[TYPO3-dev] Where clipboard data is saved?

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Fri Feb 9 20:36:45 CET 2007


Thorsten Kahler wrote:
> Hi Tapio,
> 
> Tapio Markula wrote on 08.02.2007 15:00:
>> But setting
>> $_GET
>> from $_GET params, which has been parsed through t3lib_div::_GET();
>> works - and *can't* ever be a security flaw,
>> because the value has *always* gone through the t3lib_div::_GET() function.
>> On the basis of a safe and checked $_GET param, another $_GET
>> variable has just been set - which must be safe!
> 
> who the hell told you that? You _always_ have to validate values passed from
> the client!
> 
> I hope you just wanted to make a joke.

I second that. There is NO security check in the t3lib_div::_GET()!

It's just not possible to check the parameters at this stage as it
depends on the application (i.e. the plugin) on how the data is used.

Masi
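
Added example, not part of the original thread and not TYPO3 code: a sketch of why validation has to happen where the value is used rather than where it is fetched. `fetchParam()` is a hypothetical stand-in for an accessor that, like the `t3lib_div::_GET()` described above, returns the client value without any security check; the other function names, the column allow-list and the request data are constructed for illustration.

```php
<?php
// Hypothetical accessor: fetches only, performs no validation at all.
function fetchParam(array $get, string $name): ?string {
    return isset($get[$name]) && is_string($get[$name]) ? $get[$name] : null;
}

// Use 1: the value becomes a record uid in a query.
// Only a positive integer is acceptable; anything else is rejected.
function asUid(?string $raw): ?int {
    if ($raw === null || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    $n = (int)$raw;
    return $n <= 2147483647 ? $n : null;
}

// Use 2: the value selects a sort column.
// Only names from a fixed allow-list are acceptable; fall back otherwise.
function asSortColumn(?string $raw, array $allowed, string $default): string {
    return in_array($raw, $allowed, true) ? $raw : $default;
}

// Use 3: the value is echoed into an HTML page.
// Any string is acceptable, but it must be escaped at output time.
function asHtmlText(?string $raw): string {
    return htmlspecialchars((string)$raw, ENT_QUOTES, 'UTF-8');
}

// Constructed request data. Every value passes through the accessor
// unchanged; whether it is acceptable depends entirely on the use.
$get = [
    'uid'  => '42 OR 1=1',
    'sort' => 'password',
    'q'    => '<b>42</b>',
];

$uid  = asUid(fetchParam($get, 'uid'));
$sort = asSortColumn(fetchParam($get, 'sort'), ['title', 'crdate'], 'title');
$text = asHtmlText(fetchParam($get, 'q'));

var_dump($uid);          // result of the uid check on the constructed value
var_dump(asUid('42'));   // the same check on a well-formed value
echo $sort, "\n";        // column actually used for sorting
echo $text, "\n";        // string as it would be written into the page
```

Copying a fetched value into another `$_GET` entry, as discussed in the quoted message, changes none of this: each consumer still has to apply the check that matches its own use.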




