Bug #18562 (closed): Adding <script> Tag in pagetitle field
Description
When I add a new page, I just tried to include HTML code in the field "pagetitle". The TYPO3 Backend accepts this and the Frontend renders this HTML code:
I think HTML is okay, but the <script> tag is maybe too insecure?
I added this code:
<html><script>alert("Test")</script></html>
(issue imported from #M8019)
Updated by Steffen Kamper over 16 years ago
This is an admin-only function; why should it be insecure?
Updated by Guido S. over 16 years ago
I think in the worst case an editor uses this function to read out some user cookies or something else.
But I think my issue could be deleted :-)
Updated by Steffen Kamper over 16 years ago
Editors are not allowed to edit TS, only admins.
I close this issue.
Updated by Steffen Kamper over 16 years ago
I tested it also and you are right, the JS is executed in the FE, so IMHO there is a missing htmlspecialchars for the FE.
Updated by Steffen Kamper over 16 years ago
Once again: the execution is not in the page but in the Admin Panel. Is this the place where you have it also?
So the page title in <title> is with htmlspecialchars, in the Admin Panel not.
Updated by Guido S. over 16 years ago
I found it in another way. I changed the pagetitle in Admin, and I think all is fine. I found no JS popups in Admin. Where have you found this?
We see the JS popup in the frontend when TYPO3 generates the menu (special = directory).
Edit:
<title> uses htmlspecialchars(), that's right.
Updated by Christian Kuhn over 15 years ago
Committed to 4.2 by Ingmar on 2008-04-20
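As an added illustration (not code from TYPO3 or from this thread), the pattern the last comments describe: a directory-style menu built from page records, once with the stored title concatenated into the markup unchanged and once with htmlspecialchars() applied to every database value at output time. The page records and function names are constructed for this example.

```php
<?php
// Constructed sample page records, as an editor could store them via the backend.
// The second title is the payload from this report, stored verbatim in the "title" column.
$pages = [
    ['uid' => 1, 'title' => 'Home'],
    ['uid' => 2, 'title' => '<html><script>alert("Test")</script></html>'],
    ['uid' => 3, 'title' => 'Tom & Jerry "Special"'],
];

// Vulnerable pattern: the stored title is written into the markup as-is,
// so the <script> tag reaches every visitor's browser (stored XSS).
function renderMenuUnescaped(array $pages): string
{
    $html = '<ul>';
    foreach ($pages as $page) {
        $html .= '<li><a href="index.php?id=' . (int)$page['uid'] . '">'
            . $page['title'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: every value that originates from the database is escaped for
// the HTML context it is printed into. ENT_QUOTES also covers attribute values,
// ENT_SUBSTITUTE keeps invalid byte sequences from silently emptying the output,
// and naming the charset avoids surprises with multibyte input.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderMenuEscaped(array $pages): string
{
    $html = '<ul>';
    foreach ($pages as $page) {
        $title = escapeHtml($page['title']);
        $html .= '<li><a href="index.php?id=' . (int)$page['uid'] . '" title="'
            . $title . '">' . $title . '</a></li>';
    }
    return $html . '</ul>';
}

// Check both outputs: only the unescaped menu still contains a live <script> tag.
$unescaped = renderMenuUnescaped($pages);
$escaped   = renderMenuEscaped($pages);
echo $unescaped, PHP_EOL, $escaped, PHP_EOL;
var_dump(strpos($unescaped, '<script>') !== false); // bool(true): the tag survives
var_dump(strpos($escaped, '<script>') !== false);   // bool(false): now &lt;script&gt;
```

The same rule applies to the Admin Panel output mentioned above: escaping once at storage time is not enough, because the stored value may be printed into several different contexts.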