarItems/HelpToolbarItem.php
+++ b/typo3/sysext/backend/Classes/Backend/ToolbarItems/HelpToolbarItem.php
@@ -73,14 +73,14 @@ class HelpToolbarItem implements ToolbarItemInterface {
/** @var BackendModule $module */
$moduleIcon = $module->getIcon();
$dropdown[] ='<li'
- . ' id="' . $module->getName() . '"'
- . ' class="typo3-module-menu-item submodule mod-' . $module->getName() . '" '
- . ' data-modulename="' . $module->getName() . '"'
- . ' data-navigationcomponentid="' . $module->getNavigationComponentId() . '"'
- . ' data-navigationframescript="' . $module->getNavigationFrameScript() . '"'
- . ' data-navigationframescriptparameters="' . $module->getNavigationFrameScriptParameters() . '"'
+ . ' id="' . htmlspecialchars($module->getName()) . '"'
+ . ' class="typo3-module-menu-item submodule mod-' . htmlspecialchars($module->getName()) . '" '
+ . ' data-modulename="' . htmlspecialchars($module->getName()) . '"'
+ . ' data-navigationcomponentid="' . htmlspecialchars($module->getNavigationComponentId()) . '"'
+ . ' data-navigationframescript="' . htmlspecialchars($module->getNavigationFrameScript()) . '"'
+ . ' data-navigationframescriptparameters="' . htmlspecialchars($module->getNavigationFrameScriptParameters()) . '"'
. '>';
- $dropdown[] = '<a title="' . htmlspecialchars($module->getDescription()) . '" href="' . $module->getLink() . '" class="dropdown-list-link modlink">';
+ $dropdown[] = '<a title="' . htmlspecialchars($module->getDescription()) . '" href="' . htmlspecialchars($module->getLink()) . '" class="dropdown-list-link modlink">';
$dropdown[] = '<span class="submodule-icon typo3-app-icon"><span><span>' . ($moduleIcon['html'] ?: $moduleIcon['html']) . '</span></span></span>';
$dropdown[] = '<span class="submodule-label">' . htmlspecialchars($module->getTitle()) . '</span>';
$dropdown[] = '</a>';
diff --git a/typo3/sysext/backend/Classes/Backend/ToolbarItems/ShortcutToolbarItem.php b/typo3/sysext/backend/Classes/Backend/ToolbarItems/ShortcutToolbarItem.php
index 4a04d08c94cb..ca166cf41fc1 100644
--- a/typo3/sysext/backend/Classes/Backend/ToolbarItems/ShortcutToolbarItem.php
+++ b/typo3/sysext/backend/Classes/Backend/ToolbarItems/ShortcutToolbarItem.php
@@ -131,8 +131,8 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
foreach ($noGroupShortcuts as $shortcut) {
$shortcutMenu[] = '
- <li class="shortcut" data-shortcutid="' . $shortcut['raw']['uid'] . '">
- <a class="dropdown-list-link dropdown-link-list-add-editdelete" href="#" onclick="' . htmlspecialchars($shortcut['action']) . '; return false;">' .
+ <li class="shortcut" data-shortcutid="' . (int)$shortcut['raw']['uid'] . '">
+ <a class="dropdown-list-link dropdown-link-list-add-editdelete" href="#" onclick="' . htmlspecialchars($shortcut['action']) . ' return false;">' .
$shortcut['icon'] . ' ' .
htmlspecialchars($shortcut['label']) .
'</a>
@@ -149,7 +149,7 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
$shortcutGroup .= '<li class="divider"></li>';
}
$shortcutGroup .= '
- <li class="dropdown-header" id="shortcut-group-' . $groupId . '">
+ <li class="dropdown-header" id="shortcut-group-' . (int)$groupId . '">
' . $groupLabel . '
</li>';
$shortcuts = $this->getShortcutsByGroup($groupId);
@@ -157,8 +157,8 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
foreach ($shortcuts as $shortcut) {
$i++;
$shortcutGroup .= '
- <li class="shortcut" data-shortcutid="' . $shortcut['raw']['uid'] . '" data-shortcutgroup="' . $groupId . '">
- <a class="dropdown-list-link dropdown-link-list-add-editdelete" href="#" onclick="' . $shortcut['action'] . '; return false;">' .
+ <li class="shortcut" data-shortcutid="' . (int)$shortcut['raw']['uid'] . '" data-shortcutgroup="' . (int)$groupId . '">
+ <a class="dropdown-list-link dropdown-link-list-add-editdelete" href="#" onclick="' . htmlspecialchars($shortcut['action']) . ' return false;">' .
$shortcut['icon'] . ' ' .
htmlspecialchars($shortcut['label']) .
