Bug #33272
closed
Persistent XSS in HTML content element through t3editor
0%
Description
The t3editor of the HTML content element is susceptible to XSS, as output is not escaped. This can lead to privilege escalation in the Backend.
By disabling the t3editor, you can enter code like this
</textarea><script>alert(1)</script>
Opening with
t3editor enabled will then execute the JS.
Original report:
</textarea> triggers end of html content element in backend Surely the html CE should be self-contained? Is there any way of turning this 'feature' off?
Also reported by Michael B. in #33252
Updated by Markus Klein over 12 years ago
Hi Sara,
I'm sorry, but I've absolutely no clue what this issue is about.
Please consider describing your problem more precisely.
Thank you.
Updated by Steffen Gebert over 12 years ago
- Project changed from TYPO3 Core to 1716
Updated by Steffen Gebert over 12 years ago
- Subject changed from </textarea> triggers end of html content element in backend to XSS in HTML content element through t3editor
- Category set to OW-A07: Cross Site Scripting
It might be a problem on my side, but disabling the t3editor did not work for me. Is this feature defect?
If it's defect, either manually insert it into database or insert it in a 4.5 installation and then upgrade to 4.6+ ;-)
Updated by Steffen Gebert about 12 years ago
- Status changed from New to Closed
Resolved as duplicate
Updated by Steffen Gebert about 12 years ago
- Status changed from Closed to Accepted
Damn it.. didn't want to close both of the reports :-/
Updated by Gerrit Code Review about 12 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/8761
Updated by Gerrit Code Review about 12 years ago
Patch set 1 for branch TYPO3_4-6 has been pushed to the review server.
It is available at http://review.typo3.org/8762
Updated by Steffen Gebert about 12 years ago
- Subject changed from XSS in HTML content element through t3editor to Persistent XSS in HTML content element through t3editor
Updated by Helmut Hummel about 12 years ago
Hi,
I think that the HTML content element should NEVER be available for editors, because by definition being able to edit plain HTML leads to persitent XSS.
That said, I'm fine with fixing that publicly.
Updated by Helmut Hummel over 11 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (
OW-A07: Cross Site Scripting)
Updated by Steffen Gebert over 11 years ago
I guess you discussed that, would you share your opinion, why this is no security issue? Because HTML CE is treated bad generally?
As soon as an editor has access to the HTML CE, the persistent XSS is IMHO nothing desirable.
Updated by Steffen Gebert over 11 years ago
This is not a critical issue, as editors, which can use the HTML CE still have the possibility to put JS into Frontend code. Giving this possibility also for the Backend is no additional security issue.
So this is just a bug fix.
Updated by Georg Ringer about 11 years ago
- Status changed from Under Review to Resolved
Applied in changeset ceab1f8890185553da5d33cff8c1992c495afc87.
Updated by