Bug #33272
closed
Persistent XSS in HTML content element through t3editor
Added by Sara no-lastname-given almost 13 years ago.
Updated about 6 years ago.
Description
The t3editor of the HTML content element is susceptible to XSS, as output is not escaped. This can lead to privilege escalation in the Backend.
By disabling the t3editor, you can enter code like this
</textarea><script>alert(1)</script>
Opening with t3editor enabled will then execute the JS.
Original report:
</textarea> triggers end of html content element in backend
Surely the html CE should be self-contained? Is there any way of turning this 'feature' off?
Also reported by Michael B. in #33252
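The escaping gap described in the report, shown as an added example that is not part of the original issue and is not TYPO3 or t3editor code: a form field rendered with and without output escaping, then split the way an HTML parser treats textarea content. All function names and the `bodytext` field name are hypothetical.

```javascript
// Added illustration; renderField/parseField are hypothetical helpers.

// Escape the characters that are significant inside element content.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// One-level decode of the five entities above, as the browser does when it
// reads character references inside a textarea.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, n) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[n]));
}

// Render the stored field value into the edit form, escaped or raw.
function renderField(stored, { escape }) {
  const body = escape ? escapeHtml(stored) : stored;
  return `<textarea name="bodytext">${body}</textarea>`;
}

// Textarea content ends at the first "</textarea", whatever follows it.
// Returns the value the editor would show and any markup left outside it.
function parseField(html) {
  const open = html.indexOf('>') + 1;
  const m = /<\/textarea[\s/>]/i.exec(html.slice(open));
  const end = open + m.index;
  const close = html.indexOf('>', end) + 1;
  return {
    value: decodeEntities(html.slice(open, end)),
    leaked: html.slice(close),
  };
}

// Constructed sample: the string quoted in the issue description.
const stored = '</textarea><script>alert(1)</script>';
const unsafe = parseField(renderField(stored, { escape: false }));
const safe = parseField(renderField(stored, { escape: true }));

console.log('raw    :', unsafe); // field is empty, markup lands in the page
console.log('escaped:', safe);   // field holds the stored text, nothing leaks
```

With escaping, the stored text round-trips into the field unchanged, so the editor still shows exactly what was saved.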
Hi Sara,
I'm sorry, but I've absolutely no clue what this issue is about.
Please consider describing your problem more precisely.
Thank you.
- Project changed from TYPO3 Core to 1716
- Subject changed from </textarea> triggers end of html content element in backend to XSS in HTML content element through t3editor
- Category set to OW-A07: Cross Site Scripting
It might be a problem on my side, but disabling the t3editor did not work for me. Is this feature defective?
If it's defective, either manually insert it into the database or insert it in a 4.5 installation and then upgrade to 4.6+ ;-)
- Status changed from New to Closed
- Status changed from Closed to Accepted
Damn it.. didn't want to close both of the reports :-/
- Status changed from Accepted to Under Review
- Subject changed from XSS in HTML content element through t3editor to Persistent XSS in HTML content element through t3editor
Hi,
I think that the HTML content element should NEVER be available for editors, because by definition being able to edit plain HTML leads to persistent XSS.
That said, I'm fine with fixing that publicly.
Fine, will take care of it.
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A07: Cross Site Scripting)
I guess you discussed that, would you share your opinion, why this is no security issue? Because HTML CE is treated badly generally?
As soon as an editor has access to the HTML CE, the persistent XSS is IMHO nothing desirable.
This is not a critical issue, as editors who can use the HTML CE still have the possibility to put JS into Frontend code. Giving this possibility also for the Backend is no additional security issue.
So this is just a bug fix.
- Status changed from Under Review to Resolved
- Status changed from Resolved to Closed