[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax

Zedd zedd at akii.de
Tue Jul 1 12:36:39 CEST 2014


Same happens with any object that implements the __toString() method.

Greeting
Philipp Maier

On Jul 1, 2014, at 12:34 PM, Aske Ertmann <aske at moc.net> wrote:

> Hey Helmut
> 
> Good catch, I would expect the same too and so it does seem like an XSS vulnerability in a sense.
> 
> /Aske
> 
> On 01 Jul 2014, at 12:19, Helmut Hummel <helmut.hummel at typo3.org> wrote:
> 
>> Hey!
>> 
>> I recently stumbled over this:
>> 
>> {f:uri.action(action: 'list', arguments: {a:'b'})}
>> <f:uri.action action="list" arguments ="{a:'b'}" />
>> 
>> both produce the same result where & is not HTML escaped.
>> 
>> While I would understand this to be the case for the regular syntax, I would expect that Fluid calls the escaping interceptor when using the shorthand syntax.
>> 
>> Currently it is necessary to always wrap the uri vh with a format.htmlentities vh which is kind of ugly ;)
>> 
>> Am I missing something here?
>> 
>> Kind regards,
>> Helmut
>> 
>> -- 
>> Helmut Hummel
>> Release Manager TYPO3 6.0
>> TYPO3 Core Developer, TYPO3 Security Team Member
>> 
>> TYPO3 .... inspiring people to share!
>> Get involved: typo3.org
>> _______________________________________________
>> Flow mailing list
>> Flow at lists.typo3.org
>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow
> 
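A small PHP sketch of the escaping behaviour the thread expects from the shorthand syntax, added here as an illustration and not Fluid's own code: the build_uri helper, the UriValue class and escape_shorthand_output are constructed stand-ins for f:uri.action, a __toString() object and the escaping interceptor, not Fluid APIs.

```php
<?php
// Added example, not Fluid code: models an escaping interceptor applied to
// the output of shorthand {f:...} expressions, covering plain strings and
// objects that implement __toString().

/** Constructed stand-in for f:uri.action output; the query string contains '&'. */
function build_uri(string $action, array $arguments): string
{
    return '/index.php?' . http_build_query(['action' => $action] + $arguments);
}

/** Constructed stand-in for any value object that implements __toString(). */
final class UriValue
{
    public function __construct(private string $uri) {}

    public function __toString(): string
    {
        return $this->uri;
    }
}

/**
 * Escaping interceptor: whatever a shorthand expression produces is cast to a
 * string and HTML-escaped before it reaches the template output, so '&' inside
 * an attribute value becomes '&amp;'. Objects are handled through __toString(),
 * so they are escaped the same way as plain strings.
 */
function escape_shorthand_output(mixed $value): string
{
    if (is_object($value) && !method_exists($value, '__toString')) {
        throw new InvalidArgumentException('Value cannot be rendered as a string');
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Unescaped: what both syntaxes currently emit according to the thread.
$raw = build_uri('list', ['a' => 'b', 'c' => 'd']);
echo '<a href="' . $raw . '">raw</a>' . PHP_EOL;

// Escaped: what the shorthand syntax should emit once the interceptor runs.
echo '<a href="' . escape_shorthand_output($raw) . '">escaped</a>' . PHP_EOL;

// The same interceptor applied to a __toString() object gives the same result.
echo '<a href="' . escape_shorthand_output(new UriValue($raw)) . '">object</a>' . PHP_EOL;
```

Comparing the first and second lines of output shows the difference that makes the shorthand case an attribute-context escaping issue rather than a cosmetic one.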
