Bug #3977

TextValidator is insecure

Added by Robert Lemke about 10 years ago. Updated over 7 years ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
Validation
Target version:
-
Start date:
Due date:
% Done:

20%

Estimated time:
6.00 h
PHP Version:
Has patch:
No
Complexity:

Description

The TextValidator currently allows strings like

%3cspan style="color: #BBBBBB;"%3ea nice text%3c/span%3e

It seems like we can't solve this completely with filter_var because then characters like percent, semikolon, quotes etc. can't be used in a text. In general the test case lacks realistic string which should pass the validator.

TextValidatorTest.php.patch View - Patch for the unit test (4.8 KB) Karsten Dambekalns, 2010-01-20 12:11


Related issues

Related to TYPO3.Flow - Bug #2851: TextValidator is insecure Resolved 2009-03-16

Associated revisions

Revision 043cd78b (diff)
Added by Robert Lemke about 10 years ago

[~BUGFIX] FLOW3 (Validation): The ValidatorResolver test case failed - but only if the Blog package was installed. This was due to some Blog model being used by a data provider which in reality should have been a sample, not existing class. Fixed that.
[~TASK] FLOW3 (Validation): The TextValidator was too restrictive because it did not allow line breaks and other common characters - now it does. However, it's not really secure yet. Relates to #3977
[+BUGFIX] Fluid (Core): Added some safe guard and aception to the Abstract Node which would exit with a fatal error in some cases.

Revision cfa4bd55 (diff)
Added by Christian Müller over 7 years ago

[TASK] Improve TextValidator unit tests

This introduces more test texts for the TextValidator tests.

Change-Id: Ie461a82fec5ead10941031c53e32694d4d0b44d2
Related: #3977
Releases: 1.0, 1.1

History

#1 Updated by Robert Lemke about 10 years ago

  • Target version deleted (1.0 alpha 3)

#2 Updated by Robert Lemke almost 10 years ago

  • Target version set to 1.0 alpha 8

#3 Updated by Karsten Dambekalns over 9 years ago

Attached a patch for the unit test that makes adding new valid and invalid input easier.

#4 Updated by Robert Lemke over 9 years ago

  • Status changed from New to Accepted
  • Assignee set to Robert Lemke
  • % Done changed from 0 to 20
  • Estimated time set to 6.00 h

#5 Updated by Robert Lemke over 9 years ago

  • Start date deleted (2009-03-16)

#6 Updated by Karsten Dambekalns over 9 years ago

  • Target version changed from 1.0 alpha 8 to 1.0 alpha 9

#7 Updated by Robert Lemke over 9 years ago

  • Target version deleted (1.0 alpha 9)

#9 Updated by Bastian Waidelich over 7 years ago

  • Has patch set to No

IMO TextValidator should be removed as it depends on the context whether a string is insecure or not (also see comment at #6121)

#10 Updated by Christian Müller over 7 years ago

  • Status changed from Accepted to Rejected
  • Assignee deleted (Robert Lemke)

The test improvements are in review now, I will close this, we could decide to deprecate the TextValidator at some point. I added also some longer comment to the TextValidator to point out that it won't make sure the validated string is secure in all possible output environments.

Also available in: Atom PDF