[TYPO3-dev] Removing strip_tags dangerous?

Steffen Kamper steffen at sk-typo3.de
Fri Oct 19 11:32:05 CEST 2007


"JoH" <info at cybercraft.de> wrote in the news post 
news:mailman.1.1192785710.5430.typo3-dev at lists.netfielders.de...
>> no, because htmlspecialchars will encode <> signs
>
> Not a good idea!
> http://applesoup.googlepages.com/bypass_filter.txt
>
> Maybe the security team should check this out ...
>
> HTH
>
> Joey
>
For XSS there is a function; maybe this should be called anyway:
$this->cObj->removeBadHTML

Also, htmlspecialchars should be used with a charset, e.g. utf8; the default 
encoding is iso. Maybe there could be a wrapper function in t3lib_div using 
the charset in use.

Regards, Steffen 
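The charset-aware wrapper Steffen suggests, written out as an added example (this is not TYPO3 code and not a proposal from anyone on the thread). The function name escapeForHtml is hypothetical, and the charset is assumed to be passed in from the site configuration by the caller; the payload bytes are constructed for the demonstration. It shows the failure mode behind the bypass link above: when the declared charset disagrees with the one the page is served in, htmlspecialchars may never see a "<" at all.

```php
<?php
// Added example, not TYPO3 code: a charset-aware wrapper around htmlspecialchars()
// in the spirit of the t3lib_div helper suggested in the post. Names are hypothetical.
declare(strict_types=1);

/**
 * Escape untrusted text for HTML output using the charset the page is actually
 * served in. In a real wrapper $charset would come from the TYPO3 configuration
 * (assumption); it must never be left to the PHP default.
 *
 * @param string $input   raw, untrusted text
 * @param string $charset e.g. 'UTF-8' or 'ISO-8859-1'
 */
function escapeForHtml(string $input, string $charset): string
{
    // ENT_QUOTES: also escape " and ' so the result is safe inside attribute values.
    // ENT_SUBSTITUTE (PHP >= 5.4): replace byte sequences that are invalid in $charset
    // with U+FFFD instead of returning an empty string or passing them through.
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

/**
 * Plain-text summary of what escaping a payload under two declared charsets yields,
 * so the mismatch can be seen side by side.
 */
function compareCharsets(string $payload): array
{
    return [
        'iso-8859-1' => escapeForHtml($payload, 'ISO-8859-1'),
        'utf-8'      => escapeForHtml($payload, 'UTF-8'),
    ];
}

// Constructed payload: "\xC0\xBC" and "\xC0\xBE" are overlong (hence invalid) UTF-8
// encodings of "<" and ">". A byte-oriented filter looking for 0x3C / 0x3E sees neither.
$payload = "\xC0\xBCscript\xC0\xBE";

$result = compareCharsets($payload);

// Declared as ISO-8859-1, every byte is its own character and none of them is
// special to htmlspecialchars(), so the payload reaches the output untouched.
var_dump($result['iso-8859-1'] === $payload);            // bool(true): nothing escaped

// Declared as UTF-8, the overlong sequences are rejected as invalid and substituted,
// so no raw lead byte survives to be reinterpreted by whatever consumes the output.
var_dump(strpos($result['utf-8'], "\xC0") === false);    // bool(true)
var_dump(strpos($result['utf-8'], 'script') !== false);  // bool(true): valid text kept
```

Whether a given browser still decodes overlong sequences is a separate question; the point of the example is that the escaper and the page must agree on the charset, which is exactly what a wrapper that always passes the configured charset guarantees. On PHP releases older than 5.4, ENT_SUBSTITUTE is not available and an invalid sequence under a multibyte charset makes htmlspecialchars() return an empty string, which a wrapper should treat as a rejected input rather than as "nothing to escape".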
