[TYPO3-dev] Any security risk in creating links to files using path, provided by user?

Victor Livakovsky v-tyok at mail.ru
Sat Dec 4 09:28:49 CET 2010


Hi, Steffen

> > $output .= '<a target="_blank" href="http://' . $this->domain . '/' .
> > $this->correctPath($this->tsconfig['properties']['file.']['uploadPath'])
> > . $value . '">' . $value . '</a>';
>
> Try this to find the weakness of your code:
> $value = '<script>alert("XSS");</script>';
> $value = '"><script>alert("XSS");</script><a href="foo';
> http://en.wikipedia.org/wiki/Cross-site_scripting

Thank you for pointing that out!
My question was about $this->tsconfig['properties']['file.']['uploadPath'], 
but thanks to you I found a weak place in the code.

Regards. 
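
The weakness pointed out in the quoted reply, as an added example that is not part of the original message or of the poster's extension: the same concatenation beside one possible escaped form, run over the two test values from the reply. The function names, the domain and the upload path are assumptions made up for illustration.

```php
<?php
// Added example, not code from the original thread. linkVulnerable() mirrors
// the quoted concatenation; linkEscaped() is one possible fix. Function names,
// the domain and the upload path are constructed for illustration.

function linkVulnerable(string $domain, string $uploadPath, string $value): string
{
    return '<a target="_blank" href="http://' . $domain . '/' . $uploadPath
        . $value . '">' . $value . '</a>';
}

function linkEscaped(string $domain, string $uploadPath, string $value): string
{
    // URL context: percent-encode each path segment so quotes, angle brackets
    // and spaces cannot leave the path component of the URL.
    $segments = array_map('rawurlencode', explode('/', $uploadPath . $value));
    $url = 'http://' . $domain . '/' . implode('/', $segments);

    // HTML context: escape both the attribute value and the link text.
    return '<a target="_blank" href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '">' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</a>';
}

$domain = 'example.org';          // constructed sample value
$uploadPath = 'uploads/tx_demo/'; // constructed sample value
$values = [
    'report.pdf',                                    // ordinary file name
    '<script>alert("XSS");</script>',                // test value from the reply
    '"><script>alert("XSS");</script><a href="foo',  // test value from the reply
];

foreach ($values as $value) {
    echo "input:      $value\n";
    echo "vulnerable: " . linkVulnerable($domain, $uploadPath, $value) . "\n";
    echo "escaped:    " . linkEscaped($domain, $uploadPath, $value) . "\n\n";
}
```

In the escaped output the two test values stay inside the href attribute and the link text as inert characters, while the ordinary file name produces the same link as before.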




