Bug #35853
Snippets Copy Button + htmlspecialchars
| Field | Value |
|---|---|
| Status: | Rejected |
| Priority: | Should have |
| Assignee: | Helmut Hummel |
| Category: | [FOR] Snippets |
| Target version: | - |
| Start date: | 2012-04-11 |
| Due date: | |
| % Done: | 50% |
| Votes: | 0 |
Description
Hello,
If you try to use the copy button in this snippet
http://typo3.org/documentation/snippets/sd/75/
you get something like this:
```
subheader_stdWrap {
...
...
append.wrap = <span class="news-list-morelink">|</span>
...
outerWrap = <p>|</p>
}
```
instead of:
```
subheader_stdWrap {
...
...
append.wrap = <span class="news-list-morelink">|</span>
...
outerWrap =<p>|</p>
}
```
History
Updated by Sven Burkert about 1 year ago
- Status changed from New to Accepted
- Assignee set to Sven Burkert
Updated by Sven Burkert about 1 year ago
- % Done changed from 0 to 100
Fixed in SVN, needs to be deployed.
Updated by Helmut Hummel about 1 year ago
- Status changed from Accepted to Needs Feedback
Sven Burkert wrote:
> Fixed in SVN, needs to be deployed.

If a snippet contains "</textarea>" it will break out of the context and all HTML (and of course JS) after that will be evaluated by the browser.
Thus your fix introduces an XSS possibility! Please do not deploy.
Updated by Helmut Hummel about 1 year ago
- % Done changed from 100 to 50
Updated by Helmut Hummel about 1 year ago
There's no way around using htmlspecialchars() there:
http://stackoverflow.com/questions/1122902/using-a-textarea-to-protect-against-scripts
I'm currently not quite sure if doing htmlentities_decode in JS has any security implications:
http://www.strictly-software.com/htmlencode
But looking at the JS code, it looks fine at first sight for decoding.
Updated by Sven Burkert about 1 year ago
- Assignee changed from Sven Burkert to Helmut Hummel
Thank you for your help, Helmut.
I've used htmlspecialchars again and I am wondering that the content copied to the clipboard is still decoded. It seems the jQuery function $("textarea").val() (and also the function text(), which I used before) decodes the text.
Updated by Helmut Hummel about 1 year ago
Sven Burkert wrote:
> I've used htmlspecialchars again

Good :-P

> and I am wondering that the content copied to the clipboard is still decoded. It seems the jQuery function $("textarea").val() (and also the function text(), which I used before) decodes the text.

Well, seems like jQuery does the magic already. Everything is fine then, isn't it?
Updated by Helmut Hummel about 1 year ago
Helmut Hummel wrote:
> Well, seems like jQuery does the magic already.

I guess it's because you changed the content to be inside a textarea. Its value of course needs HTML decoding.
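The two points made in this thread, the `</textarea>` breakout and the decoding a browser performs when exposing a textarea's value (what jQuery's `.val()` returns), as an added example that is not TYPO3's snippet code: `renderCopyBox`, `tokenizeTextarea` and the hostile `SNIPPET` are constructed here for illustration, and the tokenizer is a deliberately small model of the RCDATA rule, not a full HTML parser.

```javascript
// Added example, not TYPO3 project code: a minimal model of how a browser
// tokenizes <textarea> content (RCDATA) and why htmlspecialchars() is needed.

// Equivalent of PHP htmlspecialchars() with ENT_QUOTES: "&" first, so that
// entities already present in the snippet are preserved literally.
function htmlspecialchars(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// What the browser exposes as textarea.value (and jQuery's .val() returns):
// the character references decoded again. "&amp;" is handled last.
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&#0*39;/g, "'").replace(/&amp;/g, "&");
}

// Inside <textarea> the tokenizer recognises no tags at all; the element only
// ends at "</textarea" followed by whitespace, "/" or ">" (case-insensitive).
// Returns the field value and whatever markup would be parsed as live HTML.
function tokenizeTextarea(html) {
  const open = html.match(/<textarea[^>]*>/i);
  if (!open) throw new Error("no <textarea> start tag");
  const rest = html.slice(open.index + open[0].length);
  const close = rest.match(/<\/textarea(?=[\s\/>])[^>]*>/i);
  const raw = close ? rest.slice(0, close.index) : rest;
  const trailingMarkup = close ? rest.slice(close.index + close[0].length) : "";
  return { value: decodeEntities(raw), trailingMarkup };
}

// The copy box as a snippet page might render it, with or without escaping.
function renderCopyBox(snippet, escape) {
  const body = escape ? htmlspecialchars(snippet) : snippet;
  return '<textarea class="snippet-copy">' + body + "</textarea>";
}

// Constructed hostile snippet: a TypoScript line, then a textarea breakout.
const SNIPPET = 'outerWrap = <p>|</p>\n</textarea><script>console.log("escaped")</script>';

// Without escaping the <script> tag lands outside the textarea; with
// htmlspecialchars() it stays inside and .val() still yields the original text.
function compare() {
  const unsafe = tokenizeTextarea(renderCopyBox(SNIPPET, false));
  const safe = tokenizeTextarea(renderCopyBox(SNIPPET, true));
  return {
    scriptLeaksUnescaped: /<script/i.test(unsafe.trailingMarkup),
    scriptLeaksEscaped: /<script/i.test(safe.trailingMarkup),
    escapedRoundTrips: safe.value === SNIPPET,
  };
}
```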
Updated by Sven Burkert about 1 year ago
- Status changed from Needs Feedback to Under Review
Yes, everything is fine and it can be deployed.
Updated by Joern Bock 5 months ago
- Status changed from Under Review to Rejected