[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax
Aske Ertmann
aske at moc.net
Tue Jul 1 12:34:48 CEST 2014
Hey Helmut
Good catch, I would expect the same too and so it does seem like an XSS vulnerability in a sense.
/Aske
On 01 Jul 2014, at 12:19, Helmut Hummel <helmut.hummel at typo3.org> wrote:
> Hey!
>
> I recently stumbled over this:
>
> {f:uri.action(action: 'list', arguments: {a:'b'})}
> <f:uri.action action="list" arguments="{a:'b'}" />
>
> both produce the same result where & is not html escaped.
>
> While I would understand this to be the case for the regular syntax, I would expect that Fluid calls the escaping interceptor when using the shorthand syntax.
>
> Currently it is necessary to always wrap the uri vh with a format.htmlentities vh which is kind of ugly ;)
>
> Am I missing something here?
>
> Kind regards,
> Helmut
>
> --
> Helmut Hummel
> Release Manager TYPO3 6.0
> TYPO3 Core Developer, TYPO3 Security Team Member
>
> TYPO3 .... inspiring people to share!
> Get involved: typo3.org
> _______________________________________________
> Flow mailing list
> Flow at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
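A minimal model of the behaviour Helmut expects from the escaping interceptor, added here as an example; it is not code from the thread or from Fluid itself, and the function names and the `/some/controller/` path are assumptions.

```php
<?php
// Added example, not from the thread or the Fluid code base: a small model of what
// an escaping interceptor should do with the output of {f:uri.action(...)}.
// buildActionUri(), escapeInterceptor() and hasUnescapedAmpersandInAttribute()
// are hypothetical names; the controller path is a placeholder.

declare(strict_types=1);

// Build the kind of URI f:uri.action produces: a path plus query arguments.
function buildActionUri(string $action, array $arguments): string
{
    // http_build_query joins pairs with a raw '&', which is valid in a URL
    // but must become '&amp;' once the URI is placed inside HTML.
    return '/some/controller/' . $action . '?' . http_build_query($arguments);
}

// Model of the escaping interceptor: escape whatever a ViewHelper emits
// unless the ViewHelper explicitly marked its output as safe HTML.
function escapeInterceptor(string $output, bool $markedSafe = false): string
{
    if ($markedSafe) {
        return $output;
    }
    return htmlspecialchars($output, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Check to run over rendered markup: a bare '&' that is not the start of an
// entity inside an attribute value means the escaping step was skipped.
function hasUnescapedAmpersandInAttribute(string $html): bool
{
    $pattern = '/="[^"]*&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)[^"]*"/';
    return (bool) preg_match($pattern, $html);
}

$uri = buildActionUri('list', ['a' => 'b', 'page' => 2]);

// What the shorthand syntax currently yields: the URI dropped in unescaped.
$rawMarkup = '<a href="' . $uri . '">list</a>';

// What rendering through the interceptor should yield instead.
$escapedMarkup = '<a href="' . escapeInterceptor($uri) . '">list</a>';

var_dump(hasUnescapedAmpersandInAttribute($rawMarkup));
var_dump(hasUnescapedAmpersandInAttribute($escapedMarkup));
```

The check reports the raw markup and clears the escaped one, which is the same difference wrapping the ViewHelper in f:format.htmlentities produces by hand today.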