[TYPO3-commerce] RFC: #10152: Insufficient input sanitizing in address handling

Sebastian Fischer sf at marketing-factory.de
Wed Oct 27 09:09:47 CEST 2010


On 07.10.2010 15:25, Michael Knabe wrote:
> This is an SVN patch request.
>
> Type: Bugfix
>
> Bugtracker references:
> http://forge.typo3.org/issues/10152
>
> Branches:
> trunk
>
> Problem:
> While entering the invoice address in pi3 the form fields are not
> correctly sanitized. Entering quotes (") breaks the output form. This is
> not a security issue, as the values are passed through
> tx_commerce_div::removeXSSStripTagsArray but it looks nasty.
>
> Solution:
> Add a call to htmlspecialchars
>
> How to reproduce:
> Enter a name, street name, whatever containing a double quote into the
> invoice address form. Also enter an invalid e-mail address or leave a
> required field empty so you see the form again.
>
>
> Notes:
> I ask myself if it wouldn't be better to add this to
> removeXSSStripTagsArray but discarded it as I cannot foresee the effects
> on other functions. If you know it better feel free to change the patch.
>
> Cheers,
> Michael
>
>

+1 by reading


Greetings
Sebastian
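The failure Michael describes above, as an added example that is not code from the commerce extension and does not reproduce tx_commerce_div::removeXSSStripTagsArray: a submitted value is re-rendered into a double-quoted value attribute, once unescaped and once through htmlspecialchars. The two helper names and the sample street name are constructed for this illustration.

```php
<?php
// Added example: two hypothetical field renderers for a re-displayed form.
// The XSS filter the RFC mentions strips tags; it does not encode quotes,
// so the attribute context still has to be protected by htmlspecialchars().

function renderFieldUnescaped(string $name, string $value): string
{
    // The raw value is dropped straight into a double-quoted attribute.
    // A double quote inside $value terminates the attribute early and the
    // remainder of the text is parsed as stray attribute junk.
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

function renderFieldEscaped(string $name, string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot end the attribute
    // whichever quote style the template uses; the charset is given
    // explicitly so the encoder does not guess.
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '" />';
}

// Constructed sample input: a street name containing a double quote, the
// case from the "How to reproduce" section.
$street = 'Main Street 5 "rear building"';

echo renderFieldUnescaped('street', $street), PHP_EOL;
echo renderFieldEscaped('street', $street), PHP_EOL;
```

In the first line of output the attribute closes after `Main Street 5 ` and the browser shows only that fragment, which is the "nasty" broken form from the report; in the second the quote is emitted as `&quot;`, the browser decodes it back for display, and the full street name survives a round trip through the form. The same escaping should be applied to every re-displayed field, not only the ones where a quote happens to have been noticed.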

