[TYPO3-english] Passing/Assigning/Inserting $GET GPvar to TS Form

Jan Bartels j.bartels at arcor.de
Sat Apr 4 14:03:50 CEST 2015


On 02.04.2015 at 10:23, bernd wilke wrote:
> On 02.04.15 at 01:07, Scotty C wrote:
>> I know that if I have
>> PHP: $GET['test'] = "hello"
>> ...and
>> page.10 = TEXT
>> page.10.data = GP : temp_name
>> ... then output will be "hello"
>
> 30.value.data = GP:test
> or
> 30.value.cObject = TEXT
> 30.value.cObject.data = GP:test
> or
> 30.value = {GP:test}
> 30.value.insertData = 1

All of these solutions will produce XSS-security problems because an 
insecure user-input as the URL-parameter 'test' is directly used in the 
output. Use something like removeBadHTML on stdWrap.

http://docs.typo3.org/typo3cms/TyposcriptReference/singlehtml/

Jan
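
The following is an added example, not code from the thread: the `page.10` TEXT object from the question, first as posted and then with stdWrap properties applied to the GET/POST value before it is output. The `count` parameter is hypothetical, and the object numbers 20 to 40 are chosen only for illustration.

```typoscript
# As posted: the raw value of the URL parameter 'test' is written
# into the page unchanged, so any markup it contains is rendered.
page.10 = TEXT
page.10.data = GP:test

# Output encoding: stdWrap.htmlSpecialChars passes the value through
# PHP's htmlspecialchars(), so characters such as < > & " are emitted
# as entities and the parameter is displayed as plain text.
page.20 = TEXT
page.20 {
  data = GP:test
  htmlSpecialChars = 1
}

# The stdWrap property named in the reply above: removeBadHTML filters
# markup it recognises as dangerous instead of encoding the whole value.
page.30 = TEXT
page.30 {
  data = GP:test
  removeBadHTML = 1
}

# When the parameter is only ever a number (hypothetical 'count'),
# stdWrap.intval casts it to an integer, so no markup can survive.
page.40 = TEXT
page.40 {
  data = GP:count
  intval = 1
}
```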



