[TYPO3-core] RFC: Feature Request 4790: typolink.addQueryString - enable usage of merged POST and GET data

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Jan 23 18:05:55 CET 2007


Michael Stucki wrote: on 23.01.2007 17:24:

> Ernesto Baschny [cron IT] wrote:
>>> Documentation changes:
>>> Section 5.8, property "addQueryString", to end of ".method" paragraph:
>>> It's possible to get both, POST and GET data, on setting this to
>>> "POST,GET" or "GET,POST". The last method in this sequence takes
>>> precedence and overwrites the parts that are also present for the first
>>> method.
>> In the documentation I would propose to change the examples in .exclude
>> to be "pass,user,logintype", which might get appended to the
>> typolink if the user has just logged into TYPO3 as a fe_user.
> 
> I agree, this could be confusing otherwise...

Not only confusing, but a security risk: as the URL would contain
user+pass in cleartext, ready to be stored in proxies, browser caches
and other caches (maybe even TYPO3 cache, so the next user that hits the
page will get the link to the print view with user+pass from the last
guy that logged in there...).

Cheers,
Ernesto
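
The leak discussed in this thread, as an added illustration that is not part of the original messages and is not TYPO3 core code: a simplified PHP model of merging POST and GET data into a link's query string, with and without the exclude list. The function name `buildQueryString` and the sample request values are assumptions made for this example.

```php
<?php
// Added illustration, not TYPO3 core code.
// buildQueryString() is a hypothetical helper; the request data is constructed.

/**
 * Merge request data in the order given by $method ("GET", "POST",
 * "GET,POST" or "POST,GET"). The last method in the sequence overwrites
 * keys that are also present for the first one. Top-level keys named in
 * the comma-separated $exclude list are dropped before the query string
 * is built.
 */
function buildQueryString(string $method, array $get, array $post, string $exclude = ''): string
{
    $sources = ['GET' => $get, 'POST' => $post];
    $merged = [];

    foreach (array_map('trim', explode(',', strtoupper($method))) as $name) {
        if (isset($sources[$name])) {
            // Later sources win, including inside nested arrays.
            $merged = array_replace_recursive($merged, $sources[$name]);
        }
    }

    foreach (array_filter(array_map('trim', explode(',', $exclude))) as $key) {
        unset($merged[$key]);
    }

    return http_build_query($merged, '', '&', PHP_QUERY_RFC3986);
}

// Constructed sample: a front-end login form posted to the page with id=12.
$get  = ['id' => '12', 'type' => '0'];
$post = [
    'user'      => 'jdoe',
    'pass'      => 'example-password',
    'logintype' => 'login',
    'type'      => '98',
];

// No exclude list: the posted credentials become part of the generated
// link and of anything that stores that link (proxy, browser or page cache).
echo buildQueryString('GET,POST', $get, $post), "\n";

// Exclude list proposed in the thread: the credentials are removed, while
// the POST value of "type" still overrides the GET value.
echo buildQueryString('GET,POST', $get, $post, 'pass,user,logintype'), "\n";
```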

