[TYPO3-core] RFC: #8090: Menu creation has empty defaults which could lead to problems
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Fri Apr 11 12:10:26 CEST 2008
Steffen Kamper wrote:
> Hi
>
> This is an SVN patch request.
>
> Type: Bugfix
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=8090
>
> Branches: 4.2
>
> Problem:
> If you set pagetitle to:
> Any title <script>alert("bad message");</script>
>
> you can destroy a page because any access to FE will execute the Javascript
Which in turn has to be entered by an editor. So it's probably on purpose.
> Solution:
> patch adds HSC if stdWrap-Array is empty
This is the kind of default that no one will understand. Setting any
stdWrap feature will turn off the HSCing. So it would be better to check
for the HSC parameter itself; unless not set to 0, set it to 1.
OTOH, this is a change in behaviour, so it should go to TS with a
compatibility condition. Some folks allow HTML to be added by editors, be it
good or bad.
Masi
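
The two defaulting policies discussed in this message, side by side, as an added example that is not part of the original e-mail and is not TYPO3 core code. The function names and the simplified `applyStdWrap()` stand-in are hypothetical; `htmlSpecialChars` is the stdWrap property abbreviated as HSC in the thread, and the patch behaviour is modelled only from its one-line description above.

```php
<?php
// Added illustration, not TYPO3 core code. All function names are hypothetical.

// Policy described for the patch: escape only when the stdWrap array is empty.
function escapeIfStdWrapEmpty(string $title, array $stdWrap): string
{
    if (empty($stdWrap)) {
        return htmlspecialchars($title);
    }
    return applyStdWrap($title, $stdWrap);
}

// Policy suggested in the reply: escape unless htmlSpecialChars is explicitly set.
function escapeUnlessDisabled(string $title, array $stdWrap): string
{
    if (!isset($stdWrap['htmlSpecialChars'])) {
        $stdWrap['htmlSpecialChars'] = 1; // default on; an explicit 0 is kept
    }
    return applyStdWrap($title, $stdWrap);
}

// Minimal stand-in for stdWrap that handles only the two properties used here.
function applyStdWrap(string $value, array $conf): string
{
    if (!empty($conf['htmlSpecialChars'])) {
        $value = htmlspecialchars($value);
    }
    if (isset($conf['wrap'])) {
        [$before, $after] = array_pad(explode('|', $conf['wrap'], 2), 2, '');
        $value = $before . $value . $after;
    }
    return $value;
}

// Page title taken from the bug report quoted above.
$title = 'Any title <script>alert("bad message");</script>';

// Constructed sample configurations.
$configs = [
    'empty stdWrap'    => [],
    'wrap only'        => ['wrap' => '<b>|</b>'],
    'explicit opt-out' => ['htmlSpecialChars' => 0],
];

foreach ($configs as $label => $conf) {
    printf("%-17s patch: %s\n", $label, escapeIfStdWrapEmpty($title, $conf));
    printf("%-17s reply: %s\n", '', escapeUnlessDisabled($title, $conf));
}
```

The "wrap only" row is where the two policies differ: the empty-array check leaves the title unescaped as soon as any unrelated stdWrap property is set, while the per-parameter default still escapes it.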