[TYPO3-core] RFC: Add external RemoveXSS library to TYPO3

Patrick Broens patrick at patrickbroens.nl
Wed Sep 26 09:26:45 CEST 2007


Michael Stucki wrote:
> Hi Masi,
> 
>>> So who knows the answer?
>> Well, the author's homepage for this little script is here:
>>
>> http://quickwired.com/smallprojects/php_xss_filter_function.php
>>
>> Why don't we ask him? Maybe the sec. team has already (note: "with
>> permission of the author").
> 
> We got that permission already. Lars Houmark has forwarded me a mail from the 
> author where he explicitly allows TYPO3 to "use and modify it however we 
> want". To me this sounds like no problem at all, however I'm still not sure 
> about any GPL weirdness, so I just wanted to be sure...
> 
> Have a look at the chart on this page which also covers information about 
> GPLv2 (which is the license of TYPO3 4.1): http://gplv3.fsf.org/dd3-faq
> 
> To me this looks exactly like it's a problem to include such code in a GPL (no 
> matter if v2 or v3) project, even if the author has approved it so clearly.
> 
> Since this looks so weird to me, the next question for me is:
> Why should we care?
If this has no license, the final effect is that of a proprietary 
license. Every program that is not accompanied by a copyright license is 
subject to the Berne international copyright convention, and can not be 
distributed or modified without the explicit consent of the copyright 
holders.  This means that the program is not free without a free 
copyright license, even when the source is available, with or without 
charge.

So yes, there is a problem including this code in a GPL project.

I wonder if the author knows about licenses. Perhaps he is willing to 
distribute the code with a license. That could be in our favour, but 
maybe also in his.

Patrick
> 
>> But as the code doesn't seem to be "versioned" we can simply inline the
>> code into t3lib_div directly. And - of course - we must use the code. Eg we
>> could change the constructor of pi_base to use it or add a method that
>> checks the piVars, etc. Maybe we can protect the BE as well.
> 
> Including the script in a separate file is one thing, including it into 
> class.t3lib_div.php is another one where we actually are changing the license 
> from <nothing> to GPL. So the first option seems to be much easier to me and 
> is also better to adapt in case there will still be a change in the function 
> one day...
> 
> - michael
