Bug #24426


RemoveXSS Problem in Content Rendering?

Added by René over 13 years ago. Updated almost 10 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2010-12-27
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.4
PHP Version: 5.2
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Hi,

after upgrading to version 4.4.5 I get some contents rendered with the <x> tag inline in some different tags.

Example:
t3lib_div::RemoveXSS('<div style="float: right; position: absolute; left: 300px;">Test</div>')

gives me:
<div st<x>yle="float: right; position: absolute; left: 300px;">test</div>

At the moment I get this in a mail form with <div style=""> and <a onclick=""> elements,

while the links will be:
<a class="classname" on=""><x>click='window.open("/targetpath", "Title", "width=600,height=400,status=yes,scrollbars=yes,resizable=yes"); return false;' target="_blank" href="/targetpath">Linktitle</x></a>

(issue imported from #M16856)


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #20835: RemoveXSS corrupts HTML (Closed, 2009-08-05)

Actions #1

Updated by Jigal van Hemert over 13 years ago

BE users can enter a lot of potentially dangerous stuff in the label field of the form wizard. The label is parsed by the removeXSS class to check for potentially harmful tags, attributes, etc.
The onclick and style attributes in your example can easily be used for XSS, so these are rendered harmless by inserting something in the attribute names (default is '<x>').

Do you have a proposal for a better solution?
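
What Jigal describes, and what produces the st<x>yle and on<x>click seen in the report above, can be reproduced with a short re-implementation. The following is an added example and not TYPO3's own code: remove_xss follows the published RemoveXSS approach (strip control characters, fold numeric character references for letters back to plain letters, then splice the marker in after the first two characters of every keyword match, tolerating whitespace entities spliced between the letters), and strip_unsafe_attributes is an alternative of my own that drops such attributes instead of mangling their names. The keyword list is a constructed subset of the real one, the two inputs named PAGE_DIV and PAGE_LINK are copied from the report, the other inputs are constructed, and TYPO3's copy of RemoveXSS may differ in its keyword list and details.

```python
import html
import re

# Added example, not TYPO3's code: a compact re-implementation of the
# published RemoveXSS approach plus an allowlist-style alternative.

# Constructed subset of the keyword list the published RemoveXSS code uses
# (the real list covers every on* event handler and many more tag names).
# "style" is listed as a tag name, but the same keyword also hits the
# style="" attribute, which is what the reporter's first example shows.
DANGEROUS = [
    "javascript", "vbscript", "expression",
    "script", "iframe", "object", "embed", "style",
    "onclick", "onload", "onmouseover", "onerror",
]

# Whitespace (tab, LF, CR) written as numeric character references may be
# spliced between the letters of a keyword; the match has to tolerate that.
_SPLICE = r"(?:&#[xX]0{0,8}[9abAB];|&#0{0,8}(?:9|10|13);)*"

# Two inputs copied from the bug report above.
PAGE_DIV = '<div style="float: right; position: absolute; left: 300px;">Test</div>'
PAGE_LINK = ('<a class="classname" onclick=\'window.open("/targetpath", "Title", '
             '"width=600,height=400,status=yes,scrollbars=yes,resizable=yes"); '
             'return false;\' target="_blank" href="/targetpath">Linktitle</a>')


def _decode_letter_refs(val):
    """Fold numeric character references for ASCII letters back to the letter,
    so that j&#97;vascript or j&#x61;vascript cannot slip past the keyword
    match. (The original also decodes digits and punctuation; letters are
    enough to show the idea.)"""
    def to_letter(ch, whole):
        return ch if ch.isascii() and ch.isalpha() else whole

    val = re.sub(r"&#[xX]0{0,8}([0-9a-fA-F]{1,2});?",
                 lambda m: to_letter(chr(int(m.group(1), 16)), m.group(0)), val)
    val = re.sub(r"&#0{0,8}([0-9]{1,3});?",
                 lambda m: to_letter(chr(int(m.group(1))), m.group(0)), val)
    return val


def remove_xss(val, marker="<x>"):
    """Neutralise every dangerous keyword the way RemoveXSS does: splice
    `marker` in after its first two characters, so "style" becomes "st<x>yle"
    and "onclick" becomes "on<x>click". Nothing is removed, and the match is
    made anywhere in the string, not only inside tags."""
    # Drop non-printable control characters except TAB, LF and CR.
    val = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", val)
    val = _decode_letter_refs(val)
    rules = [
        (re.compile(_SPLICE.join(re.escape(c) for c in kw), re.IGNORECASE),
         kw[:2] + marker + kw[2:])
        for kw in DANGEROUS
    ]
    # Repeat until a full pass changes nothing, mirroring the original's loop.
    while True:
        before = val
        for pattern, replacement in rules:
            val = pattern.sub(lambda m, r=replacement: r, val)
        if val == before:
            return val


# One attribute: name, then optionally = and a quoted or bare value.
_ATTR = re.compile(r"""\s+([^\s=/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")


def strip_unsafe_attributes(markup):
    """Illustrative alternative: remove event-handler, style and script-scheme
    attributes from each tag instead of corrupting their names, so the
    remaining markup still renders as written."""
    def keep_or_drop(a):
        name = a.group(1).lower()
        value = html.unescape(a.group(2) or "").strip("\"'")
        if name.startswith("on") or name == "style":
            return ""
        if name in ("href", "src", "action"):
            # Collapse whitespace/control characters before checking the scheme,
            # so java\tscript: is treated like javascript:.
            scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
            if scheme.startswith(("javascript:", "vbscript:")):
                return ""
        return a.group(0)

    return re.sub(r"<[a-zA-Z][^>]*>",
                  lambda tag: _ATTR.sub(keep_or_drop, tag.group(0)), markup)


if __name__ == "__main__":
    for sample in (PAGE_DIV, PAGE_LINK, "<p>The house style was updated.</p>"):
        print("RemoveXSS :", remove_xss(sample))
        print("allowlist :", strip_unsafe_attributes(sample))
```

Running the file prints both forms side by side. The difference that matters for this ticket is that the allowlist variant yields <div>Test</div> and an <a> without its onclick, which still render as intended, while remove_xss leaves a literal <x> inside the attribute name for the browser to interpret and also hits the word "style" in ordinary body text. Neither regex approach handles every HTML quirk (comments, a literal > inside a quoted value, CSS expression() in style data that is kept); for untrusted markup a proper HTML sanitiser with an allowlist of tags and attributes is the robust choice.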

Actions #2

Updated by René over 13 years ago

I'm not deep enough in the matter to offer a reasonable solution.

In the case of inline styles, wouldn't it be sufficient to cut the specified paths down to relative ones? As with background-image: url() or @import?

Were forms and form labels not parsed by the removeXSS class before in T3v4.4?

Actions #3

Updated by Alexander Opitz over 10 years ago

  • Status changed from New to Needs Feedback
  • Target version deleted (0)
  • Is Regression set to No

Hi,

As this issue is very old: does the problem still exist within newer versions of TYPO3 CMS (6.1.7)?

Actions #4

Updated by Alexander Opitz almost 10 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this ticket.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.

