[TYPO3-core] RFC: Add external RemoveXSS library to TYPO3
Michael Stucki
michael at typo3.org
Mon Sep 24 23:06:30 CEST 2007
Hi Masi,
> > So who knows the answer?
>
> Well, the author's homepage for this little script is here:
>
> http://quickwired.com/smallprojects/php_xss_filter_function.php
>
> Why don't we ask him? Maybe the sec. team has already (note: "with
> permission of the author").
We got that permission already. Lars Houmark has forwarded me a mail from the
author where he explicitly allows TYPO3 to "use and modify it however we
want". To me this sounds like no problem at all, however I'm still not sure
about any GPL weirdness, so I just wanted to be sure...
Have a look at the chart on this page which also covers information about
GPLv2 (which is the license of TYPO3 4.1): http://gplv3.fsf.org/dd3-faq
To me this looks exactly like it's a problem to include such code in a GPL (no
matter if v2 or v3) project, even if the author has approved it so clearly.
Since this looks so weird to me, the next question for me is:
Why should we care?
> But as the code doesn't seem to be "versioned" we can simply inline the
> code into t3lib_div directly. And - of course - we must use the code. E.g. we
> could change the constructor of pi_base to use it or add a method that
> checks the piVars, etc. Maybe we can protect the BE as well.
Including the script in a separate file is one thing, including it into
class.t3lib_div.php is another one where we actually are changing the license
from <nothing> to GPL. So the first option seems to be much easier to me and
is also better to adapt in case there will still be a change in the function
one day...
- michael