[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Franz Holzinger franz at ttproducts.de
Tue Jul 6 19:21:49 CEST 2010


On 06/07/2010 17:04, Dmitry Dulepov wrote:
> Hi!
> 
> Reinhard Führicht wrote:
>> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it
>> to the extension authors or the writers of TypoScript to care about XSS
>> and SQLI.
> 
> I recognize the danger but I think that leaving it up to developers what to
> do with data is a good idea. We'd better educate the developers instead of
> trying to make workarounds. Just an opinion...
> 
>> I would like to hear your opinions about that. Is this a useful feature?
> 
> As I said, I'd rather leave it to developers... But I do not insist. I
> understand that many developers have no clue how dangerous XSS can be.

I think the API could have an additional parameter for doing security
modifications of the input parameters:

t3lib_div::_GET
t3lib_div::_POST
t3lib_div::_GP
t3lib_div::_GPmerged

Then the developers could use this, but are not forced to. And an
additional configuration could be added to always make the checks.


- Franz
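As an added illustration of the proposal above (not code from this thread or from TYPO3 itself), here is what an optional sanitizing mode on top of the t3lib_div accessors could look like: a filter applied recursively to whatever t3lib_div::_GP() returns, opt-in by default. The names sanitizeValue, gpSanitized and the GP_MODE_* constants are assumptions, and the sample array is constructed to stand in for a real request.

```php
<?php
// Added example (hypothetical, not TYPO3 code): an optional sanitizing
// layer over t3lib_div::_GP(). The mode names are illustrative only.
define('GP_MODE_RAW',  0);   // today's behaviour: value passed through untouched
define('GP_MODE_HTML', 1);   // escape for output inside HTML (XSS in templates)
define('GP_MODE_INT',  2);   // force an integer, e.g. for uid/pid parameters

/**
 * Recursively sanitize a scalar or the nested array that _GP() may return.
 * HTML escaping does nothing for SQL: values that end up in a query still
 * need intval() or $GLOBALS['TYPO3_DB']->fullQuoteStr() at the query site.
 */
function sanitizeValue($value, $mode) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = sanitizeValue($item, $mode);
        }
        return $clean;
    }
    switch ($mode) {
        case GP_MODE_INT:
            return intval($value);
        case GP_MODE_HTML:
            return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        default:
            return $value;
    }
}

/**
 * Hypothetical accessor with the extra parameter proposed in the mail:
 * developers who want the checks opt in; the default keeps current behaviour.
 * Needs a TYPO3 context because it calls t3lib_div::_GP().
 */
function gpSanitized($var, $mode = GP_MODE_RAW) {
    return sanitizeValue(t3lib_div::_GP($var), $mode);
}

// Constructed sample standing in for what _GP('tx_myext_pi1') might return.
$sample = array(
    'uid'   => '42abc',
    'title' => 'Hello <b>world</b>',
);
$asInt  = sanitizeValue($sample['uid'], GP_MODE_INT);   // integer 42, suffix dropped
$asHtml = sanitizeValue($sample, GP_MODE_HTML);         // tags escaped, keys preserved
var_dump($asInt, $asHtml['title']);
```

The point of the example is that the filter depends on the context the value is used in (HTML output versus an integer record id), which is why a single global "sanitize everything" switch cannot replace developer judgement at the point of use.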

