Bug #22886
Make menu titles in the FE htmlspecialchared by default
| Status: | New | Start date: | 2010-06-15 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | 6.0.0 | | |
| TYPO3 Version: | 6.0 | Complexity: | |
| PHP Version: | 5.3 | | |
| Votes: | 0 | | |
Description
1. to prevent XSS (by editors who can create pages)
2. to make the FE valid
(issue imported from #M14732)
History
Updated by Helmut Hummel over 2 years ago
Do you mean TypoScript like foo = TMENU ... or something in css_styled_content?
AFAIK everything that outputs editors' content is hsc'd in css_styled_content.
Updated by Oliver Klee over 1 year ago
- TYPO3 Version changed from 4.4 to 4.6
- Patch is reviewed set to No
- Has patch set to No
Steps to reproduce (on current master):
- Create a site that uses a normal TMENU.
- Create a page with the following title: `ROFL <script>alert(1);</script>`
- View the page in the FE

Expected results:
no pop-ups, the script code is visible in the menu

Actual results:
2x the "1" popup
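The TMENU setup behind the reproduction above, beside a copy that an integrator can harden today without waiting for the default to change, as an added example: this is constructed here and is neither code from the issue, from the reporter, nor from the TYPO3 core. The object names `lib.menu_weak` and `lib.menu_hardened`, the list markup and the enabled item states are assumptions; the page title from the steps above is the constructed input.

```typoscript
# Added example, not from the issue or the TYPO3 core.
# Input: a page whose title is "ROFL <script>alert(1);</script>" (constructed).

# Weak: a plain TMENU as used in the reproduction. The page title is put
# into the link text as it is stored, so an editor's <script> tag reaches
# the browser unescaped.
lib.menu_weak = HMENU
lib.menu_weak {
  entryLevel = 0
  1 = TMENU
  1.wrap = <ul>|</ul>
  1.NO.allWrap = <li>|</li>
}

# Hardened: same menu, but the title is passed through stdWrap's
# htmlspecialchars before it is linked and wrapped, so the tag is
# rendered as visible text ("&lt;script&gt;...") instead of executed.
lib.menu_hardened < lib.menu_weak
lib.menu_hardened.1.NO.stdWrap.htmlspecialchars = 1

# Every item state that is enabled renders the title on its own path,
# so each one needs the same escaping or an unescaped path survives.
# Here the ACT state is derived from the hardened NO state; do the same
# for CUR, SUB, IFSUB etc. if you enable them.
lib.menu_hardened.1.ACT < lib.menu_hardened.1.NO
lib.menu_hardened.1.ACT = 1

# Render the hardened variant on the page.
page = PAGE
page.10 < lib.menu_hardened
```

Check it the same way as the reproduction: with `page.10 < lib.menu_weak` the popup fires, with `page.10 < lib.menu_hardened` the script text is visible in the menu and nothing executes. Escaping the link text does not cover the title when it is also placed into an attribute (for example via ATagParams or ATagTitle); anything that copies the title into markup needs its own htmlspecialchars.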
Updated by Steffen Gebert over 1 year ago
- Target version changed from 4.6.0 to 4.7.0
- TYPO3 Version changed from 4.6 to 4.7
Updated by Steffen Ritter about 1 year ago
- Target version changed from 4.7.0 to 4.7.1
Updated by Steffen Ritter about 1 year ago
- Target version changed from 4.7.1 to 6.0.0
- TYPO3 Version changed from 4.7 to 6.0
This is a change of behaviour which will lead to regressions in production sites; therefore I would like to see that one only in master.
Updated by Helmut Hummel 10 months ago
- Project changed from Core Security to Core
Moving this to the public issue tracker for discussion.
No need to handle that in secret