[Neos] FYI: Summary of todays "Technical Meeting"

Bastian Waidelich bastian at typo3.org
Tue Jul 22 17:06:23 CEST 2014

Hello list,

here's the summary of todays quick technical meeting (see 

Participants: Karsten Dambekalns, Jacob Floyd, Helmut Hummel, Marc 
Neuhaus, Christian Müller, Bastian Waidelich

== Possible Fluid security improvements ==

* Initiator(s): Helmut Hummel

=== Background: ===

The default escaping interceptor has limitations deserves some 
additional observation.
See discussion: http://forum.typo3.org/index.php/t/204660/
Related changes: https://review.typo3.org/31312 

Regarding context aware escaping see: 

Nette Framework has implemented that: 

=== Possible discussions: ===

* Besides probably being complex to implement, is context aware escaping 
really not desired?
* What options besides determine context do we have to make writing 
Fluid templates less error prone?


We agreed that "context aware escaping" is an interesting topic but not 
a viable solution for the short-term because of the way the Fluid parser 

We identified two major issues with the escaping behavior:

1) The behavior is not properly documented (escaping interceptors, best 
practices, security advisories, ...)
2) The provided (format) ViewHelpers don't behave consistently

We agreed that these issues need to be addressed and we also came up 
with the suggestion to enable escaping interceptors *by default* - This 
is currently only the case if the requested format is HTML.
To make it easier to adapt (non-HTML) templates to the previous behavior 
we'd need a new modifier that allows for disabling the escape 
interceptors globally for a template file.
See https://jira.typo3.org/browse/FLOW-26 for details

Bastian Waidelich

More information about the Neos mailing list