bednee / cooluri

GIT repository for TYPO3 extension CoolUri

valuemap with "addQueryString.exclude = L" is not working ... #79

Closed snduesel closed 1 year ago

snduesel commented 6 years ago

If you have a typolink with addQueryString I can't exclude the parameter "L" (is also a security bug from TYPO3 ...)

But if we have the valuemap configured:

    <valuemaps>
        <valuemap>
            <parameter>L</parameter>
            <value key="">0</value>
            <value key="de">1</value>
        </valuemap>
    </valuemaps>
(=> Multidomain)

is it possible to enum the parameter - and I can't exclude the L parameter in my typolink with addQueryString

=> XSS is possible

I need a default-value in my valuemap! For example: <value key="">*</value>

https://forge.typo3.org/issues/80327

bednee commented 6 years ago

I don't understand that. Where does the L value come from? If you add it to the addQueryString it has to come from somewhere. If it's from linkVars you can limit the content of linkVars like this:

    config.linkVars = L(1-9)

In this case only L with value 1 to 9 will be preserved, any other value will be ignored. Is that what you want?
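
The restriction described in the comment above, as an added example that is not part of the original thread and is not CoolUri or TYPO3 code: a simplified Python model of how a constrained linkVars entry such as `L(1-9)` decides which GET values are carried into generated links. The function names, the supported constraint forms (`int`, `min-max`, `a|b` list) and the sample query strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Simplified model (an assumption, not TYPO3 source) of a linkVars entry:
# a parameter name with an optional constraint in parentheses, e.g. "L(1-9)".
_ENTRY = re.compile(r"^([^()]+?)(?:\((.*)\))?$")


def parse_link_vars(spec):
    """Turn 'L(1-9), type(int)' into {'L': '1-9', 'type': 'int'}."""
    rules = {}
    for entry in (e.strip() for e in spec.split(",")):
        if entry:
            m = _ENTRY.match(entry)
            rules[m.group(1).strip()] = m.group(2)  # None = unrestricted
    return rules


def value_allowed(value, constraint):
    """Check one GET value against the constraint of its linkVars entry."""
    if constraint is None:
        return True  # plain "L": any string is preserved, markup included
    is_int = re.fullmatch(r"-?[0-9]+", value) is not None
    if constraint == "int":
        return is_int
    rng = re.fullmatch(r"([0-9]+)-([0-9]+)", constraint)
    if rng:  # numeric range such as "1-9"
        return is_int and int(rng.group(1)) <= int(value) <= int(rng.group(2))
    return value in constraint.split("|")  # explicit list such as "de|en"


def preserved_link_vars(query_string, spec):
    """Return the query-string part that would be carried into new links."""
    rules = parse_link_vars(spec)
    kept = [(k, v)
            for k, v in parse_qsl(query_string, keep_blank_values=True)
            if k in rules and value_allowed(v, rules[k])]
    return urlencode(kept)


if __name__ == "__main__":
    # Constructed sample requests: a normal language id and a value carrying markup.
    for qs in ("id=5&L=1", "id=5&L=%22%3E%3Cb%3E", "id=5&L=10"):
        print(qs, "| L ->", repr(preserved_link_vars(qs, "L")),
              "| L(1-9) ->", repr(preserved_link_vars(qs, "L(1-9)")))
```

With the unrestricted entry the markup-bearing value is passed through to every generated link, while the ranged entry drops it along with any number outside 1 to 9.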