[TYPO3-core] RFC: #8090: Menu creation has empty defaults which could lead to problems
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Fri Apr 11 12:26:40 CEST 2008
Steffen Kamper wrote:
> "Martin Kutschker" <Martin.Kutschker at n0spam-blackbox.net> wrote in
> message
> news:mailman.1.1207908626.18944.typo3-team-core at lists.netfielders.de...
>> Steffen Kamper wrote:
>>> Hi
>>>
>>> This is an SVN patch request.
>>>
>>> Type: Bugfix
>>>
>>> Bugtracker references:
>>> http://bugs.typo3.org/view.php?id=8090
>>>
>>> Branches: 4.2
>>>
>>> Problem:
>>> If you set pagetitle to:
>>> Any title <script>alert("bad message");</script>
>>>
>>> you can destroy a page because any access to FE will execute the
>>> JavaScript
>> Which in turn has to be entered by an editor. So it's probably on purpose.
>>
>>> Solution:
>>> patch adds HSC if stdWrap-Array is empty
>> This is the kind of default that no one will understand. Setting any
>> stdWrap feature will turn off the HSCing. So it would be better to check
>> for the HSC parameter itself; unless not set to 0, set it to 1.
>
> This is only if nothing is defined with stdWrap. If User sets something in
> TS it won't affect.
> I would agree for checking only HSC in stdWrap, but no idea for a solution
> here, do you have an idea?
Use isset()?
>> OTOH, this is a change in behaviour so, it should go to TS with a
>> compatibility condition. Some folks allow HTML to be added by editors, be
>> it good or bad.
>>
> I don't know where to set. This is TS which has no defaults, or where do I
> find any default TS for HMENU?
Right. Stupid me. I was thinking about "content (default)" and CSC. I have
no idea if the compatibility setting could (and should) be accessed from
tslib-code.
Masi
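
The two defaults discussed in this thread, side by side, as an added example that is not part of the original message and not TYPO3 core code. The function names are hypothetical and `applyWrap()` is a simplified stand-in for stdWrap's `wrap` property; `$conf` mimics a TypoScript stdWrap array.

```php
<?php
// Added illustration; function names are hypothetical, not TYPO3 core code.

// Rule from the patch as described: escape only when no stdWrap is configured.
function titleHscIfEmpty(string $title, array $conf): string
{
    if (empty($conf)) {
        return htmlspecialchars($title);
    }
    return applyWrap($title, $conf);
}

// Rule suggested in the reply: escape unless htmlSpecialChars is set to 0.
function titleHscUnlessDisabled(string $title, array $conf): string
{
    $disabled = isset($conf['htmlSpecialChars'])
        && (string)$conf['htmlSpecialChars'] === '0';
    if (!$disabled) {
        $title = htmlspecialchars($title);
    }
    return applyWrap($title, $conf);
}

// Simplified stand-in for the stdWrap "wrap" property: "before|after".
function applyWrap(string $value, array $conf): string
{
    if (!isset($conf['wrap'])) {
        return $value;
    }
    $parts = explode('|', $conf['wrap'], 2);
    return $parts[0] . $value . ($parts[1] ?? '');
}

// Page title taken from the problem description in the thread.
$title = 'Any title <script>alert("bad message");</script>';
$cases = [
    'no stdWrap'           => [],
    'wrap only'            => ['wrap' => '<span>|</span>'],
    'htmlSpecialChars = 0' => ['wrap' => '<span>|</span>', 'htmlSpecialChars' => '0'],
];
foreach ($cases as $label => $conf) {
    printf("%-22s empty-check: %s\n", $label, titleHscIfEmpty($title, $conf));
    printf("%-22s isset-check: %s\n", '', titleHscUnlessDisabled($title, $conf));
}
```

In the "wrap only" case the empty-array rule emits the title unescaped, while the isset-based rule still escapes it; only an explicit `htmlSpecialChars = 0` turns escaping off.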