[TYPO3-v4] Re: [TYPO3-core] FYI: #17162: Missing localization in t3lib_tsstyleconfig
Helmut Hummel
helmut.hummel at typo3.org
Thu Jan 20 17:51:48 CET 2011
Hi,
let's move this discussion to typo3.projects.v4
On 20.01.2011 13:54, Steffen Kamper wrote:
>>
>> Please add htmlspecialchars around $extKey, just in case...
>
> don't think that is needed. The extkey also is the name of the extension
> directory, any invalid strings can't exist there.
> $extKey is not HSCed at other places, if you find a possible evil please
> let me know.
It's not really about security in this case, but about best practice.
If you output data into a HTML context which is not completely under
your control, encode it for that context (htmlspecialchars in that
case). If you do it every time, XSS exploitability fades away.
The same goes for the label, btw. It could contain a "&" in some language,
e.g. "Fire & Forget" ;)
So adding TRUE as second parameter for the sL() call would be good.
(I would also tend to set this as default, but this is another topic.)
And "Helmuts&Steffens-Extension" isn't a valid extkey but still a valid
directory name.
Another benefit is that, if you look at this part of the code, you
immediately see that it is sane, without searching whether some validation
or filtering is done on these strings before.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org
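The point made in the mail (encode at the point of output, regardless of whether the value is believed to be safe), as an added example that is not TYPO3 core code and not code from the thread. The `sL()` below is a constructed stand-in for the TYPO3 language object's `sL($input, $hsc)` with a hard-coded label table; the row renderers and the label key are assumptions for illustration.

```php
<?php
// Added example, not code from the TYPO3 core or from the thread.

// Constructed stand-in for $GLOBALS['LANG']->sL(): looks up a label and,
// when $hsc is TRUE, encodes it for an HTML context (the TRUE suggested above).
function sL(string $key, bool $hsc = false): string
{
    // Constructed label table; 'Fire & Forget' is the example from the mail.
    $labels = ['LLL:EXT:demo/locallang.xml:title' => 'Fire & Forget'];
    $label = $labels[$key] ?? $key;
    return $hsc ? htmlspecialchars($label, ENT_QUOTES, 'UTF-8') : $label;
}

// Unencoded variant: $extKey and the label are dropped into the HTML as-is,
// so a '&' or a '<' in either value ends up raw in the markup.
function renderRowUnencoded(string $extKey, string $labelKey): string
{
    return '<tr><td>' . $extKey . '</td><td>' . sL($labelKey) . '</td></tr>';
}

// Encoded variant: every value is encoded for the HTML context where it is
// output, whether or not some earlier validation is assumed to have run.
function renderRowEncoded(string $extKey, string $labelKey): string
{
    return '<tr><td>' . htmlspecialchars($extKey, ENT_QUOTES, 'UTF-8') . '</td><td>'
        . sL($labelKey, true) . '</td></tr>';
}

// 'Helmuts&Steffens-Extension' is not a valid extension key, but it is a
// valid directory name, which is exactly the case raised in the mail.
$extKey   = 'Helmuts&Steffens-Extension';
$labelKey = 'LLL:EXT:demo/locallang.xml:title';

echo renderRowUnencoded($extKey, $labelKey), PHP_EOL;
echo renderRowEncoded($extKey, $labelKey), PHP_EOL;
```

Running it prints the same row twice; only the second one has `&` turned into `&amp;` in both the key and the label, so the markup stays well-formed no matter what the directory or the translation contains.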