Bug #59540
Viewhelpers htmlspecialchars and htmlentities never replace single quotes
Status: Closed (100% done)
Description
Both ViewHelpers are documented with
Text with & " ' < > * replaced by HTML entities
In fact, single quotes will never be replaced. Replacing quotes depends on the flags parameter which is given to htmlspecialchars()/htmlentities(). Both ViewHelpers set this flag to either ENT_NOQUOTES or ENT_COMPAT. But for converting both single and double quotes, ENT_QUOTES would be needed.
Updated by Markus Klein over 10 years ago
- Project changed from 2559 to TYPO3 Core
Updated by Markus Klein over 10 years ago
- Category set to Fluid
- Is Regression set to No
- TYPO3 Version set to 6.2
Which TYPO3 version are you using?
Updated by Markus Klein over 10 years ago
What fix do you propose?
- Correct the example
- change the code
I propose to go for the first solution
Updated by Julian Hofmann over 10 years ago
Does anybody know why ENT_COMPAT is in use here?
In my opinion, the flag has to be changed to ENT_QUOTES to be compatible with the (ViewHelper) documentation.
PHP-Documentation of the Flags:
ENT_COMPAT: Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES: Will convert both double and single quotes.
ENT_NOQUOTES: Will leave both double and single quotes unconverted.
Updated by Markus Klein over 10 years ago
As I wrote above, I would not change the code, but the documentation. ENT_COMPAT is the default for hsc().
Updated by Claus Due about 9 years ago
- Status changed from New to Accepted
ViewHelper documentation must be changed, then this issue can be closed. I agree we should match hsc() default behavior. We can then discuss, as a separate feature request, introducing "flags" as an argument to control the ENT_* flags. It's not an easy fix though because bits.
Updated by Helmut Hummel about 9 years ago
Claus Due wrote:
ViewHelper documentation must be changed, then this issue can be closed. I agree we should match hsc() default behavior. We can then discuss, as a separate feature request, introducing "flags" as an argument to control the ENT_* flags. It's not an easy fix though because bits.
Markus Klein wrote:
As I wrote above, I would not change the code, but the documentation. ENT_COMPAT is the default for hsc().
I disagree here. I would change the code, as the additional quoting could be security relevant!
Updated by Markus Klein about 9 years ago
After talking to Helmut about this and checking the (damn) HTML5 standard, I have to change my mind. Single quotes are allowed for attribute value specification, hence we have to help to protect against XSS.
Of course there can be edge-cases where this might be a breaking change, but those should be really minor.
We also need to check the default interceptor what is done there currently. (for usages like {foo})
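The following is an added example, not code from TYPO3 or Fluid, illustrating both the description's point (ENT_NOQUOTES/ENT_COMPAT never touch single quotes) and the comment above about single-quoted attribute values in HTML5. The attribute-rendering helpers, the regex check and the attacker-controlled string are constructed for the demonstration; the htmlspecialchars() flag behaviour is plain PHP.

```php
<?php
declare(strict_types=1);

// Constructed attacker-controlled value (e.g. a user's display name).
// It contains no double quote, so ENT_COMPAT has nothing to convert.
$untrusted = "x' onmouseover='alert(1)";

// Flags the two ViewHelpers used (ENT_NOQUOTES, ENT_COMPAT) versus the
// flag the ViewHelper documentation implies (ENT_QUOTES).
$variants = [
    'ENT_NOQUOTES' => ENT_NOQUOTES,
    'ENT_COMPAT'   => ENT_COMPAT,
    'ENT_QUOTES'   => ENT_QUOTES,
];

// Hypothetical template fragments: the same value placed in a
// double-quoted and in a single-quoted attribute (both valid HTML5).
function renderDoubleQuoted(string $value, int $flags): string
{
    return '<a title="' . htmlspecialchars($value, $flags, 'UTF-8') . '">link</a>';
}

function renderSingleQuoted(string $value, int $flags): string
{
    return "<a title='" . htmlspecialchars($value, $flags, 'UTF-8') . "'>link</a>";
}

// Crude indicator for the demo: an unescaped quote followed by an
// "on..." event handler means the attacker closed the attribute and
// started a new one. Real detection would parse the markup instead.
function attackerBreaksOut(string $html): bool
{
    return (bool) preg_match("/[\"'] on[a-z]+=/i", $html);
}

foreach ($variants as $name => $flags) {
    $double = renderDoubleQuoted($untrusted, $flags);
    $single = renderSingleQuoted($untrusted, $flags);
    printf("%s\n", $name);
    printf("  double-quoted attr: %s\n", $double);
    printf("    breaks out: %s\n", attackerBreaksOut($double) ? 'YES' : 'no');
    printf("  single-quoted attr: %s\n", $single);
    printf("    breaks out: %s\n\n", attackerBreaksOut($single) ? 'YES' : 'no');
}
```

With ENT_NOQUOTES and ENT_COMPAT the single-quoted variant renders as `<a title='x' onmouseover='alert(1)'>link</a>`, i.e. the payload becomes a live event handler; the double-quoted variant is only safe with ENT_COMPAT because this particular payload happens to contain no double quote. With ENT_QUOTES the single quote is converted (to `&#039;` or `&apos;` depending on the doctype flag) and the attribute boundary holds in both cases. This is why matching hsc()'s ENT_COMPAT default is not sufficient once templates may use single-quoted attribute values.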
Updated by Claus Due about 9 years ago
We also need to check the default interceptor what is done there currently. (for usages like {foo})
The default interceptor wraps the ObjectAccessorNode in HtmlspecialcharsViewHelper if escaping behavior is enabled. So, yeah... :)
Updated by Gerrit Code Review about 9 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/44140
Updated by Gerrit Code Review about 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/44140
Updated by Gerrit Code Review almost 9 years ago
Patch set 86 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 87 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 88 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 89 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 90 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 91 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 92 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 93 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 94 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 95 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 96 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 97 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 98 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 99 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 100 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 101 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 102 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 103 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 104 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 105 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 106 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 107 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 108 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 109 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 110 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 111 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 112 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 113 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 114 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 115 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 116 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 117 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 118 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 119 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 120 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 121 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 122 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 123 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 124 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 125 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 126 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 127 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 128 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 129 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 130 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Gerrit Code Review almost 9 years ago
Patch set 131 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/42425
Updated by Anonymous almost 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 8b693daac0cc381f10c74bc5d78b2448f55111f3.
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed