[TYPO3-core] RFC: #8090: Menu creation has empty defaults which could lead to problems

Martin Kutschker Martin.Kutschker at n0spam-blackbox.net
Fri Apr 11 12:26:40 CEST 2008


Steffen Kamper wrote:
> "Martin Kutschker" <Martin.Kutschker at n0spam-blackbox.net> wrote in message
> news:mailman.1.1207908626.18944.typo3-team-core at lists.netfielders.de...
>> Steffen Kamper wrote:
>>> Hi
>>>
>>> This is an SVN patch request.
>>>
>>> Type: Bugfix
>>>
>>> Bugtracker references:
>>> http://bugs.typo3.org/view.php?id=8090
>>>
>>> Branches: 4.2
>>>
>>> Problem:
>>> If you set pagetitle to:
>>> Any title <script>alert("bad message");</script>
>>>
>>> you can destroy a page because any access to FE will execute the 
>>> JavaScript
>> Which in turn has to be entered by an editor. So it's probably on purpose.
>>
>>> Solution:
>>> patch adds HSC if stdWrap-Array is empty
>> This is the kind of default that no one will understand. Setting any 
>> stdWrap feature will turn off the HSCing. So it would be better to check 
>> for the HSC parameter itself; unless not set to 0, set it to 1.
> 
> this is only if nothing is defined with stdWrap. If User sets something in 
> TS it won't affect.
> I would agree for checking only HSC in stdWrap, but no idea for a solution 
> here, do you have an idea?

Use isset()?

>> OTOH, this is a change in behaviour so, it should go to TS with a 
>> compatibility condition. Some folks allow HTML to be added by editors, be 
>> it good or bad.
>>
> I don't know where to set. This is TS which has no defaults, or where do I 
> find any default TS for HMENU?

Right. Stupid me. I was thinking about "content (default)" and CSC. I have 
no idea if the compatibility setting could (and should) be accessed from 
tslib-code.

Masi
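
The two defaults discussed in this thread, side by side, as an added example that is not part of the original messages or of the TYPO3 core: the function names and the minimal applyStdWrap() stand-in are hypothetical, and only the stdWrap properties htmlSpecialChars and wrap are modelled.

```php
<?php
// Added illustration, not TYPO3 core code. $conf stands for the stdWrap
// configuration array of a menu item title (values are strings, as in TS).

// Minimal stand-in for stdWrap: handles only 'htmlSpecialChars' and 'wrap'.
function applyStdWrap(string $value, array $conf): string
{
    if (!empty($conf['htmlSpecialChars'])) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    if (isset($conf['wrap'])) {
        [$before, $after] = array_pad(explode('|', $conf['wrap'], 2), 2, '');
        $value = $before . $value . $after;
    }
    return $value;
}

// Default as described for the patch: escape only if the stdWrap array is empty.
function titleEscapedIfConfEmpty(string $title, array $conf): string
{
    if (empty($conf)) {
        return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    }
    return applyStdWrap($title, $conf);
}

// Default as suggested in the reply: escape unless htmlSpecialChars is set.
// isset() is true for '0', so an explicit 0 still switches escaping off.
function titleEscapedUnlessDisabled(string $title, array $conf): string
{
    if (!isset($conf['htmlSpecialChars'])) {
        $conf['htmlSpecialChars'] = '1';
    }
    return applyStdWrap($title, $conf);
}

// Page title from the bug report; the configurations are constructed samples.
$title = 'Any title <script>alert("bad message");</script>';
$cases = [
    'no stdWrap'      => [],
    'wrap only'       => ['wrap' => '<span>|</span>'],
    'HSC set to 0'    => ['wrap' => '<span>|</span>', 'htmlSpecialChars' => '0'],
];
foreach ($cases as $label => $conf) {
    echo $label, "\n";
    echo '  empty-array default: ', titleEscapedIfConfEmpty($title, $conf), "\n";
    echo '  isset() default:     ', titleEscapedUnlessDisabled($title, $conf), "\n";
}
```

In the "wrap only" case the empty-array default emits the script tag unescaped, while the isset() default still escapes it; only the explicit htmlSpecialChars = 0 case passes editor HTML through in both variants.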

