Bug #20835
RemoveXSS corrupts HTML
Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2009-08-05
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.2
PHP Version: 5.2
Tags:
Complexity:
Is Regression: No
Sprint Focus:
Description
Try RemoveXSS on this code:
<![CDATA[ <div style="x:y">test</div> ]>
The result is:
<![CDATA[ <div <x>yle="x:y">test</div> ]>
which looks on the screen like:
yle="x:y">test
Suggestions:
- process tags and attributes separately
- change <x> to x
- do not replace first two chars but prepend "x" to the attribute
- do not replace style attribute
(issue imported from #M11649)
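
An added example, not part of the original report and not TYPO3's RemoveXSS code: a simplified PHP model of the corruption shown above (the first two characters of a blocked keyword replaced by "<x>") beside a sketch that combines two of the suggestions, handling attributes separately from tags and prepending "x" to the attribute name. The function names and the single-entry keyword list are assumptions made for illustration.

```php
<?php
// Simplified model of the behaviour shown in the report (assumed, not TYPO3 code):
// every occurrence of a blocked keyword, anywhere in the input, has its first
// two characters replaced by "<x>". Inside a tag this injects a stray "<x>"
// element into the attribute list and the markup falls apart.
function naiveNeutralize(string $html, array $keywords): string
{
    foreach ($keywords as $kw) {
        $html = preg_replace_callback(
            '/' . preg_quote($kw, '/') . '/i',
            fn(array $m): string => '<x>' . substr($m[0], 2),
            $html
        );
    }
    return $html;
}

// Sketch of two suggestions from the report (hypothetical helper):
//  - process tags and attributes separately
//  - prepend "x" to a blocked attribute name instead of cutting into it
// Limitation: start tags are matched with a regex, so a ">" inside a quoted
// attribute value ends the match early; a real filter needs an HTML parser.
function prefixBlockedAttributes(string $html, array $blockedAttrs): string
{
    $names = implode('|', array_map(fn($a) => preg_quote($a, '/'), $blockedAttrs));

    // Visit one start tag at a time, so text nodes are never rewritten.
    return preg_replace_callback(
        '/<[a-z][a-z0-9]*\b[^>]*>/i',
        function (array $tag) use ($names): string {
            // Rename only attribute names: whitespace before, "=" after.
            return preg_replace(
                '/(\s)(' . $names . ')(\s*=)/i',
                '${1}x${2}${3}',
                $tag[0]
            );
        },
        $html
    );
}

$sample = '<div style="x:y">test</div>';      // markup from the report
$text   = '<p>my style = plain</p>';          // constructed: keyword in a text node

echo naiveNeutralize($sample, ['style']), PHP_EOL;          // corrupted markup
echo prefixBlockedAttributes($sample, ['style']), PHP_EOL;  // attribute renamed, tag intact
echo prefixBlockedAttributes($text, ['style']), PHP_EOL;    // text node left alone
```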