Bug #18562
closed
Adding <script> Tag in pagetitle field
Added by Guido S. over 16 years ago.
Updated over 14 years ago.
Description
If I add a new page, I just tried to include HTML code in the field "pagetitle". The TYPO3 backend accepts this and the frontend renders this HTML code:
I think HTML is okay, but the <script> tag is maybe too insecure?
I added this code:
<html><script>alert("Test")</script></html>
(issue imported from #M8019)
This is an admin-only function, why should it be insecure?
I think in the worst case an editor uses this function to read out some user cookies or something else.
But I think my issue could be deleted :-)
Editors are not allowed to edit TS, only admins.
I close this issue.
I tested it also and you are right, the JS is executed in the FE, so IMHO there is a missing htmlspecialchars for the FE.
Okay.
As advised: Minor :)
Once again - the execution is not in the page but in the Admin Panel. Is this the place where you have it also?
So the page title in <title> is with htmlspecialchars, in the Admin Panel not.
I found it in another way. I changed the pagetitle in Admin, and I think all is fine. I found no JS popups in Admin. Where have you found this?
We see the JS popup in the frontend if TYPO3 generates the menu (special = directory).
Edit:
<title> uses htmlspecialchars(), that's right.
Committed to 4.2 by Ingmar on 2008-04-20
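As an added illustration of the fix the thread converges on (example code, not TYPO3's own), a menu renderer that writes the stored page title unescaped beside one that runs it through htmlspecialchars() on output; the page records and function names are constructed for this example.

```php
<?php
// Added example, not TYPO3's code: the same page title must be escaped at
// every output point (menu, Admin Panel), not only inside <title>.
// $pages is constructed sample data; page 2 carries the payload from the report.
$pages = [
    ['uid' => 1, 'title' => 'Home'],
    ['uid' => 2, 'title' => '<script>alert("Test")</script>'],
    ['uid' => 3, 'title' => 'Tom & Jerry "Specials"'],
];

// Escape for an HTML text node or attribute; ENT_QUOTES also covers single quotes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable renderer: the stored title goes into the markup unchanged,
// which is the behaviour reported for the special = directory menu.
function renderMenuUnsafe(array $pages): string
{
    $items = '';
    foreach ($pages as $page) {
        $items .= sprintf('<li><a href="index.php?id=%d">%s</a></li>', $page['uid'], $page['title']);
    }
    return "<ul>{$items}</ul>";
}

// Hardened renderer: escape on output, as <title> already does.
function renderMenuSafe(array $pages): string
{
    $items = '';
    foreach ($pages as $page) {
        $items .= sprintf('<li><a href="index.php?id=%d">%s</a></li>', $page['uid'], escapeHtml($page['title']));
    }
    return "<ul>{$items}</ul>";
}

// Regression check: the hardened output must not contain a start tag from the title.
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

var_dump(containsScriptTag(renderMenuUnsafe($pages)));
var_dump(containsScriptTag(renderMenuSafe($pages)));
echo renderMenuSafe($pages), PHP_EOL;
```

The escaped output keeps the title readable (`&lt;script&gt;...`) while the browser no longer parses it as markup, which is the property the thread asks for in the menu and Admin Panel output paths.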