[TYPO3-dev] t3lib_div::removeXSS() slowing down output
Jigal van Hemert
jigal at xs4all.nl
Sun Sep 28 12:50:52 CEST 2008
Marcus Krause wrote:
> Jigal van Hemert wrote on 27.09.2008 01:14:
> As you've been working on removeXSS(), I'd like to point you to bug
> #8978 [1]. I guess nobody would object when removeXSS() gets improved.
Thanks!
I've made some improvements already (while maintaining the speed!) to
catch more XSS attacks and keep 'normal' text unaffected.
e.g. <script/xss src="http://typo3.org/plaap.js"> will be filtered, but
<scripters> not.
Furthermore the '<x>' which is inserted can be modified (extra parameter).
There is one little problem left: some keywords (e.g. style) can be
both a tag and an attribute. But I'm sure I will find a solution soon :-)
The only problems which remain are the situations where potentially
harmful keywords are used in the context where they could be harmful in
"normal" text:
------------
You can call javascript with javascript:alert('XSS'); or by ....
------------
In this text, javascript: (not the first one without the semicolon!) will
be filtered.
Other suggestions for improvements?
--
Jigal van Hemert.
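The following is an added illustration, written for this page and not code from the post above or from TYPO3's t3lib_div::removeXSS(). It sketches, in Python rather than TYPO3's PHP, the boundary rules the post describes: a tag keyword is broken with the marker only when it directly follows '<' or '</' and is terminated by whitespace, '/', '>' or end of input, so `<script/xss src=...>` is caught while `<scripters>` is left alone; 'style' is matched once as a tag and once as an attribute (the case the post calls unsolved; the split rule here is this example's approach, not the author's); and a URL scheme is touched only when a colon follows it, which reproduces the remaining false positive on "javascript:" in running text. The keyword lists, the marker position (after the second character) and the function name remove_xss_demo are assumptions made for the demo.

```python
import re

# Constructed keyword lists for the demo. removeXSS() works from its own,
# longer lists; these are assumptions, not the project's data.
TAG_NAMES = ("script", "iframe", "object", "embed", "style", "applet", "meta", "link")
EVENT_ATTRS = ("onload", "onerror", "onmouseover", "onclick", "style")
PROTOCOLS = ("javascript", "vbscript")


def _break(word: str, marker: str) -> str:
    """Insert the marker after the second character (an assumed position),
    so the keyword no longer parses as one token: script -> sc<x>ript."""
    return word[:2] + marker + word[2:]


def remove_xss_demo(text: str, marker: str = "<x>") -> str:
    """Neutralise tag, attribute and scheme keywords in their own context.
    The marker is a parameter, mirroring the post's configurable '<x>'."""

    # 1. Tag names: only directly after '<' or '</', and only when the name
    #    ends there (whitespace, '/', '>' or end of input). This catches
    #    "<script/xss src=...>" and "<SCRIPT>" but not "<scripters>".
    tag_re = re.compile(
        r"(</?)(" + "|".join(TAG_NAMES) + r")(?=[\s/>]|$)", re.IGNORECASE
    )
    text = tag_re.sub(lambda m: m.group(1) + _break(m.group(2), marker), text)

    # 2. Event-handler and style attributes: only when used as an attribute,
    #    i.e. preceded by whitespace or '/' and followed by '='. This is the
    #    second context for "style"; step 1 already handled the <style> tag.
    attr_re = re.compile(
        r"(?<=[\s/])(" + "|".join(EVENT_ATTRS) + r")(?=\s*=)", re.IGNORECASE
    )
    text = attr_re.sub(lambda m: _break(m.group(1), marker), text)

    # 3. URL schemes: only when a colon follows (whitespace or NUL bytes in
    #    between are tolerated because browsers skip them). The bare word
    #    "javascript" in prose survives; "javascript:alert(...)" in prose
    #    does not, which is exactly the false positive the post describes.
    proto_re = re.compile(
        r"\b(" + "|".join(PROTOCOLS) + r")(?=[\s\x00]*:)", re.IGNORECASE
    )
    text = proto_re.sub(lambda m: _break(m.group(1), marker), text)
    return text


if __name__ == "__main__":
    # The post's own examples, run through the demo filter.
    for sample in (
        '<script/xss src="http://typo3.org/plaap.js">',
        "<scripters>",
        "You can call javascript with javascript:alert('XSS'); or by ....",
        '<div style="x:expression(1)"><style>body{}</style>',
    ):
        print(repr(sample), "->", repr(remove_xss_demo(sample)))
```

The three passes run in order of decreasing specificity (tag, then attribute, then scheme) so that a marker inserted by an earlier pass cannot create a new match for a later one; the attribute pass cannot, for example, see "style" inside "st<x>yle".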