[TYPO3-english] Passing/Assigning/Inserting $GET GPvar to TS Form

Scotty C superscotty19 at yahoo.com
Tue Apr 7 04:02:12 CEST 2015


Hi Jan,
OK, here's my modified code:
page.10 = FORM
page.10 {
  data.cObject = COA
  data.cObject {
    # GOAL: output "Test value: | test_value=label | <_GET['test']>"
    # First we generate the static part of the string.
    10 = TEXT
    10.value = Test Value: | test_value=label |
    # Then we collect the data from DB
    20 = TEXT
    20.data = GP : test
    20.removeBadHTML = 1
  }
  dataArray {
    10.label = Name:
    10.type = name=input
    20.label = Nachricht:
    20.type = nachricht=textarea,40,10
    100.type = submit=submit
    100.value = Submit!
  } # end dataArray
  recipient = test at test.com
  layout = <div class="some-class">###LABEL### ###FIELD###</div>
}

Thanks!
-S.
 
      From: Jan Bartels <j.bartels at arcor.de>
 To: typo3-english at lists.typo3.org 
 Sent: Saturday, April 4, 2015 6:03 AM
 Subject: Re: [TYPO3-english] Passing/Assigning/Inserting $GET GPvar to TS Form
   
On 02.04.2015 at 10:23, bernd wilke wrote:
> On 02.04.15 at 01:07, Scotty C wrote:
>> I know that if I have
>> PHP: $GET['test'] = "hello"
>> ...and
>> page.10 = TEXT
>> page.10.data = GP : temp_name
>> ... then output will be "hello"
>
> 30.value.data = GP:test
> or
> 30.value.cObject = TEXT
> 30.value.cObject.data = GP:test
> or
> 30.value = {GP:test}
> 30.value.insertData = 1

All of these solutions will produce XSS-security problems because an 
insecure user-input as the URL-parameter 'test' is directly used in the 
output. Use something like removeBadHTML on stdWrap.

http://docs.typo3.org/typo3cms/TyposcriptReference/singlehtml/

Jan
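
The escaping point raised in the thread, shown on standalone TEXT objects as an added example that is not code from any of the posters: it relies on stdWrap's htmlSpecialChars property and on stdWrap applying insertData after htmlSpecialChars. The positions page.20 to page.50 are hypothetical, and the objects sit outside the FORM, so how FORM itself treats field values is not covered.

```typoscript
# Added example, not from the thread; page.20 ... page.50 are hypothetical.

# Unescaped: the raw value of the URL parameter "test" is written to the page.
page.20 = TEXT
page.20.data = GP:test

# Escaped: "data" is fetched first, htmlSpecialChars is applied afterwards,
# so < > & and " from the parameter are emitted as HTML entities.
page.30 = TEXT
page.30 {
  data = GP:test
  htmlSpecialChars = 1
}

# Pitfall with the {GP:test} variant: stdWrap processes insertData after
# htmlSpecialChars, so the static string is escaped and the parameter is
# then inserted unescaped.
page.40 = TEXT
page.40 {
  value = Test value: {GP:test}
  insertData = 1
  htmlSpecialChars = 1
}

# Same output as intended above, but with the static and the user-supplied
# parts split into separate objects, as in the COA posted in this thread.
# Only the user-supplied part is escaped.
page.50 = COA
page.50 {
  10 = TEXT
  10.value = Test value:
  10.noTrimWrap = || |

  20 = TEXT
  20.data = GP:test
  20.htmlSpecialChars = 1
}
```

Requesting the page with a parameter value such as `<b>x</b>` and viewing the HTML source shows which objects emit `&lt;b&gt;` and which emit the tag itself.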



