[TYPO3-core] RFC: #8090: Menu creation has empty defaults which could lead to problems
Steffen Kamper
steffen at sk-typo3.de
Fri Apr 11 12:16:49 CEST 2008
"Martin Kutschker" <Martin.Kutschker at n0spam-blackbox.net> wrote in
news message
news:mailman.1.1207908626.18944.typo3-team-core at lists.netfielders.de...
> Steffen Kamper wrote:
>> Hi
>>
>> This is an SVN patch request.
>>
>> Type: Bugfix
>>
>> Bugtracker references:
>> http://bugs.typo3.org/view.php?id=8090
>>
>> Branches: 4.2
>>
>> Problem:
>> If you set pagetitle to:
>> Any title <script>alert("bad message");</script>
>>
>> you can destroy a page because any access to FE will execute the
>> JavaScript
>
> Which in turn has to be entered by an editor. So it's probably on purpose.
>
>> Solution:
>> patch adds HSC if stdWrap-Array is empty
>
> This is the kind of default that no one will understand. Setting any
> stdWrap feature will turn off the HSCing. So it would be better to check
> for the HSC parameter itself; unless not set to 0, set it to 1.
This is only if nothing is defined with stdWrap. If the user sets something
in TS, it won't have any effect.
I would agree with checking only HSC in stdWrap, but I have no idea for a
solution here. Do you have an idea?
>
> OTOH, this is a change in behaviour, so it should go to TS with a
> compatibility condition. Some folks allow HTML to be added by editors, be
> it good or bad.
>
I don't know where to set it. This is TS which has no defaults, or where do I
find any default TS for HMENU?
Regards, Steffen
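
The two defaulting rules debated in this message behave differently as soon as any stdWrap property is set. The following is an added example, not part of the original post and not TYPO3 core code; the function names and the `applyStdWrap()` stand-in (which models only `htmlSpecialChars` and `wrap`) are hypothetical, and the sample configurations are constructed.

```php
<?php
// Constructed model of the two defaulting rules discussed in the thread.
// $stdWrap stands in for the TypoScript stdWrap array of a menu item.

/** Rule from the patch description: escape only if the stdWrap array is empty. */
function renderTitleEscapeIfEmpty(string $title, array $stdWrap): string
{
    if ($stdWrap === []) {
        return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    }
    return applyStdWrap($title, $stdWrap);
}

/** Rule from the reply: escape unless htmlSpecialChars is explicitly set to 0. */
function renderTitleEscapeUnlessDisabled(string $title, array $stdWrap): string
{
    if (!array_key_exists('htmlSpecialChars', $stdWrap)) {
        $stdWrap['htmlSpecialChars'] = '1';
    }
    return applyStdWrap($title, $stdWrap);
}

/** Hypothetical minimal stand-in: handles only htmlSpecialChars and wrap. */
function applyStdWrap(string $value, array $conf): string
{
    if (!empty($conf['htmlSpecialChars'])) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    if (isset($conf['wrap'])) {
        [$before, $after] = array_pad(explode('|', $conf['wrap'], 2), 2, '');
        $value = $before . $value . $after;
    }
    return $value;
}

// Page title from the bug report, rendered under three constructed configurations.
$title = 'Any title <script>alert("bad message");</script>';
$cases = [
    'no stdWrap'       => [],
    'wrap only'        => ['wrap' => '<span>|</span>'],
    'explicit opt-out' => ['htmlSpecialChars' => '0'],
];
foreach ($cases as $label => $conf) {
    printf("%-17s patch rule: %s\n", $label, renderTitleEscapeIfEmpty($title, $conf));
    printf("%-17s reply rule: %s\n", '', renderTitleEscapeUnlessDisabled($title, $conf));
}
```

In the "wrap only" case the first rule emits the title unescaped while the second still escapes it; only the explicit opt-out yields raw HTML under both.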