Bug #80888

GeneralUtility::removeXSS() doesn't respect base64 encoded links

Added by Alex Kellner over 4 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2017-04-19
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In some projects we're using GeneralUtility::removeXSS() for user variables.
It turned out that this is a failure. Base64 encoded links are not disarmed.

Example test.php in the TYPO3 webroot:

<?php
require __DIR__ . '/vendor/autoload.php';

// data: URI whose base64 payload decodes to <script>alert('XSS')</script>
$string = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K';
// Link 1 is echoed raw; link 2 goes through removeXSS(), which leaves the data: href untouched.
echo '<a href="' . $string . '">1</a>';
echo \TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS('<a href="' . $string . '">2</a>');

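The report illustrates why a blacklist filter like removeXSS() is the wrong tool for link attributes: it looks for known-bad patterns, and a data: URI carrying base64 does not match any of them (the related Task #76164 deprecates RemoveXSS for this class of reasons). The defensive alternative is to validate the href against an allowlist of URL schemes and encode it on output. The following is an added example written for this page, not code from the bug report or from TYPO3 core; sanitizeHref() and renderLink() are hypothetical helper names.

```php
<?php
// Added example (not from the bug report or TYPO3 core): scheme allowlisting
// plus output encoding for user-supplied href values.

declare(strict_types=1);

/**
 * Returns a safe href value, or null if the URL must be rejected.
 * Only http, https, mailto and scheme-less (relative) URLs are accepted;
 * any other scheme (data:, javascript:, vbscript:, ...) is dropped.
 */
function sanitizeHref(string $url): ?string
{
    // Browsers ignore ASCII control characters (tab, CR, LF, ...) when
    // parsing a scheme, so remove them first; otherwise "java\tscript:"
    // would slip past a naive scheme check.
    $url = preg_replace('/[\x00-\x1f\x7f]+/', '', trim($url));
    if ($url === '') {
        return null;
    }

    // No scheme at all: a relative URL, which is fine. Note that a
    // protocol-relative "//host/" URL also lands here; reject it too if
    // off-site links are not wanted.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return $url;
    }

    $allowedSchemes = ['http', 'https', 'mailto'];
    return in_array(strtolower($m[1]), $allowedSchemes, true) ? $url : null;
}

/**
 * Renders an <a> element. Rejected URLs degrade to plain text so that the
 * user-supplied value never reaches the href attribute.
 */
function renderLink(string $url, string $text): string
{
    $encodedText = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeUrl = sanitizeHref($url);
    if ($safeUrl === null) {
        return $encodedText;
    }
    $encodedUrl = htmlspecialchars($safeUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encodedUrl . '">' . $encodedText . '</a>';
}

// Constructed sample inputs: the data: URI from the report, two ordinary
// links, and a javascript: URL obfuscated with a tab.
$samples = [
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K',
    'https://typo3.org/',
    '/index.php?id=1',
    "java\tscript:alert(1)",
];

foreach ($samples as $sample) {
    echo renderLink($sample, 'link'), PHP_EOL;
}
```

Running this prints a bare `link` for the first and last sample (both rejected) and proper anchors for the https and relative URLs. The design point is that the decision is made on the parsed scheme, not on the presence of suspicious substrings, so encoding tricks inside the payload (base64, entity encoding, case variation) have nothing to bypass.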

Files

removexssdatauri.patch (6.79 KB) - patch for data attributes against 6.2 - Jigal van Hemert, 2017-08-01 11:42

Related issues

Related to TYPO3 Core - Task #76164: Deprecate RemoveXSS (Closed, 2016-05-12)
