Bug #35853

Snippets Copy Button + htmlspecialchars

Added by Sven Juergens about 2 years ago. Updated over 1 year ago.

Status: Rejected          Start date: 2012-04-11
Priority: Should have     Due date:
Assignee: Helmut Hummel   % Done: 50%
Category: [FOR] Snippets
Target version: -
Votes: 0

Description

Hello,

If you try to use the copy button in this snippet

http://typo3.org/documentation/snippets/sd/75/

you get something like this

subheader_stdWrap {
 ...

 ...
  append.wrap = <span class="news-list-morelink">|</span>
...

  outerWrap = <p>|</p>
}

instead of

subheader_stdWrap {
 ...

 ...
  append.wrap = <span class="news-list-morelink">|</span>
...

  outerWrap =<p>|</p>
}

History

Updated by Sven Burkert about 2 years ago

  • Status changed from New to Accepted
  • Assignee set to Sven Burkert

Updated by Sven Burkert about 2 years ago

  • % Done changed from 0 to 100

Fixed in SVN, needs to be deployed.

Updated by Helmut Hummel about 2 years ago

  • Status changed from Accepted to Needs Feedback

Sven Burkert wrote:

Fixed in SVN, needs to be deployed.

If a snippet contains "</textarea>", it will break out of the context and all HTML (and of course JS) after that will be evaluated by the browser.

Thus your fix introduces an XSS possibility! Please do not deploy.

Updated by Helmut Hummel about 2 years ago

  • % Done changed from 100 to 50

Updated by Helmut Hummel about 2 years ago

There's no way around using htmlspecialchars() there:

http://stackoverflow.com/questions/1122902/using-a-textarea-to-protect-against-scripts

I'm currently not quite sure if doing htmlentities_decode in JS has any security implications:

http://www.strictly-software.com/htmlencode

But looking at the JS code, it looks fine at first sight for decoding.

Updated by Sven Burkert about 2 years ago

  • Assignee changed from Sven Burkert to Helmut Hummel

Thank you for your help, Helmut.

I've used htmlspecialchars again and I am wondering why the content copied to the clipboard is still decoded. It seems the jQuery function $("textarea").val() (and also the function text(), which I used before) decodes the text.

Updated by Helmut Hummel about 2 years ago

Sven Burkert wrote:

I've used htmlspecialchars again

Good :-P

and I am wondering why the content copied to the clipboard is still decoded. It seems the jQuery function $("textarea").val() (and also the function text(), which I used before) decodes the text.

Well, seems like jQuery does the magic already. Everything is fine then, isn't it?

Updated by Helmut Hummel about 2 years ago

Helmut Hummel wrote:

Well, seems like jQuery does the magic already.

I guess it's because you changed the content to be inside a textarea. The value of it of course needs HTML decoding.
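The two points raised in this thread, the "</textarea>" breakout Helmut describes and the automatic decoding of the textarea value that Sven observed through .val(), can be illustrated together. The following is an added example in JavaScript, not code from the ticket or from the typo3.org snippets site: the htmlspecialchars port, the textareaValue model of how the browser parses textarea content, and the sample snippets are all constructed for this example.

```javascript
// Added example (not part of the Forge ticket or the TYPO3 snippets code).
// 1. Snippet text placed inside <textarea> must be escaped the way PHP's
//    htmlspecialchars() does; otherwise a snippet containing "</textarea>"
//    closes the element and everything after it is parsed as live markup.
// 2. The browser decodes character references inside a textarea while parsing,
//    so reading the element's value (what jQuery .val() returns) yields the
//    original snippet text again; the copy button needs no extra decoding step.

// Port of PHP htmlspecialchars($s, ENT_QUOTES): escape the five characters
// that carry meaning in HTML text and attribute contexts.
function htmlspecialchars(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Minimal model of how the HTML parser treats textarea content (RCDATA):
// tags are not recognised, character references are decoded, and the content
// ends at the first "</textarea>" end tag (case-insensitive).
function textareaValue(textareaBody) {
  const end = textareaBody.search(/<\/textarea\s*>/i);
  const body = end === -1 ? textareaBody : textareaBody.slice(0, end);
  return body
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#0*39;/g, "'")
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" becomes "&lt;" and not "<"
}

// Renders a snippet into a textarea; `escape` selects the unsafe (false)
// or the fixed (true) behaviour discussed in the ticket.
function renderSnippetTextarea(snippet, escape) {
  const body = escape ? htmlspecialchars(snippet) : snippet;
  return `<textarea class="snippet" readonly>${body}</textarea>`;
}

// A template emits exactly one textarea end tag; any additional one means the
// snippet content broke out of the element. Useful as a regression check.
function breaksOutOfTextarea(html) {
  const matches = html.match(/<\/textarea\s*>/gi) || [];
  return matches.length > 1;
}

// Constructed sample snippets (not taken from the original ticket).
const BENIGN_SNIPPET = "subheader_stdWrap {\n  outerWrap = <p>|</p>\n}";
const HOSTILE_SNIPPET = "x</textarea><b>not part of the snippet</b>";

// Compares the unsafe and the fixed rendering and checks that escaping followed
// by the browser's decoding round-trips to the original snippet text.
function demo() {
  const unsafe = renderSnippetTextarea(HOSTILE_SNIPPET, false);
  const fixed = renderSnippetTextarea(HOSTILE_SNIPPET, true);
  return {
    unsafeBreaksOut: breaksOutOfTextarea(unsafe),
    fixedBreaksOut: breaksOutOfTextarea(fixed),
    roundTripsBenign: textareaValue(htmlspecialchars(BENIGN_SNIPPET)) === BENIGN_SNIPPET,
    roundTripsHostile: textareaValue(htmlspecialchars(HOSTILE_SNIPPET)) === HOSTILE_SNIPPET,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The round-trip checks are the reason no decoding is needed on the client: once the server escapes with htmlspecialchars, the parser's own RCDATA handling restores the text, which is what .val() then returns. A snippet that already contains entity text such as "&lt;" also survives, because the ampersand is escaped first and decoded last.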

Updated by Sven Burkert almost 2 years ago

  • Status changed from Needs Feedback to Under Review

Yes, everything is fine and it can be deployed.

Updated by Joern Bock over 1 year ago

  • Status changed from Under Review to Rejected
