[TYPO3-core] RFC: Feature Request: TCEforms/IRRE - Allow TSconfig to override TCA field configuration

Ingmar Schlecht ingmar at typo3.org
Fri Feb 2 13:15:04 CET 2007


Dmitry Dulepov wrote:
> Martin Kutschker wrote:
>> Does it in this context make more sense to make a kind of whitelist
>> (TCA settings allowed to be overridden) rather than a blacklist
>> (forbidden changes).
> 
> One reason to use blacklists is that they may be shorter than
> whitelists. Another reason is that blacklists are usually backward
> compatible: if nothing is in the blacklist, everything still works. However,
> if you have to add something to the whitelist after an upgrade, you
> will probably not like such extra manual work.
> 
> I feel (!= sure) that blacklists can be more suitable here.

I'm pretty sure whitelists are the way to go, as they prevent us from
tapping into security risks unconsciously. TSConfig can be edited not
only by admins, so we need to make sure not to allow modifications of
the TCA that could affect security in some way.

I just tested it by setting "appearance.expandSingle = 1" on an IRRE
field, and it worked like a charm.

+1

cheers
Ingmar
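
The whitelist/blacklist trade-off discussed in this message, as an added example (not part of the original message and not TYPO3 core code). The function names and both lists are hypothetical; only `appearance.expandSingle` comes from the thread, and the override array is constructed sample input.

```php
<?php
// Added illustration: filtering TSconfig overrides of a TCA field config.
// Lists and sample values are constructed, not TYPO3's actual policy.

/** Flatten a parsed TSconfig array ('appearance.' => [...]) into dotted paths. */
function flattenOverrides(array $config, string $prefix = ''): array
{
    $flat = [];
    foreach ($config as $key => $value) {
        $path = $prefix . rtrim((string)$key, '.');
        if (is_array($value)) {
            $flat += flattenOverrides($value, $path . '.');
        } else {
            $flat[$path] = $value;
        }
    }
    return $flat;
}

/** Whitelist: only explicitly listed paths pass; everything else is reported. */
function applyWhitelist(array $overrides, array $allowed): array
{
    $flat = flattenOverrides($overrides);
    $accepted = array_intersect_key($flat, array_flip($allowed));
    return ['accepted' => $accepted, 'rejected' => array_keys(array_diff_key($flat, $accepted))];
}

/** Blacklist: everything passes unless someone remembered to list it. */
function applyBlacklist(array $overrides, array $denied): array
{
    $flat = flattenOverrides($overrides);
    $accepted = array_diff_key($flat, array_flip($denied));
    return ['accepted' => $accepted, 'rejected' => array_keys(array_diff_key($flat, $accepted))];
}

// Constructed TSconfig override, as a non-admin editor might supply it.
$overrides = [
    'appearance.' => ['expandSingle' => '1'],
    'maxitems' => '5',
    'foreign_table' => 'tx_example_table',    // structural setting, constructed value
    'optionAddedInLaterRelease' => 'value',   // hypothetical key neither list knows about
];

$whitelist = ['appearance.expandSingle', 'maxitems'];
$blacklist = ['foreign_table'];

// The whitelist rejects foreign_table and the unknown key by default.
print_r(applyWhitelist($overrides, $whitelist));
// The blacklist blocks foreign_table but lets the unknown key through.
print_r(applyBlacklist($overrides, $blacklist));
```

The rejected list is what an implementation would log, so that an override silently dropped after an upgrade is visible to whoever maintains the TSconfig.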

