Project

General

Profile

Actions

Bug #22886

closed

Make menu titles in the FE htmlspecialchared by default

Added by Oliver Klee over 14 years ago. Updated 5 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Frontend
Start date:
2010-06-15
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
6.0
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

1. to prevent XSS (by editors who can create pages)
2. to make the FE valid

(issue imported from #M14732)

Actions #1

Updated by Helmut Hummel almost 14 years ago

Do you mean TypoScript like foo = TMENU ... or something in css_styled_content.

AFAIK everything that outputs editors content is hsc'd in css_styled_content

Actions #2

Updated by Oliver Klee about 13 years ago

  • TYPO3 Version changed from 4.4 to 4.6

Steps to reproduce (on current master):

  1. Create a site that uses a normal TMENU.
  2. Create a page with the following title:
    ROFL <script>alert(1);</script>
  3. View the page in the FE

Expected results:
no pop-ups, the script code is visible in the menue

actual results:
2x the "1" popup

Actions #3

Updated by Steffen Gebert about 13 years ago

  • Target version changed from 4.6.0 to 4.7.0
  • TYPO3 Version changed from 4.6 to 4.7
Actions #4

Updated by Steffen Ritter over 12 years ago

  • Target version changed from 4.7.0 to 4.7.1
Actions #5

Updated by Steffen Ritter over 12 years ago

  • Target version changed from 4.7.1 to 6.0.0
  • TYPO3 Version changed from 4.7 to 6.0

This is a change of behaviour which will lead to regressions in production sites, therefore I would like to only see that one in master

Actions #6

Updated by Helmut Hummel over 12 years ago

  • Project changed from 1716 to TYPO3 Core

Moving this to the public issue tracker for discussion.

No need to handle that in secret

Actions #7

Updated by Mathias Schreiber almost 10 years ago

  • Target version changed from 6.0.0 to 7.2 (Frontend)
  • Is Regression set to No
Actions #8

Updated by Benni Mack over 9 years ago

  • Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Actions #9

Updated by Gerrit Code Review over 9 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40260

Actions #10

Updated by Benni Mack over 9 years ago

  • Status changed from Under Review to New
Actions #11

Updated by Susanne Moog over 9 years ago

  • Target version changed from 7.4 (Backend) to 7.5
Actions #12

Updated by Benni Mack about 9 years ago

  • Assignee set to Benni Mack
  • Target version changed from 7.5 to 8 LTS
Actions #13

Updated by Riccardo De Contardi almost 9 years ago

  • Category set to Content Rendering
Actions #14

Updated by Benni Mack over 7 years ago

  • Target version changed from 8 LTS to Candidate for Major Version
Actions #15

Updated by Susanne Moog about 7 years ago

  • Category changed from Content Rendering to Frontend
Actions #16

Updated by Riccardo De Contardi over 6 years ago

just a note: this issue affects only menus built with HMENU/TMENU; if the menu is built via menuProcessor, it is not present.

Actions #18

Updated by Georg Ringer almost 6 years ago

  • Assignee changed from Benni Mack to Georg Ringer
Actions #19

Updated by Gerrit Code Review almost 6 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59333

Actions #20

Updated by Susanne Moog over 5 years ago

  • Status changed from Under Review to Accepted

Review not found.

Actions #21

Updated by Benni Mack 5 months ago

  • Status changed from Accepted to Needs Feedback
  • Assignee deleted (Georg Ringer)

Hey,

I don't know about this one: Right now, this happens only with TMENU in pure TypoScript - people nowadays use Fluid (with the data processor), so it's rather a low impact compared to 14 years ago, when the ticket was opened. Thus, justifying the breaking change (for v14 only) should also be checked with the security team.

My 2 cents: I personally use TypoScript HMENU for a Headless and adding HSC there by default isn't the right spot IMHO, otherwise people would need to disable it. For that, I'd rather keep it as is for the time being.

Actions #22

Updated by Torben Hansen 5 months ago

  • Status changed from Needs Feedback to Closed

The TYPO3 security team discussed this topic and came to the conclusion, that the behavior should not be changed, since it is highly breaking and integrators can use stdWrap.htmlSpecialChars = 1 to prevent XSS in TypoScript generated menus. Rather than changing the code in this area, the documentation about this behavior for TMENU should be updated and possibilities to mitigate XSS in TMENU should be described. This ticket will therefore be closed now.

I added a note on my todo list to update the TMENU documentation and to outline, that user input in TMENU is not escaped by default. Additionally, I will update all doc examples for TMENU to include stdWrap.htmlSpecialChars = 1.

Actions

Also available in: Atom PDF