[TYPO3-mvc] viewhelpers: stripHTML & removeXSS - what should be tested?

Helmut Hummel typo3 at jhpc.de
Fri May 22 09:45:35 CEST 2009


Hi Sebastian,

On 22.05.2009 at 9:20, Sebastian Kurfürst wrote:
>> When thinking about this, I now wonder if stripHTML and removeXSS
>> should be implemented as view helpers at all.
>>
>> Probably this belongs to the property validation framework, doesn't it?
> The property validation framework is used when data is submitted from
> the View to the Controller (HTTP Requests). However, we still need a
> standard way to prevent XSS attacks in the view for all the data
> presented to the user. Thus, I think these ViewHelpers make sense.

Well OK. I did not look at the whole validation stuff yet, but
nevertheless I think that the person who writes the templates should
not cope with removeXSS; data should be escaped beforehand.
Of course stripHTML would make sense, since it would be useful to
output the same data with or without HTML tags, depending on the use case.

Kind regards
Helmut

