[Typo3-dev] Security Problem - HTML
Christoph Moeller
chris at byters.de
Tue Sep 23 15:54:50 CEST 2003
Dominic Brander wrote:
> Let's start the security-discussion in this list.
hmm, just had a quick look into typo3/t3lib/class.t3lib_parsehtml.php,
around line 466. There's the function HTMLcleaner which could (? i.e. if
someone still understands this code monster *g*) be extended to parse
for suspicious cookie stuff in the content's HTML.
I think it's not really possible to distinguish between malicious and
good JS cookie code inserted as HTML CE. For example there always could
be a white-hat use for manually inserted document.cookie's if someone
knows what he's doing.
Just an idea: warning messages to the admin telling about JS-cookie
usage in HTML content elements? Not really convenient - I know - but
anyone a better idea? This is a browser/general cookie problem...
Chris
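
A sketch of the admin-warning idea raised in the message above, as an added example that is not part of the original post and is not TYPO3 code. It is written in Python rather than TYPO3's PHP so it runs stand-alone; CookieUseFinder, cookie_warnings and the sample content elements are hypothetical names and constructed data. It reports document.cookie references in script blocks, event-handler attributes and javascript: URLs, and only warns, since legitimate and malicious uses look the same.

```python
import re
from html.parser import HTMLParser

# Matches document.cookie, document['cookie'] and document["cookie"].
COOKIE_RE = re.compile(r"document\s*(?:\.\s*cookie\b|\[\s*['\"]cookie['\"]\s*\])")

class CookieUseFinder(HTMLParser):
    """Collects (line, location) pairs where markup touches document.cookie."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if not value:
                continue
            is_handler = name.startswith("on")  # onclick, onload, ...
            is_js_url = value.strip().lower().startswith("javascript:")
            if (is_handler or is_js_url) and COOKIE_RE.search(value):
                self.findings.append((line, f"<{tag} {name}=...>"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and COOKIE_RE.search(data):
            self.findings.append((self.getpos()[0], "<script> block"))

def cookie_warnings(element_id, html):
    """Return admin-facing warning strings for one HTML content element."""
    finder = CookieUseFinder()
    finder.feed(html)
    finder.close()
    return [f"content element {element_id}, line {line}: {where} uses document.cookie"
            for line, where in finder.findings]

# Constructed sample content elements (hypothetical, not from any real site).
SAMPLES = {
    1: "<p>Hello</p>\n<script>var c = document.cookie;</script>",
    2: "<a href=\"#\" onclick=\"document.cookie='lang=en'\">English</a>",
    3: "<p>This article explains what document.cookie is.</p>",
}
```

Only literal references are matched, so the output is a review aid for the admin rather than a filter; sample 3 shows that plain text mentioning document.cookie is not reported.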