[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Reinhard Führicht rf at typoheads.at
Mon Jul 5 16:17:10 CEST 2010


Am 2010-07-05 15:32, schrieb Georg Ringer:
> Am 05.07.2010 15:24, schrieb Jigal van Hemert:
>>> The patch also adds a new script for XSS filtering because RemoveXSS
>>> is not really reliable in my view.
>>
>> Can you specify in which areas the RemoveXSS version which is
>> included in the core is not really reliable? It already filters a lot of
>> clever XSS attacks. Suggestions to improve it are always welcome!
>
> If you have found examples that the RemoveXSS from core is not secure
> (enough), please don't reveal your findings here but send a mail to
> security at typo3.org or contact me in private. Please not here.
>
> Georg

I used RemoveXSS for my extension Formhandler. The problem is not that
it is insecure, but the problem is (at least it was about half a year
ago) that RemoveXSS did the following:

- A user entered an email like user@basel.ch into a form field.
- RemoveXSS filtered it to something like: user@<basex>l.ch

So it's not a matter of insecurity, but a matter of filtering too much.
That's why I used another script for the filtering.

As I said, this was some time ago. I just tested it again, and it seems
to work fine now, so there is no need to worry.

Reinhard
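An added illustration of the false-positive problem Reinhard describes (constructed example code in Python, not TYPO3 or RemoveXSS code, and not a copy of the RemoveXSS algorithm): a keyword-based filter that breaks up risky tag names wherever they appear mangles "user@basel.ch" because "basel" contains "base", while a variant that only touches a name in tag position leaves the address alone. The tag list and the "<x>" marker are assumptions chosen for the demonstration; `render_for_html` shows the usual defensive alternative of storing input unchanged and escaping at output time.

```python
import html
import re

# Constructed tag list for the demonstration (an assumption, not the real filter's list).
RISKY_TAG_NAMES = ["script", "iframe", "base", "object", "embed"]


def _break_name(name: str) -> str:
    # Insert a harmless marker after the first two characters so a browser
    # no longer recognises the tag name, e.g. "base" -> "ba<x>se".
    return name[:2] + "<x>" + name[2:]


def naive_filter(value: str) -> str:
    """Mangles every occurrence of a risky name, even inside ordinary words.

    This reproduces the over-filtering described in the thread:
    "user@basel.ch" comes out as "user@ba<x>sel.ch" and is no longer a
    usable address.
    """
    for name in RISKY_TAG_NAMES:
        value = re.sub(re.escape(name), lambda m: _break_name(m.group(0)),
                       value, flags=re.IGNORECASE)
    return value


# A risky name only matters when it starts a tag: "<base ...", "</script>".
_TAG_START = re.compile(
    r"(<\s*/?\s*)(" + "|".join(RISKY_TAG_NAMES) + r")(?=[\s>/])",
    re.IGNORECASE,
)


def tag_aware_filter(value: str) -> str:
    """Mangles a risky name only when it is in tag position, so plain text
    such as an email address containing "base" is left untouched."""
    return _TAG_START.sub(lambda m: m.group(1) + _break_name(m.group(2)), value)


def render_for_html(stored_value: str) -> str:
    """Defensive alternative to input mangling: keep the submitted value as
    is and HTML-escape it when it is written into a page, so the data is
    never corrupted and markup cannot take effect."""
    return html.escape(stored_value, quote=True)
```

The tag-aware variant is still a blacklist and only illustrates why context matters; escaping at output time is the approach that avoids both false positives and missed cases.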