Bug #20846: Synchronize RemoveXSS.php in 4.2 and 4.3
Status: closed
Description
This file is used for security reasons. So it's important to have all fixes not only in 4.3 but in 4.2. For this reason both files should be identical.
(issue imported from #M11664)
Updated by Steffen Kamper about 15 years ago
The uploaded patch is the version used in trunk. So we have the same security for RemoveXSS in both versions (4.2 and trunk)
Ernesto, please add to your reviews for beta2
Updated by Ernesto Baschny about 15 years ago
Steffen, will do.
First note is that I would love to see some unit tests for the most common XSS cases that are being handled by this script, so that we can make sure it doesn't break if we change something. The function is pretty long and tedious to test or consider all potential exploits.
Updated by Steffen Kamper about 15 years ago
Ernesto, I will start with unit tests in trunk.
I did a page where I compared the "new" file (this) against the old (4.2 current) here:
http://www.sk-typo3.de/index.php?id=370
Updated by Steffen Kamper about 15 years ago
I also installed a testscript here:
http://www.sk-typo3.de/RemoveXSS.376.0.html
Updated by Steffen Kamper about 15 years ago
added some unit tests in #21314 - will commit it to trunk in some minutes
Updated by Ernesto Baschny about 15 years ago
Steffen, thanks a lot for the work. I haven't reviewed it but I assume it is already ok. Have you committed it? "Some minutes" have already passed. :)
Updated by Steffen Kamper about 15 years ago
It was committed to trunk yesterday (unit tests). This patch is for 4_2 and should go to 4.2.10 so we have the same file in both versions for better maintenance (I promised Lars to take care).
Updated by Ernesto Baschny about 15 years ago
Ok Steffen, thanks! I will review this and we will commit this right before release of 4.2.10 (meaning tomorrow morning).