[Typo3-dev] XML/OpenOffice/Office 2003 comp RTE

Robert Lemke rl at robertlemke.de
Sun Nov 16 12:43:02 CET 2003


Hi folks,

Thomas Bley wrote me a private email asking why we try to conceal
TYPO3's security issues. That's not our intention and I wasn't aware of
any concealment regarding injection of malicious code into the RTE.

However I'd like to add a warning to my previous post: I don't know of
any way of inserting malicious code into the RTE *if it is configured
correctly*. That is, you have to make up a restrictive configuration of
the RTE transform process which is well described in the RTE manual.

Still, if you allow anyone to insert HTML code containing JavaScript,
there is a certain risk. We mentioned that in the small article you find
at typo3.org's intro page dealing with a security issue which was also
discovered by Thomas Bley.


On Wed, 2003-11-12 at 23:58, Robert Lemke wrote:
> On Wed, 2003-11-12 at 23:01, Troels Kjær Rasmussen wrote:
> > THE COOL THING WITH SXW FILES IS THAT IT STORES PICTURES, METADATA WITHIN THE SXW FILE - 
> > so no more uploading of pictures! - insert them where you want them, and they'll be stored
> > right there in the sxw file
> 
> Hmm, I don't share your enthusiasm about an editor working directly with
> sxw files. Just zip the uploads and the fileadmin folder and you also
> have everything in one file - that's what sxw is, just a zip file.
> Where's the advantage? Plus accessing a zip / sxw file for processing
> the output to the frontend is really slow.
-- 
robert

"They placed me on this earth without a manual. 
 And i dare to say, i’m doing just fine without ;)"





