Bug #7815
Code injection possible in Search field
| Status: | Resolved | Start date: | 2010-05-18 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assignee: | Ingo Renner | % Done: | 100% |
| Category: | Frontend Plugins | | |
| Target version: | 1.1 | | |
| TYPO3 Version: | | Has patch: | |
| PHP Version: | | Tags: | |
| Votes: | 0 | | |
Description
When using quotes in the search field it is possible to insert HTML into the page.
Example search:
`"></div><h1>Code injection</h1><hr class="ci`
FIX: quotes should be replaced by `&quot;`
Related issues
| related to Apache Solr for TYPO3 CMS - Bug #8036: UTF8 chars in search string are not displayed correct in ... | Resolved | 2010-06-02 |
Associated revisions
Fixed issue #7815: Code injection possible in Search field
History
Updated by Ingo Renner about 3 years ago
- Category set to Frontend Plugins
- Status changed from New to Resolved
- Assignee set to Ingo Renner
- Target version set to 1.1
- % Done changed from 0 to 100
Resolved by adding htmlentities() with the ENT_QUOTES option; t3lib_div::removeXSS() was already in place, though, so no harmful HTML could be inserted.
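As an added example (not code from the Solr extension; the function names are assumed), the pattern behind the report and the fix: the search term is echoed back into a `value="..."` attribute, a tag-stripping filter alone does not stop the quote from closing the attribute, and encoding with ENT_QUOTES does.

```php
<?php
// Added example, not code from the Apache Solr for TYPO3 extension.
// Function names are assumed; the input is constructed from the report.

// Constructed input, modelled on the search string in the bug report.
$query = '"></div><h1>Code injection</h1><hr class="ci';

// Vulnerable: the term is dropped into value="..." unencoded, so the leading
// quote closes the attribute and everything after it becomes markup.
function renderSearchBoxVulnerable(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '" />';
}

// Tag stripping alone (a stand-in for a removeXSS-style filter, not the real
// t3lib_div::removeXSS()) removes the elements but keeps the quote, so the
// attribute is still closed early and the remainder lands in the page body.
function renderSearchBoxStripped(string $q): string
{
    return '<input type="text" name="q" value="' . strip_tags($q) . '" />';
}

// Fixed: encode for the attribute context. ENT_QUOTES converts both " and '
// to entities (" -> &quot;, ' -> &#039;). htmlentities(), which the fix used,
// treats quotes the same way but also converts non-ASCII characters to named
// entities, so its charset argument must match the page encoding.
function renderSearchBoxFixed(string $q): string
{
    $safe = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '" />';
}

// Before PHP 8.1 the default flags of htmlspecialchars() were ENT_COMPAT,
// which leaves single quotes untouched; a value='...' attribute would still
// be breakable unless ENT_QUOTES is passed explicitly, as above.

// Sanity check usable in a unit test: correctly escaped output renders the
// search box as one element, so it contains exactly one '<'.
function tagCount(string $html): int
{
    return substr_count($html, '<');
}

foreach (['vulnerable' => renderSearchBoxVulnerable($query),
          'stripped'   => renderSearchBoxStripped($query),
          'fixed'      => renderSearchBoxFixed($query)] as $label => $html) {
    printf("%-10s tags=%d  %s\n", $label, tagCount($html), $html);
}
```

Only the fixed variant yields a tag count of 1; in the other two the quote from the search term terminates the attribute before the encoder ever sees it.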