Bug #22886
open
Make menu titles in the FE htmlspecialchared by default
0%
Description
1. to prevent XSS (by editors who can create pages)
2. to make the FE valid
(issue imported from #M14732)
Updated by Helmut Hummel over 13 years ago
Do you mean TypoScript like foo = TMENU ... or something in css_styled_content.
AFAIK everything that outputs editors content is hsc'd in css_styled_content
Updated by Oliver Klee over 12 years ago
- TYPO3 Version changed from 4.4 to 4.6
Steps to reproduce (on current master):
- Create a site that uses a normal TMENU.
- Create a page with the following title:
ROFL <script>alert(1);</script> - View the page in the FE
Expected results:
no pop-ups, the script code is visible in the menue
actual results:
2x the "1" popup
Updated by Steffen Gebert over 12 years ago
- Target version changed from 4.6.0 to 4.7.0
- TYPO3 Version changed from 4.6 to 4.7
Updated by Steffen Ritter about 12 years ago
- Target version changed from 4.7.0 to 4.7.1
Updated by Steffen Ritter almost 12 years ago
- Target version changed from 4.7.1 to 6.0.0
- TYPO3 Version changed from 4.7 to 6.0
This is a change of behaviour which will lead to regressions in production sites, therefore I would like to only see that one in master
Updated by Helmut Hummel over 11 years ago
- Project changed from 1716 to TYPO3 Core
Moving this to the public issue tracker for discussion.
No need to handle that in secret
Updated by Mathias Schreiber over 9 years ago
- Target version changed from 6.0.0 to 7.2 (Frontend)
- Is Regression set to No
Updated by Benni Mack almost 9 years ago
- Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Updated by Gerrit Code Review almost 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40260
Updated by Benni Mack almost 9 years ago
- Status changed from Under Review to New
Updated by Susanne Moog over 8 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Benni Mack over 8 years ago
- Assignee set to Benni Mack
- Target version changed from 7.5 to 8 LTS
Updated by Riccardo De Contardi over 8 years ago
- Category set to Content Rendering
Updated by Benni Mack about 7 years ago
- Target version changed from 8 LTS to Candidate for Major Version
Updated by Susanne Moog over 6 years ago
- Category changed from Content Rendering to Frontend
Updated by Riccardo De Contardi almost 6 years ago
just a note: this issue affects only menus built with HMENU/TMENU; if the menu is built via menuProcessor, it is not present.
Updated by Georg Ringer over 5 years ago
- Assignee changed from Benni Mack to Georg Ringer
Updated by Gerrit Code Review over 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59333
Updated by Susanne Moog about 5 years ago
- Status changed from Under Review to Accepted
Review not found.