[TYPO3-core] RFC: Add external RemoveXSS library to TYPO3

[Martin Kutschker]

Patrick Broens schrieb:
> Michael Stucki wrote:
>> Hi Masi,
>>
>>>> So who knows the answer?
>>> Well, the author's homepage for this little script is here:
>>>
>>> http://quickwired.com/smallprojects/php_xss_filter_function.php
>>>
>>> Why don't we ask him? Maybe the the sec. team has already (note: "with
>>> permission of the author").
>>
>> We got that permission already. Lars Houmark has forwarded me a mail 
>> from the author where he explicitely allows TYPO3 to "use and modify 
>> it however we want". To me this sounds like no problem at all, however 
>> I'm still not sure about any GPL weirdness, so I just wanted to be 
>> sure...
>>
>> Have a look at the chart on this page which also covers information 
>> about GPLv2 (which is the license of TYPO3 4.1): 
>> http://gplv3.fsf.org/dd3-faq
>>
>> To me this looks exactly like it's a problem to include such code in a 
>> GPL (no matter if v2 or v3) project, even if the author has approved 
>> it so clearly.
>>
>> Since this looks so weird to me, the next question for me is:
>> Why should we care?
> If this has not a license, the final effect is that of a proprietary 
> license. Every program that is not accompanied by a copyright license is 
> subject to the Berne international copyright convention, and can not be 
> distributed or modified without the explicit consent of the copyright 
> holders.  This means that the program is not free without a free 
> copyright license, even when the source is available, with or without 
> charge.
> 
> So yes, there is a problem including this code in a GPL project.
> 
> I wonder if the author knows about licenses. Perhaps he is willing to 
> distribute the code with a license. That could be in our favour, but 
> maybe also in his.

So in fact it's easier IMHO for us to include the code directly in 
t3lib_div, attribute it to the author and save the email where he 
explicitely gives his ok to GPL the code.

Masi