'</a>
@@ -291,7 +291,7 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
$shortcut['group'] = $shortcutGroup;
$shortcut['icon'] = $this->getShortcutIcon($row, $shortcut);
$shortcut['iconTitle'] = $this->getShortcutIconTitle($shortcut['label'], $row['module_name'], $row['M_module_name']);
- $shortcut['action'] = 'jump(unescape(\'' . rawurlencode($this->getTokenUrl($row['url'])) . '\'),\'' . $moduleName . '\',\'' . $moduleParts[0] . '\', ' . (int)$pageId . ');';
+ $shortcut['action'] = 'jump(' . GeneralUtility::quoteJSvalue($this->getTokenUrl($row['url'])) . ',' . GeneralUtility::quoteJSvalue($moduleName) . ',' . GeneralUtility::quoteJSvalue($moduleParts[0]) . ', ' . (int)$pageId . ');';
$shortcuts[] = $shortcut;
}
@@ -396,14 +396,14 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
$label = $languageService->sL('LLL:EXT:lang/locallang_misc.xlf:bookmark_group_' . abs($groupId), TRUE);
if (empty($label)) {
// Fallback label
- $label = $languageService->getLL('bookmark_group', 1) . ' ' . abs($groupId);
+ $label = $languageService->getLL('bookmark_group', TRUE) . ' ' . abs($groupId);
}
}
if ($groupId < 0) {
// Global group
$label = $languageService->sL('LLL:EXT:lang/locallang_misc.xlf:bookmark_global', TRUE) . ': ' . (!empty($label) ? $label : abs($groupId));
if ($groupId === self::SUPERGLOBAL_GROUP) {
- $label = $languageService->getLL('bookmark_global', 1) . ': ' . $languageService->getLL('bookmark_all', 1);
+ $label = $languageService->getLL('bookmark_global', TRUE) . ': ' . $languageService->getLL('bookmark_all', TRUE);
}
}
$this->shortcutGroups[$groupId] = $label;
@@ -496,7 +496,7 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
// Determine shortcut type
$url = rawurldecode($url);
$queryParts = parse_url($url);
- $queryParameters = GeneralUtility::explodeUrl2Array($queryParts['query'], 1);
+ $queryParameters = GeneralUtility::explodeUrl2Array($queryParts['query'], TRUE);
// Proceed only if no scheme is defined, as URL is expected to be relative
if (empty($queryParts['scheme'])) {
if (is_array($queryParameters['edit'])) {
@@ -504,10 +504,10 @@ class ShortcutToolbarItem implements ToolbarItemInterface {
$shortcut['recordid'] = key($queryParameters['edit'][$shortcut['table']]);
if ($queryParameters['edit'][$shortcut['table']][$shortcut['recordid']] == 'edit') {
$shortcut['type'] = 'edit';
- $shortcutNamePrepend = $languageService->getLL('shortcut_edit', 1);
+ $shortcutNamePrepend = $languageService->getLL('shortcut_edit', TRUE);
} elseif ($queryParameters['edit'][$shortcut['table']][$shortcut['recordid']] == 'new') {
$shortcut['type'] = 'new';
- $shortcutNamePrepend = $languageService->getLL('shortcut_create', 1);
+ $shortcutNamePrepend = $languageService->getLL('shortcut_create', TRUE);
}
} else {
$shortcut['type'] = 'other';
diff --git a/typo3/sysext/backend/Classes/Backend/ToolbarItems/UserToolbarItem.php b/typo3/sysext/backend/Classes/Backend/ToolbarItems/UserToolbarItem.php
index 2330efdad02e..f8ac23b12500 100644
--- a/typo3/sysext/backend/Classes/Backend/ToolbarItems/UserToolbarItem.php
+++ b/typo3/sysext/backend/Classes/Backend/ToolbarItems/UserToolbarItem.php
@@ -85,14 +85,14 @@ class UserToolbarItem implements ToolbarItemInterface {
/** @var BackendModule $module */
$moduleIcon = $module->getIcon();
$dropdown[] ='<li'
- . ' id="' . $module->getName() . '"'
- . ' class="typo3-module-menu-item submodule mod-' . $module->getName() . '" '
- . ' data-modulename="' . $module->getName() . '"'
- . ' data-navigationcomponentid="' . $module->getNavigationComponentId() . '"'
- . ' data-navigationframescript="' . $module->getNavigationFrameScript() . '"'
- . ' data-navigationframescriptparameters="' . $module->getNavigationFrameScriptParameters() . '"'
+ . ' id="' . htmlspecialchars($module->getName()) . '"'
+ . ' class="typo3-module-menu-item submodule mod-' . htmlspecialchars($module->getName()) . '" '
+ . ' data-modulename="' . htmlspecialchars($module->getName()) . '"'
+ . ' data-navigationcomponentid="' . htmlspecialchars($module->getNavigationComponentId()) . '"'
+ . ' data-navigationframescript="' . htmlspecialchars($module->getNavigationFrameScript()) . '"'
+ . ' data-navigationframescriptparameters="' . htmlspecialchars($module->getNavigationFrameScriptParameters()) . '"'
. '>';
- $dropdown[] = '<a title="' . htmlspecialchars($module->getDescription()) . '" href="' . $module->getLink() . '" class="dropdown-list-link modlink">';
+ $dropdown[] = '<a title="' . htmlspecialchars($module->getDescription()) . '" href="' . htmlspecialchars($module->getLink()) . '" class="dropdown-list-link modlink">';
$dropdown[] = '<span class="submodule-icon typo3-app-icon"><span><span>' . ($moduleIcon['html'] ?: $moduleIcon['html']) . '</span></span></span>';
$dropdown[] = '<span class="submodule-label">' . htmlspecialchars($module->getTitle()) . '</span>';
$dropdown[] = '</a>';
--
GitLab