[Typo3-dev] Security Problem - HTML

Dominic Brander typo3_db at snowflake.ch
Tue Sep 23 16:00:42 CEST 2003


I think this is a good way to go.
We cannot give 100% security, as this is not possible.
But we can give some tools to admins to control at least a few things.


Christoph Moeller wrote:

> Dominic Brander wrote:
> 
>> Let's start the security-discussion in this list.
> 
> 
> hmm, just had a quick look into typo3/t3lib/class.t3lib_parsehtml.php, 
> around line 466. There's the function HTMLcleaner which could (? i.e. if 
> someone still understands this code monster *g*) be extended to parse 
> for suspicious cookie stuff in the content's HTML.
> 
> I think it's not really possible to distinguish between malicious and 
> good JS cookie code inserted as HTML CE. For example there always could 
> be a white-hat use for manually inserted document.cookie's if someone 
> knows what he's doing.
> 
> Just an idea: warning messages to the admin telling about JS-cookie 
> usage in HTML content elements? Not really convenient - I know - but 
> does anyone have a better idea? This is a browser/general cookie problem...
> 
> Chris
> 

-- 
dominic brander
________________________________________________________________________
dominic brander - snowflake productions gmbh
tel. CH  +41 1 451 75 71    - fax. CH +41 1 451 63 80
tel. D   +49 89 31 56 78 15 - fax. D +49 89 31 56 78 16
mobile   +41 76 493 25 88
http://www.snowflake.ch
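
The admin-warning idea from the quoted message, sketched as a standalone audit script (an added example, not TYPO3 code and not written by either poster). It reports `document.cookie` use in script bodies, event-handler attributes and `javascript:` URLs without judging intent; the record uids and sample HTML are constructed.

```python
import re
from html.parser import HTMLParser

# Matches document.cookie and document["cookie"]; obfuscated access is not caught.
COOKIE_REF = re.compile(
    r"""document\s*(?:\.\s*cookie\b|\[\s*['"]cookie['"]\s*\])""", re.I)

class CookieUseFinder(HTMLParser):
    """Collects (line, where) for each place script code references cookies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            value = value or ""
            is_handler = name.startswith("on")          # onclick, onerror, ...
            is_js_url = value.strip().lower().startswith("javascript:")
            if (is_handler or is_js_url) and COOKIE_REF.search(value):
                self.findings.append((self.getpos()[0], f"<{tag} {name}=...>"))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Plain text that merely mentions document.cookie is ignored.
        match = COOKIE_REF.search(data) if self.in_script else None
        if match:
            line = self.getpos()[0] + data.count("\n", 0, match.start())
            self.findings.append((line, "<script> body"))

def audit(elements):
    """Return {uid: findings} for content elements that need admin review."""
    report = {}
    for uid, html in elements.items():
        finder = CookieUseFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[uid] = finder.findings
    return report

# Constructed sample content elements, keyed by a hypothetical record uid.
SAMPLE = {
    101: "<p>Our cookie policy mentions document.cookie in plain text.</p>",
    102: "<script>\nvar c = document.cookie;\n</script>",
    103: '<img src="x.gif"\n onerror="send(document[\'cookie\'])">',
}
```

Calling `audit(SAMPLE)` returns findings for elements 102 and 103 only; each finding is a warning for a human to review, in line with the point made in the thread that good and malicious cookie code cannot be told apart automatically.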






