[TYPO3-mvc] RFC #8718: throw exception if a class to be reflected does not exist

Helmut Hummel helmut at typo3.org
Thu Jul 8 21:06:56 CEST 2010


Hi Felix,

while your suggestion sounds very reasonable, I ask myself a different
question.

On 07.07.10 00:57, Felix Oertel wrote:
>  throw new Tx_Extbase_Reflection_Exception_UnknownClass('The classname "' . $className . '" was not found and thus can not be reflected.', 1278450972);

Where could $className come from, and what does the current
exception handling do with such a message?

Can we be sure that no XSS is possible, e.g. by providing some fancy
$className through a GET parameter and having an exception handler,
which is not escaping the messages?

If this is no issue at all; great.

Regards Helmut (who already saw such vulnerabilities in web applications)
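
The concern raised in this message, shown as an added example that is not part of the original post and is not Extbase code: a class name is validated before it is placed in the exception message, and the handler escapes every message it renders. The names `UnknownClassException`, `reflectClass` and `renderException` and the code `1` are hypothetical, and the example assumes PHP 7 or later.

```php
<?php
// Added illustration; class, function and handler names are hypothetical.
class UnknownClassException extends RuntimeException {}

// Reflect a class whose name may originate from request data.
function reflectClass(string $className): ReflectionClass
{
    // A class name consists of identifier characters and backslashes only;
    // anything else is rejected without being echoed into the message.
    if (!preg_match('/^[A-Za-z_\\\\][A-Za-z0-9_\\\\]*$/', $className)) {
        throw new UnknownClassException('Invalid class name.', 1);
    }
    if (!class_exists($className)) {
        throw new UnknownClassException(
            'The classname "' . $className . '" was not found and thus can not be reflected.',
            1278450972
        );
    }
    return new ReflectionClass($className);
}

// Handler that treats every exception message as untrusted text.
function renderException(Throwable $e): string
{
    $message = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $message . ' (code ' . (int) $e->getCode() . ')</p>';
}

// Constructed inputs standing in for a GET parameter.
foreach (['Tx_Missing_Class', 'Foo"><b>x</b>'] as $untrusted) {
    try {
        reflectClass($untrusted);
    } catch (UnknownClassException $e) {
        echo renderException($e), PHP_EOL;
    }
}

// Defence in depth: a message built elsewhere without validation is
// still rendered as text, not markup.
$raw = new UnknownClassException('The classname "Foo"><b>x</b>" was not found.', 1278450972);
echo renderException($raw), PHP_EOL;
```

Escaping in the handler is the part that matters most, since it also covers exception messages built by code that did not validate its input.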

