[TYPO3-english] label_userFunc HTML-formatted?

Bernhard Kraft kraftb at kraftb.at
Wed Oct 21 10:31:30 CEST 2009


Steffen Müller wrote:

> Escaping HTML tags is IMHO hardcoded in function getRecordTitlePrep() of
> class.t3lib_befunc.php

That's true. But I just checked "typo3/class.db_list_extra.inc" for the
use of "getRecordTitle", and on every occurrence the third parameter
"$prep" is FALSE, meaning the values won't get htmlspecialchar'ed. At
least that's what I read out of the code.

If you have a look at t3lib/class.t3lib_befunc::getRecordTitle, you'll
see the third parameter is set to "FALSE" by default. At the bottom of
this method the method Steffen mentioned, "getRecordTitlePrep()", only
gets called if "$prep" evaluates to true:

-----------------------------------------------------
if ($prep || $forceResult) {
  if ($prep) {
    $t = t3lib_BEfunc::getRecordTitlePrep($t);
-----------------------------------------------------

And in "typo3/class.db_list_extra.inc" the location where the table
label column is rendered doesn't set the parameter to true either:

typo3/class.db_list_extra.php::renderListRow (line 638)
-----------------------------------------------------
if ($fCol==$titleCol)   {
  $recTitle = t3lib_BEfunc::getRecordTitle($table,$row,FALSE,TRUE);
-----------------------------------------------------

As I understand this, your "htmlspecialchars" occurs at:

typo3/db_list.inc :: linkWrapItems (line 566):
-----------------------------------------------------
$code=htmlspecialchars(t3lib_div::fixed_lgd_cs($code,t3lib_div::intval_positive($GLOBALS['BE_USER']->uc['titleLen'])?$GLOBALS['BE_USER']->uc['titleLen']:$this->fixedL));
-----------------------------------------------------

You could try to debug this issue. But I guess there is no way to output
HTML tags without changing this last "htmlspecialchars" (I guess
removing it won't be a good idea - if some "bad" editor puts <script>
tags into the title of a record he could accomplish an XSS attack).

Probably you should use one of those "removeBadHTML" methods. See
typo3/sysext/cms/tslib/class.tslib_content :: removeBadHTML.

As you should not use this class/method in the FE it would be a good
idea to just copy it and use it instead of the "htmlspecialchars" at
above mentioned line ;)


greets,
Bernhard
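The trade-off described above, escaping the whole record title versus letting a few harmless inline tags through while everything else stays escaped, as an added PHP example. This is not TYPO3 core code and not the removeBadHTML method mentioned in the mail; the function names renderTitleEscaped and renderTitleAllowList and the sample titles are assumptions constructed for the illustration.

```php
<?php
// Added example, not TYPO3 core code. Shows the two options discussed in
// the thread for a backend record title: full escaping versus an allow-list
// of inline tags. Function names are assumptions for this illustration.

// Fully escaped variant: every tag is rendered as literal text, so a title
// containing <script> can never execute, but <b> is shown literally too.
function renderTitleEscaped(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list variant: escape the whole string first, then restore only a
// fixed set of bare inline tags. Anything not on the list, and any tag that
// carries attributes (event handlers, href, style, ...), remains escaped.
function renderTitleAllowList(string $title, array $allowedTags = ['b', 'i', 'em', 'strong']): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($allowedTags as $tag) {
        $quoted = preg_quote($tag, '#');
        // Matches only "&lt;tag&gt;" and "&lt;/tag&gt;"; "&lt;tag onclick=...&gt;"
        // does not match because the closing "&gt;" must follow the name directly.
        $escaped = preg_replace('#&lt;(/?)(' . $quoted . ')&gt;#i', '<$1$2>', $escaped);
    }
    return $escaped;
}

// Constructed sample titles, as an editor might type them into a record.
$samples = [
    'Plain <b>bold</b> title',
    'Title with <script>alert(1)</script>',
    '<b onclick="alert(1)">attribute on an allowed tag</b>',
];

foreach ($samples as $title) {
    echo "input:      $title\n";
    echo "escaped:    " . renderTitleEscaped($title) . "\n";
    echo "allow-list: " . renderTitleAllowList($title) . "\n\n";
}
```

Escaping first and then selectively un-escaping keeps the default safe: a tag that is not on the list is never emitted as markup, and the regex only restores attribute-free forms, so an event handler on an otherwise allowed tag stays inert text. The simple string approach does not balance tags (an unclosed allowed tag is passed through unclosed), which is a layout issue rather than a script-execution one; a DOM-based sanitizer would be the next step if that matters.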
