[TYPO3-core] RFC: Improvement of removeXSS
Oliver Hader
oliver at typo3.org
Wed Nov 12 11:49:22 CET 2008
Hi Steffen,
Steffen Kamper wrote:
> Hi,
>
> here is an updated version from David Slayback fixing a minor bug.
>
> So this one needs one core +1 to get submitted.
>
> Again, I know that it's not perfect and more enhancements will follow,
> but I think it's important to have a working base as the current version
> isn't.
I've tested the patch with the exploits shown at
http://ha.ckers.org/xssAttacks.xml. However I'm puzzled how this works,
when the functionality gets called with "RemoveXSS::RemoveXSS()". This
is a static call to the constructor.
I guess that it's intended to be called statically - but then the code
is wrong (and was wrong before this patch). Which extensions are
currently using the RemoveXSS feature? I'd like to know how they use it
there...
Basically +1 on reading and testing
olly
--
Oliver Hader
TYPO3 4.3 Release Manager