[TYPO3-core] RFC #8636: Translation for module lowlevel

Stefano Kowalke blueduck at gmx.net
Sun Jun 8 15:27:42 CEST 2008


Hi

Christopher wrote:

> Hi Stefano,
> 
> "Stefano Kowalke" <blueduck at gmx.net> wrote in the news posting
> news:mailman.1.1212857291.4445.typo3-team-core at lists.netfielders.de...
>> Hi Christopher,
>>
>> Check if htmlspecialchars is needed.
> 
> This is done by adding a "true", right?
> E.g. $GLOBALS['LANG']->getLL('configuration', true)

Right


> My question is: When is there a need to add this?

About the function:
htmlspecialchars() converts certain HTML characters to their entities: <, >, &
and " become &lt;, &gt;, &amp; and &quot;.

Normally you need this if you allow user input on your site (guestbook,
comments). The user could insert some JavaScript, for example, and when the
page with the included JS is called, the JS will be executed.

So you mask the data from somewhere (file, database) to neutralize the JS
code in the HTML output.

If you have this JS in the page:

<script type="text/Javascript">
for (x=1; x>0;x++){
alert ("Alert!");
}
</script>

with htmlspecialchars() you get this:

&lt;script type=&quot;text/Javascript&quot;&gt;
for (x=1; x&gt;0;x++){
alert (&quot;Alert!&quot;);
}
&lt;/script&gt;



> And: Why?

This question is not bad, because the lang labels come from a locallang.xml
file. The only way I see to get some bad code in there is the
translation server. Somebody could enter JS code there and this would be
executed.

But if you have a <br /> in there, you get a <br /> in the label and not a
line break.
 
Recently there was a discussion here about the same topic:
RFC:8574 Do not use htmlspecialchars for CSH description

Cheers
Stefano

-- 
Since 1 January 2008, data about every e-mail is being retained regardless of suspicion!
More information: www.vorratsdatenspeicherung.de
GPG-ID: 0x2B08936D
Key-Fingerprint: 7F31 BCF0 70C0 B3B1 1235 07E9 1777 D7A0 2B08 936D


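The two points raised in the message above (a label from the translation server is neutralised by the "true" argument, but a label that deliberately contains `<br />` then shows the tag literally) can be seen side by side in the following added example. It is not TYPO3 code: `LABELS` is a constructed stand-in for a locallang.xml label store, and `getLL()` is a hypothetical stand-in that only reproduces the `getLL($key, $hsc)` contract named in the thread.

```php
<?php
// Added example, not TYPO3 code: what the second "true" argument to getLL()
// buys you, shown on constructed labels.

declare(strict_types=1);

// Constructed label store (hypothetical values). 'hint' is a label that relies
// on markup; 'poisoned' imitates what someone could type into a translation server.
const LABELS = [
    'configuration' => 'Configuration',
    'hint'          => 'Line one<br />Line two',
    'poisoned'      => '<script type="text/javascript">alert("Alert!");</script>',
];

/**
 * Hypothetical stand-in for getLL($key, $hsc): returns the raw label, or the
 * label passed through htmlspecialchars() when $hsc is true.
 *
 * ENT_QUOTES also escapes single quotes, so the result is safe inside both
 * double- and single-quoted attribute values; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of making htmlspecialchars() return an empty string.
 */
function getLL(string $key, bool $hsc = false): string
{
    $label = LABELS[$key] ?? '';

    return $hsc
        ? htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $label;
}

// Print every label once raw and once escaped, so the difference is visible.
foreach (array_keys(LABELS) as $key) {
    printf("%-14s raw: %s\n", $key, getLL($key));
    printf("%-14s hsc: %s\n\n", $key, getLL($key, true));
}
```

Run with `php example.php`. The escaped `poisoned` label comes out as `&lt;script type=&quot;text/javascript&quot;&gt;alert(&quot;Alert!&quot;);&lt;/script&gt;`, which a browser renders as visible text instead of running it. The escaped `hint` label comes out as `Line one&lt;br /&gt;Line two`, i.e. the reader sees a literal `<br />` and no line break, which is exactly the caveat from the message: escaping has to happen once, at the point where the label is written into HTML, and a label that is meant to carry markup cannot go through `htmlspecialchars()` unchanged.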