[Typo3-dev] Security Problem - HTML

Robert Lemke rl at robertlemke.de
Tue Sep 23 16:41:29 CEST 2003


Hi,

it seems like in my installation of TYPO3.6.0dev the problem DOES NOT
occur, the malicious part is just filtered out. But I have to find out
where it's actually filtered.

You see this:

<img src="http://hostname/typo3/gfx/helpbubble.gif"
onload="document.write('<iframe
src="\'http://hostname/test.php?cookie">');">

I think it's because of TYPO3 trying to make the source code XHTML
compliant, note how the IMG tag changed to img!

-- 
robert





