[TYPO3-mvc] Is Extbase handling XSS automatically
Georg Ringer
typo3 at ringerge.org
Sat Oct 13 10:04:00 CEST 2012
Hi Matthias,
as always: it depends on the context. If you are doing regular HTML
output, everything is handled fine within the core. Of course you can
change that quite easily in custom VH and so on.
Additionally, if you are writing JS, you need to escape differently than in
HTML; just be aware of that.
Regarding SQL injections: there are some things you need to take care of yourself:
- if you use ORDER BY and the ordering fields come from the outside, you
need to check them yourself
- if you use custom queries, of course you need to use quoteStr()
yourself too.
Georg
Member of the TYPO3 Security Team
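The three points above (HTML output escaping, a different escaping for the JS context, and ORDER BY / custom-query handling) in one runnable snippet. This is an added example and is not code from the mailing-list post, from Extbase or from the TYPO3 core: it uses plain PHP functions (htmlspecialchars, json_encode, PDO on an in-memory SQLite database) in place of Fluid's output escaping and TYPO3's database layer, and the table name tx_demo_domain_model_item and all inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the post or the TYPO3 core. Shows the three
// contexts Georg lists with framework-free PHP so it runs stand-alone.
declare(strict_types=1);

/** HTML body/attribute context: the kind of escaping Fluid applies by default. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * JavaScript context: HTML escaping alone is not enough inside <script>.
 * The JSON_HEX_* flags encode < > & ' " as \uXXXX, so the value can neither
 * close the <script> element nor break out of the string literal.
 */
function escapeForJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * ORDER BY: identifiers cannot be bound as statement parameters, so a field
 * name coming from the request must be checked against a whitelist.
 */
function safeOrderBy(string $field, string $direction, array $allowedFields): string
{
    if (!in_array($field, $allowedFields, true)) {
        throw new InvalidArgumentException('Unknown sort field: ' . $field);
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    return '`' . $field . '` ' . $direction;
}

// Constructed attacker-controlled input (not real data).
$userInput = '</script><script>alert(1)</script>';
$sortField = 'title; DROP TABLE tx_demo_domain_model_item';

// 1) HTML context
echo '<p>' . escapeHtml($userInput) . "</p>\n";

// 2) JavaScript context: hand the value to the page as a JSON literal
echo '<script>var title = ' . escapeForJs($userInput) . ";</script>\n";

// 3) ORDER BY with a field name from the outside
try {
    echo safeOrderBy($sortField, 'desc', ['title', 'crdate']) . "\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}

// 4) Custom query with a value from the outside: bind it, never concatenate.
// In TYPO3 4.x the manual equivalent is $GLOBALS['TYPO3_DB']->fullQuoteStr()
// (quoteStr() escapes without adding the quotes). PDO + SQLite is used here
// only so the example runs outside TYPO3; the table is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE tx_demo_domain_model_item (uid INTEGER PRIMARY KEY, title TEXT, crdate INTEGER)');
$pdo->exec("INSERT INTO tx_demo_domain_model_item (title, crdate) VALUES ('Alpha', 1), ('Beta', 2)");

$stmt = $pdo->prepare(
    'SELECT title FROM tx_demo_domain_model_item WHERE title = :title ORDER BY '
    . safeOrderBy('crdate', 'asc', ['title', 'crdate'])
);
$stmt->execute([':title' => "Alpha' OR '1'='1"]);
// The quote is data, not SQL, so nothing matches.
echo 'Rows matched: ' . count($stmt->fetchAll()) . "\n";
```

The point of step 2 is the one the post makes about JS: a value that is safe after HTML escaping can still terminate a `<script>` block or a string literal, so the JS context needs its own encoder; here json_encode with the JSON_HEX_* flags plays that role.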
More information about the TYPO3-project-typo3v4mvc mailing list