[TYPO3-dev] t3lib_div::removeXSS() slowing down output

Steffen Kamper info at sk-typo3.de
Sat Sep 27 14:05:58 CEST 2008


Hi Jigal,

ah, now I get it that you modified the included one. I stopped 
investigating a while ago after content was full of <x> stuff, so I 
decided to make simple HSC instead.

I will test your modifications anyway.

vg Steffen

Jigal van Hemert schrieb:
> Hi Steffen,
> 
> Steffen Kamper wrote:
>> Jigal van Hemert schrieb:
>>> Jigal van Hemert wrote:
>>>> One of the things I noticed is that t3lib_div::removeXSS() is very 
>>>> inefficient in detecting and replacing potential threats.
>>> I made a faster version of removeXSS()
>>> http://www.xs4all.nl/~dcbjht/typo3/removeXSS.txt
>>>
>>> Can you guys please take a look at it. Feel free to include it in 
>>> t3lib_div if no problems are found :-)
>>
>> thanks for this script. Where does it come from, any license?
> 
> The script is available online at:
> http://kallahar.com/smallprojects/php_xss_filter_function.php
> 
> But in the T3 distribution you can find it in:
> typo3/contrib/RemoveXSS/RemoveXSS.php
> 
>> I will test it, as I see removeXSS as unusable at the moment because 
>> of destroying output.
> 
> I noticed an error in a regular expression ([9|10|13]), where it meant 
> (9|10|13). But other than that I only unrolled some loops (made a big 
> regexp instead of a loop with dozens of calls to preg_replace() ) and 
> added a simple test for the list of potentially dangerous words before 
> the existing removal routine (which now only uses the list of detected 
> potentially dangerous words) is called.
> 
> If you know of more problems with this routine I will try to fix them!
> 
> Regards,
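The two points in the quoted message, the `[9|10|13]` regex bug and the word pre-check in front of the per-word removal, as an added example that is not the RemoveXSS code, Jigal's modified version, or anything from the TYPO3 tree. It is written in Python so it runs stand-alone; the regex constructs behave the same way in PHP's PCRE. The surrounding pattern (a decimal character reference `&#…;` for ASCII 9, 10 and 13, i.e. TAB, LF and CR), the `<x>` insertion after the second character of a detected word, and the short word list are all assumptions made for the illustration.

```python
import re

# --- 1. The regex bug named in the thread ---------------------------------
# ASCII 9, 10 and 13 are TAB, LF and CR; HTML allows them as &#9; &#10; &#13;
# Constructed patterns (assumption: the real one strips such references).
BROKEN_WS_REF = re.compile(r'&#0*[9|10|13];')    # class: ONE of '9' '|' '1' '0' '3'
FIXED_WS_REF = re.compile(r'&#0*(?:9|10|13);')   # alternation: the number 9, 10 or 13


def matched_refs(pattern, candidates):
    """Return the candidates the pattern matches in full, in input order."""
    return [c for c in candidates if pattern.fullmatch(c)]


# Constructed sample references: three real whitespace references plus four decoys.
REF_SAMPLES = ['&#9;', '&#10;', '&#13;', '&#1;', '&#3;', '&#|;', '&#0;']

# --- 2. Pre-check before the per-word removal ------------------------------
# Assumption: a small subset standing in for the filter's word list.
DANGEROUS_WORDS = ['javascript', 'vbscript', 'expression', 'onload', 'onerror']
CTRL_OR_SPACE = re.compile(r'[\x00-\x20]')


def detect_words(val):
    """Cheap necessary-condition test: which listed words can the full regex hit?

    The per-word pattern below allows [\\x00-\\x20]* between letters, so it can
    match only if the word is contiguous once those characters are removed.
    A substring search on one collapsed copy is therefore an exact filter,
    not just a heuristic, and it costs one scan per word instead of one regex.
    """
    collapsed = CTRL_OR_SPACE.sub('', val).lower()
    return [w for w in DANGEROUS_WORDS if w in collapsed]


def build_pattern(words):
    """One alternation over the detected words (one call instead of a loop)."""
    alts = []
    for w in words:
        # letters may be separated by control characters or spaces
        letters = r'[\x00-\x20]*'.join(re.escape(ch) for ch in w)
        alts.append('(?P<%s>%s)' % (w, letters))   # group name = canonical word
    return re.compile('|'.join(alts), re.IGNORECASE)


def remove_xss(val):
    """Break up every detected dangerous word by inserting <x> after 2 chars.

    Assumption: the <x> insertion mirrors what the thread describes as output
    'full of <x> stuff'; the obfuscated spelling is replaced by the canonical
    word so the reader can see what was neutralised.
    """
    words = detect_words(val)
    if not words:
        return val                       # fast path: untouched content
    pattern = build_pattern(words)

    def breaker(m):
        w = m.lastgroup                  # the alternative that matched
        return w[:2] + '<x>' + w[2:]

    return pattern.sub(breaker, val)


if __name__ == '__main__':
    print('broken:', matched_refs(BROKEN_WS_REF, REF_SAMPLES))
    print('fixed: ', matched_refs(FIXED_WS_REF, REF_SAMPLES))
    print(remove_xss('<a href="j a v a script:alert(1)">x</a>'))
    print(remove_xss('<body onLoad=foo>'))
    print(remove_xss('Hello world'))
```

Two things worth noticing when running it: the broken class accepts `&#1;`, `&#3;`, `&#0;` and even `&#|;` while rejecting the two-digit `&#10;` and `&#13;` it was meant to catch, and the pre-check lets ordinary content skip the regex stage entirely, which is where the speed-up the thread is after comes from.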