[TYPO3-core] RFC: #14911: Validation errors in list view: & > &-amp;

Jigal van Hemert jigal at xs4all.nl
Tue Jun 29 12:06:42 CEST 2010


Georg Ringer wrote:
> Am 29.06.2010 09:55, schrieb Jigal van Hemert:
>> Did a quick search on /&[a-zA-Z]+[-_a-zA-Z0-9]+(?=\[|=)/ in trunk. This
>> gave 1491 matches in 197 files. There are a lot of false positives in
>> the results (inside comments for example), but I estimate that about
>> half of them are query parameters.
> 
> IMO there are far more false positives. Just by looking at
> typo3/db_new.php there are many &something but IMO every one except 2
> are htmlspecialchars-ed.

That's why my next sentence was:
"Each case has to be reviewed to see the context and to decide if it is 
used as HTML output and not already htmlspecialchars-ed later in the code."
:-)

There are situations where the &something is used in a URL which is used 
directly or where the resulting string is htmlspecialchars-ed.

It's hard to find these when validating the output.

OTOH we must leave something for the clean-up team to do ;-)

-- 
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
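As an added illustration (not code from this thread or from TYPO3), a Python sketch of the triage Jigal describes: run the quoted search pattern over a few constructed PHP lines and sort each hit into "comment", "already escaped on this line" or "needs review". The sample lines and the two line-local heuristics are assumptions of the example; as the thread notes, escaping that happens later in the code cannot be seen this way.

```python
import re
from collections import Counter

# The search pattern quoted in the thread.  Note it requires at least two
# characters in the parameter name, so "&L=" is never reported.
QUERY_PARAM_RE = re.compile(r'&[a-zA-Z]+[-_a-zA-Z0-9]+(?=\[|=)')

# Heuristic (assumption of this example): lines that start as a PHP comment.
COMMENT_RE = re.compile(r'^\s*(//|#|\*|/\*)')


def triage(line):
    """Classify one line of PHP source.

    Returns (verdict, params) where verdict is one of
    'no-match', 'comment', 'escaped', 'review'.
    """
    params = QUERY_PARAM_RE.findall(line)
    if not params:
        return 'no-match', params
    if COMMENT_RE.match(line):
        return 'comment', params          # false positive: only in a comment
    if 'htmlspecialchars(' in line:
        return 'escaped', params          # escaped on the same line
    # Anything else needs a human to follow the string to its output point.
    return 'review', params


def summarize(lines):
    """Count verdicts over a list of source lines."""
    return Counter(triage(line)[0] for line in lines)


# Constructed sample lines, not taken from TYPO3 sources.
SAMPLE = [
    '$url = "index.php?id=" . $id . "&type=1&L=0";',
    '// append &cmd=edit to the link',
    'echo htmlspecialchars("db_new.php?id=" . $pid . "&returnUrl=" . $ret);',
    "echo '<a href=\"db_new.php?id=1&amp;returnUrl=x\">';",
    '$onclick = "jumpToUrl(" . $url . "&SET[sortField]=title)";',
    '$count = count($rows);',
]

if __name__ == '__main__':
    for line in SAMPLE:
        verdict, params = triage(line)
        print(f'{verdict:9} {params} {line}')
    print(dict(summarize(SAMPLE)))
```

Already-escaped output such as `&amp;returnUrl=` is not reported at all, because `&amp` is followed by `;` rather than `=` or `[`.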

