[TYPO3-dev] Where clipboard data is saved?

Tapio Markula tapio.markula at atwebteam.com
Fri Feb 9 22:19:28 CET 2007


Martin Kutschker wrote:
> Thorsten Kahler wrote:
>> Hi Tapio,
>>
>> Tapio Markula wrote on 08.02.2007 15:00:
>>> But setting
>>> $_GET
>>> from $_GET params which have been parsed through t3lib_div::_GET()
>>> works - and *can't* ever be a security flaw,
>>> because the value has *always* gone through the t3lib_div::_GET()
>>> function.
>>> On the basis of a safe and checked $_GET param, another $_GET
>>> variable has just been set - which must be safe!
>>
>> Who the hell told you that? You _always_ have to validate values
>> passed from the client!
>>
>> I hope you just wanted to make a joke.
> 
> I second that. There is NO security check in the t3lib_div::_GET()!

Why is it then said that it is a security flaw
to use a $_GET parameter without going through t3lib_div::_GET(),
and that a plugin can't be accepted as safe without using that function?

> It's just not possible to check the parameters at this stage as it 
> depends on the application (ie the plugin) on how the data is used.

The core class method doesn't do anything without correct values.
When I have

$_GET['CB']['remove'] = key($myGET['CB']['el']);   // set $_GET parameter

I force a class method to use a $_GET variable which has gone through
t3lib_div::_GET().
The value comes from the use of other core class methods (['CB']['el']
comes from the use of the clipboard functions, which execute the copy/paste
functionality).

I just want to say that this should not be a security problem.
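An added illustration of the point Thorsten and Martin make above; this is not code from the original post or from TYPO3. The getParam() helper below is a stand-in for what the thread says about t3lib_div::_GET(): it only normalises escaping (here: stripslashes on the values) and otherwise hands the client-supplied value back unchanged (an assumption modelled on the discussion, not a copy of the TYPO3 implementation). The key() assignment mirrors the line in the post, and validClipboardKey() is the kind of check the plugin itself has to do. The "<table>|<uid>" shape of clipboard element keys and the sample requests are assumptions constructed for the example.

```php
<?php
// Example code, not TYPO3's. Mimics an accessor that only normalises
// slashes (assumption about t3lib_div::_GET() based on the thread above).
function stripSlashesDeep($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = stripSlashesDeep($v);
        }
        return $value;
    }
    return stripslashes((string) $value);
}

// Returns the client-supplied value; nothing here vets its content.
function getParam(array $get, string $name)
{
    return isset($get[$name]) ? stripSlashesDeep($get[$name]) : null;
}

// The validation the plugin must do itself. Clipboard element keys are
// assumed to look like "<table>|<uid>" (assumption for this example).
function validClipboardKey(string $key, array $allowedTables): bool
{
    if (!preg_match('/^([a-z0-9_]+)\|([0-9]+)$/', $key, $m)) {
        return false;
    }
    return in_array($m[1], $allowedTables, true) && (int) $m[2] > 0;
}

// Constructed sample requests: a legitimate one, one where the client
// picked a table it should not touch, and one that is plain garbage.
$requests = [
    'legit'    => ['CB' => ['el' => ['tt_content|42' => 1]]],
    'tampered' => ['CB' => ['el' => ['be_users|1' => 1]]],
    'garbage'  => ['CB' => ['el' => ['../etc/passwd' => 1]]],
];

foreach ($requests as $label => $fakeGet) {
    $myGET = getParam($fakeGet, 'CB');
    // Same construction as in the post: the key is whatever the client sent.
    $remove = key($myGET['el']);
    $unchanged = ($remove === key($fakeGet['CB']['el']));
    $ok = validClipboardKey($remove, ['tt_content', 'pages']);
    printf("%-8s key=%-16s passed-through-unchanged=%s valid=%s\n",
        $label, $remove, var_export($unchanged, true), var_export($ok, true));
}
```

Running this shows that all three keys come back from the accessor exactly as the client sent them, and only the explicit allow-list check separates the legitimate request from the other two; that check, not the accessor, is what makes the value safe to hand to a method that acts on it.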
