[TYPO3-commerce] RFC: #10152: Insufficient input sanitizing in address handling
Michael Knabe
t3 at aafhh.de
Thu Oct 7 15:25:28 CEST 2010
This is an SVN patch request.
Type: Bugfix
Bugtracker references:
http://forge.typo3.org/issues/10152
Branches:
trunk
Problem:
While entering the invoice address in pi3 the form fields are not
correctly sanitized. Entering quotes (") breaks the output form. This is
not a security issue, as the values are passed through
tx_commerce_div::removeXSSStripTagsArray but it looks nasty.
Solution:
Add a call to htmlspecialchars
How to reproduce:
Enter a name, street name, whatever containing a double quote into the
invoice address form. Also enter an invalid e-mail address or leave a
required field empty so you see the form again.
Notes:
I ask myself if it wouldn't be better to add this to
removeXSSStripTagsArray but discarded it as I cannot foresee the effects
on other functions. If you know it better feel free to change the patch.
Cheers,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: com_10152.diff
Type: text/x-patch
Size: 434 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-commerce/attachments/20101007/d86bd1be/attachment.bin>
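The following PHP snippet is an added illustration of the defect described above and of the proposed fix; it is not the content of com_10152.diff and not code from the TYPO3 commerce extension. The function names and the sample street value are constructed for the example; the real pi3 template code is not reproduced here.

```php
<?php
// Added example (not the com_10152.diff attachment): shows why a raw
// value breaks the invoice-address form and how htmlspecialchars() fixes it.
// renderFieldUnescaped/renderFieldEscaped and the sample input are
// constructed for illustration, not taken from the extension.

declare(strict_types=1);

/** The "before" situation: the submitted value is dropped into the attribute as-is. */
function renderFieldUnescaped(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

/** The "after" situation: the value is passed through htmlspecialchars() first. */
function renderFieldEscaped(string $name, string $value): string
{
    // ENT_QUOTES escapes both " and ' so the value cannot terminate the
    // attribute whichever quote style the template uses. Stating the
    // charset avoids depending on the PHP version's default.
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '" />';
}

// Constructed sample: a street name containing a double quote, as in the
// "how to reproduce" step of the RFC.
$street = 'Main "Street" 1';

// The unescaped render keeps the literal quote, so the browser closes the
// value attribute early and treats the rest as stray attribute text: the
// re-displayed form looks broken, which is the symptom the RFC describes.
echo renderFieldUnescaped('street', $street), PHP_EOL;

// The escaped render replaces the quote with its entity; the browser decodes
// it again on submit, so the user's input survives the round trip intact.
echo renderFieldEscaped('street', $street), PHP_EOL;

// Double-encoding pitfall: escaping a value that is already escaped turns
// &quot; into &amp;quot;. Escape once, at the point of output, which is the
// concern behind not moving this into removeXSSStripTagsArray.
var_dump(htmlspecialchars('&quot;', ENT_QUOTES, 'UTF-8') === '&amp;quot;');
```

Two points worth keeping in mind when applying the fix: before PHP 8.1, htmlspecialchars() defaults to ENT_COMPAT and leaves single quotes unescaped, so pass ENT_QUOTES explicitly if a template ever uses single-quoted attributes; and because the escaping is specific to HTML output, doing it once at render time (rather than once on input and again on output) avoids the &amp;quot; double-encoding shown at the end of the snippet.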