Project

General

Profile

Actions
Copy link

Bug #22886

closed

Make menu titles in the FE htmlspecialchared by default

Added by Oliver Klee about 14 years ago. Updated 23 days ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Frontend
Target version:
Candidate for Major Version
Start date:
2010-06-15
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
6.0
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

1. to prevent XSS (by editors who can create pages)
2. to make the FE valid

(issue imported from #M14732)

Actions
Copy link
 #1

Updated by Helmut Hummel over 13 years ago

Do you mean TypoScript like foo = TMENU ... or something in css_styled_content.

AFAIK everything that outputs editors content is hsc'd in css_styled_content

Actions
Copy link
 #2

Updated by Oliver Klee almost 13 years ago

  • TYPO3 Version changed from 4.4 to 4.6

Steps to reproduce (on current master):

  1. Create a site that uses a normal TMENU.
  2. Create a page with the following title:
    ROFL <script>alert(1);</script>
  3. View the page in the FE

Expected results:
no pop-ups, the script code is visible in the menue

actual results:
2x the "1" popup

Actions
Copy link
 #3

Updated by Steffen Gebert over 12 years ago

  • Target version changed from 4.6.0 to 4.7.0
  • TYPO3 Version changed from 4.6 to 4.7
Actions
Copy link
 #4

Updated by Steffen Ritter about 12 years ago

  • Target version changed from 4.7.0 to 4.7.1
Actions
Copy link
 #5

Updated by Steffen Ritter about 12 years ago

  • Target version changed from 4.7.1 to 6.0.0
  • TYPO3 Version changed from 4.7 to 6.0

This is a change of behaviour which will lead to regressions in production sites, therefore I would like to only see that one in master

Actions
Copy link
 #6

Updated by Helmut Hummel almost 12 years ago

  • Project changed from 1716 to TYPO3 Core

Moving this to the public issue tracker for discussion.

No need to handle that in secret

Actions
Copy link
 #7

Updated by Mathias Schreiber over 9 years ago

  • Target version changed from 6.0.0 to 7.2 (Frontend)
  • Is Regression set to No
Actions
Copy link
 #8

Updated by Benni Mack about 9 years ago

  • Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Actions
Copy link
 #9

Updated by Gerrit Code Review about 9 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40260

Actions
Copy link
 #10

Updated by Benni Mack about 9 years ago

  • Status changed from Under Review to New
Actions
Copy link
 #11

Updated by Susanne Moog almost 9 years ago

  • Target version changed from 7.4 (Backend) to 7.5
Actions
Copy link
 #12

Updated by Benni Mack almost 9 years ago

  • Assignee set to Benni Mack
  • Target version changed from 7.5 to 8 LTS
Actions
Copy link
 #13

Updated by Riccardo De Contardi over 8 years ago

  • Category set to Content Rendering
Actions
Copy link
 #14

Updated by Benni Mack over 7 years ago

  • Target version changed from 8 LTS to Candidate for Major Version
Actions
Copy link
 #15

Updated by Susanne Moog over 6 years ago

  • Category changed from Content Rendering to Frontend
Actions
Copy link
 #16

Updated by Riccardo De Contardi about 6 years ago

just a note: this issue affects only menus built with HMENU/TMENU; if the menu is built via menuProcessor, it is not present.

Actions
Copy link
 #18

Updated by Georg Ringer over 5 years ago

  • Assignee changed from Benni Mack to Georg Ringer
Actions
Copy link
 #19

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59333

Actions
Copy link
 #20

Updated by Susanne Moog over 5 years ago

  • Status changed from Under Review to Accepted

Review not found.

Actions
Copy link
 #21

Updated by Benni Mack 26 days ago

  • Status changed from Accepted to Needs Feedback
  • Assignee deleted (Georg Ringer)

Hey,

I don't know about this one: Right now, this happens only with TMENU in pure TypoScript - people nowadays use Fluid (with the data processor), so it's rather a low impact compared to 14 years ago, when the ticket was opened. Thus, justifying the breaking change (for v14 only) should also be checked with the security team.

My 2 cents: I personally use TypoScript HMENU for a Headless and adding HSC there by default isn't the right spot IMHO, otherwise people would need to disable it. For that, I'd rather keep it as is for the time being.

Actions
Copy link
 #22

Updated by Torben Hansen 23 days ago

  • Status changed from Needs Feedback to Closed

The TYPO3 security team discussed this topic and came to the conclusion, that the behavior should not be changed, since it is highly breaking and integrators can use stdWrap.htmlSpecialChars = 1 to prevent XSS in TypoScript generated menus. Rather than changing the code in this area, the documentation about this behavior for TMENU should be updated and possibilities to mitigate XSS in TMENU should be described. This ticket will therefore be closed now.

I added a note on my todo list to update the TMENU documentation and to outline, that user input in TMENU is not escaped by default. Additionally, I will update all doc examples for TMENU to include stdWrap.htmlSpecialChars = 1.

Actions
Copy link

Also available in: Atom PDF