Bug #22886
Status: Closed
Make menu titles in the FE htmlspecialchared by default
Added by Oliver Klee over 14 years ago. Updated 5 months ago.
Description
1. to prevent XSS (by editors who can create pages)
2. to make the FE valid
(issue imported from #M14732)
Updated by Helmut Hummel almost 14 years ago
Do you mean TypoScript like foo = TMENU ... or something in css_styled_content.
AFAIK everything that outputs editors content is hsc'd in css_styled_content
Updated by Oliver Klee about 13 years ago
- TYPO3 Version changed from 4.4 to 4.6
Steps to reproduce (on current master):
- Create a site that uses a normal TMENU.
- Create a page with the following title:
ROFL <script>alert(1);</script>
- View the page in the FE
Expected results:
no pop-ups, the script code is visible in the menu
Actual results:
2x the "1" popup
Updated by Steffen Gebert about 13 years ago
- Target version changed from 4.6.0 to 4.7.0
- TYPO3 Version changed from 4.6 to 4.7
Updated by Steffen Ritter over 12 years ago
- Target version changed from 4.7.0 to 4.7.1
Updated by Steffen Ritter over 12 years ago
- Target version changed from 4.7.1 to 6.0.0
- TYPO3 Version changed from 4.7 to 6.0
This is a change of behaviour which will lead to regressions in production sites, therefore I would like to only see that one in master
Updated by Helmut Hummel over 12 years ago
- Project changed from 1716 to TYPO3 Core
Moving this to the public issue tracker for discussion.
No need to handle that in secret
Updated by Mathias Schreiber almost 10 years ago
- Target version changed from 6.0.0 to 7.2 (Frontend)
- Is Regression set to No
Updated by Benni Mack over 9 years ago
- Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40260
Updated by Susanne Moog over 9 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Benni Mack about 9 years ago
- Assignee set to Benni Mack
- Target version changed from 7.5 to 8 LTS
Updated by Riccardo De Contardi almost 9 years ago
- Category set to Content Rendering
Updated by Benni Mack over 7 years ago
- Target version changed from 8 LTS to Candidate for Major Version
Updated by Susanne Moog about 7 years ago
- Category changed from Content Rendering to Frontend
Updated by Riccardo De Contardi over 6 years ago
just a note: this issue affects only menus built with HMENU/TMENU; if the menu is built via menuProcessor, it is not present.
Updated by Georg Ringer almost 6 years ago
- Assignee changed from Benni Mack to Georg Ringer
Updated by Gerrit Code Review almost 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59333
Updated by Susanne Moog over 5 years ago
- Status changed from Under Review to Accepted
Review not found.
Updated by Benni Mack 5 months ago
- Status changed from Accepted to Needs Feedback
- Assignee deleted (Georg Ringer)
Hey,
I don't know about this one: Right now, this happens only with TMENU in pure TypoScript - people nowadays use Fluid (with the data processor), so it's rather a low impact compared to 14 years ago, when the ticket was opened. Thus, justifying the breaking change (for v14 only) should also be checked with the security team.
My 2 cents: I personally use TypoScript HMENU for a Headless and adding HSC there by default isn't the right spot IMHO, otherwise people would need to disable it. For that, I'd rather keep it as is for the time being.
Updated by Torben Hansen 5 months ago
- Status changed from Needs Feedback to Closed
The TYPO3 security team discussed this topic and came to the conclusion that the behavior should not be changed, since it is highly breaking and integrators can use stdWrap.htmlSpecialChars = 1 to prevent XSS in TypoScript generated menus. Rather than changing the code in this area, the documentation about this behavior for TMENU should be updated and possibilities to mitigate XSS in TMENU should be described. This ticket will therefore be closed now.
I added a note on my todo list to update the TMENU documentation and to outline that user input in TMENU is not escaped by default. Additionally, I will update all doc examples for TMENU to include stdWrap.htmlSpecialChars = 1.
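As an added example (not from the ticket, the patch sets, or the TYPO3 core), here is the plain TMENU the reproduction steps describe next to the form using the stdWrap.htmlSpecialChars = 1 mitigation the security team points to; the object names lib.mainMenuUnsafe and lib.mainMenu are assumed, the rest is standard HMENU/TMENU syntax.

```typoscript
# Assumed object names; HMENU/TMENU/NO/ACT/CUR are core TypoScript.
# Unescaped form (the default behaviour the ticket reports): the page
# title is inserted into the link text as-is, so a title such as
#   ROFL <script>alert(1);</script>
# is rendered as markup and executes in the frontend.
lib.mainMenuUnsafe = HMENU
lib.mainMenuUnsafe {
  entryLevel = 0
  1 = TMENU
  1 {
    wrap = <ul>|</ul>
    NO.wrapItemAndSub = <li>|</li>
  }
}

# Mitigated form: escape the title in every item state that is rendered.
lib.mainMenu = HMENU
lib.mainMenu {
  entryLevel = 0
  1 = TMENU
  1 {
    wrap = <ul>|</ul>
    NO = 1
    NO {
      wrapItemAndSub = <li>|</li>
      # Converts < > & " in the title to entities before output, so the
      # script tag from the report is shown as text, not executed.
      stdWrap.htmlSpecialChars = 1
    }
    # Each state (ACT, CUR, ...) has its own stdWrap; copying NO keeps the
    # escaping instead of silently dropping it for active/current pages.
    ACT < .NO
    ACT.wrapItemAndSub = <li class="active">|</li>
    CUR < .ACT
  }
}
```

Every additional state you define (IFSUB, ACTIFSUB, USR, ...) needs the same stdWrap property, since the flag is set per state, not per menu.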