[TYPO3-mvc] RFC #8718: throw exception if a class to be reflected does not exist
Helmut Hummel
helmut at typo3.org
Thu Jul 8 21:06:56 CEST 2010
Hi Felix,
while your suggestion sounds very reasonable, I ask myself a different
question.
On 07.07.10 00:57, Felix Oertel wrote:
> throw new Tx_Extbase_Reflection_Exception_UnknownClass('The classname "' . $className . '" was not found and thus can not be reflected.', 1278450972);
Where could $className come from, and what does the current
exception handling do with such a message?
Can we be sure that no XSS is possible, e.g. by providing some fancy
$className through a GET parameter and having an exception handler
which is not escaping the messages?
If this is no issue at all, great.
Regards Helmut (who already saw such vulnerabilities in web applications)
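
The concern raised in this message, as an added example that is not part of the original post and is not Extbase code: an exception message that embeds a caller-supplied class name, rendered once without and once with output escaping. The names UnknownClassException, reflectClass, renderErrorUnescaped and renderErrorEscaped are hypothetical, and the input value is constructed.

```php
<?php
// Added illustration; all names below are hypothetical stand-ins, not Extbase classes.

class UnknownClassException extends RuntimeException {}

/** Stand-in for the reflection call: refuses names that are not loadable classes. */
function reflectClass(string $className): ReflectionClass
{
    if (!class_exists($className)) {
        // Same message shape and code as the line quoted in the mail:
        // the raw class name becomes part of the exception message.
        throw new UnknownClassException(
            'The classname "' . $className . '" was not found and thus can not be reflected.',
            1278450972
        );
    }
    return new ReflectionClass($className);
}

/** Handler that trusts the message: any markup in it reaches the browser as markup. */
function renderErrorUnescaped(Throwable $e): string
{
    return '<p class="error">' . $e->getMessage() . '</p>';
}

/** Handler that encodes at the output boundary, whatever the message contains. */
function renderErrorEscaped(Throwable $e): string
{
    return '<p class="error">'
        . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Constructed sample: a class name as it might arrive from a request parameter.
$requested = 'Tx_Demo_<em>NotAClass</em>';

try {
    reflectClass($requested);
} catch (UnknownClassException $e) {
    echo renderErrorUnescaped($e), PHP_EOL; // <em> from the input is interpreted as HTML
    echo renderErrorEscaped($e), PHP_EOL;   // <em> is shown as inert text (&lt;em&gt;)
}
```

Escaping in the handler covers every exception message, not only this one, so it does not depend on each throw site sanitising its own input.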