[Typo3-dev] Re: AW: [Typo3-metadev] Re: BE user IP locking / additional note on FE-created CE's?

"Kasper Skårhøj" kasper at typo3.com
Thu Sep 25 00:14:30 CEST 2003


>Another thing kind of struck me when reading René's introduction in the
>extension's manual:
>maybe an addition should be made, stating that sites allowing their
>users to post any new content via FE could be open to this "attack", as
>well. For example, Luite's phpBB extension allows forum users to add a
>signature/post containing the JS snippet. Possibly there are other FE
>ext's that allow for this kind of compromising, as well?

Exactly! The great danger is the frontend plugins which allow just that!

The rules are:
- Generally ALWAYS htmlspecialchars() your output from database - then you have secured it so far.
- Be careful with database content going into attributes of elements:
  First of all, always htmlspecialchars() that as well.
  Secondly, for on*-handlers it's obviously dangerous. But also for regular URLs in <a href="..."> which is probably the most potential thing to overlook - here people can place javascript with "javascript:....."


And may I point everyone's attention to the Cross Site Scripting (XSS) section which has already been written in one of the TYPO3 documents (Coding Guidelines I think it was...)


- kasper
-------------------- o ---------------------
>>>    In God I trust - others pay cash!     <<<
Check www.typo3.com
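The three rules in the message above, worked through in PHP as an added example (this is not code from the mailing list, from TYPO3 core or from any of the extensions named; the row fields `text`, `url` and `label`, the helper names and the sample rows are all assumed). Plain element content and attribute values both go through htmlspecialchars(), and an href taken from the database is additionally checked against a scheme allow-list, because escaping alone leaves a "javascript:" URL perfectly intact:

```php
<?php
// Added example for the rules in Kasper's message. Not TYPO3 code;
// field names, helper names and the sample rows are assumptions.
declare(strict_types=1);

/** Rule 1: escape every database value that lands in element content. */
function escapeContent(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Rule 2a: escape values placed in attributes too; ENT_QUOTES covers both quote kinds. */
function escapeAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Rule 2b: a user-supplied href is a URL, not just text. htmlspecialchars()
 * does nothing to "javascript:...", so the scheme is compared with an
 * allow-list first and anything else is replaced by a harmless fallback.
 */
function safeHref(string $url): string
{
    $trimmed = trim($url);
    // Drop control characters and whitespace that browsers tolerate inside
    // the scheme before comparing, lower-cased.
    $normalized = strtolower(preg_replace('/[\x00-\x20]+/', '', $trimmed));
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/', $normalized, $m) !== 1) {
        // No scheme at all: a relative URL, fine once escaped.
        return escapeAttribute($trimmed);
    }
    if (in_array($m[1], ['http', 'https', 'mailto'], true)) {
        return escapeAttribute($trimmed);
    }
    return '#'; // unknown or script-capable scheme (javascript:, data:, ...)
}

/** Build a forum signature from an (assumed) database row. */
function renderSignature(array $row): string
{
    return '<div class="signature" title="' . escapeAttribute($row['text']) . '">'
        . escapeContent($row['text'])
        . ' <a href="' . safeHref($row['url']) . '">'
        . escapeContent($row['label'])
        . '</a></div>';
}

// Constructed sample rows standing in for what a forum plugin would SELECT.
// The second row is the kind of content the message warns about; both are
// rendered as inert text.
$rows = [
    ['text' => 'Hello <b>world</b>',      'url' => 'https://typo3.org/',    'label' => 'TYPO3'],
    ['text' => '" onmouseover="alert(1)', 'url' => 'javascript:alert(1)',   'label' => 'click'],
];
foreach ($rows as $row) {
    echo renderSignature($row), PHP_EOL;
}
```

The allow-list check is the part most plugins skip: the second row's href becomes a plain `#`, while its text survives only as `&quot; onmouseover=&quot;alert(1)`, which is harmless both in the title attribute and in the element body.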
