[TYPO3-core] RFC: Improvement of removeXSS

David Slayback dave at webempoweredchurch.org
Fri Oct 31 15:19:59 CET 2008


I've tested this extensively, we are running it on live sites, and all 
is good. Much faster and improved. (Have incorporated it into 
wec_discussion beta version.)

However, I did find one small bug -- it strips out commas. I have added 
a new fix in http://bugs.typo3.org/view.php?id=8978. Very minor bug but 
necessary to fix before core commit.

So +1 from me with the comma-fix.

-Dave
  www.WebEmpoweredChurch.org

Steffen Kamper wrote:
> Hi,
> 
> This is a SVN patch request.
> 
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=8978
> http://bugs.typo3.org/view.php?id=7033
> http://bugs.typo3.org/view.php?id=9198
> 
> Problem:
> 
> the removeXSS-script used had some lacks. It replaced tags in normal 
> text which prevents most from using this script.
> 
> Jigal did some improvements and I reformatted to CGL and tested.
> These changes are done:
> 
> * bugfixes in regexps
> * optimizations
> * quickscan for keywords to speed up the function when no potential threats
> * regexps specific for different type of keywords to reduce false positives
> * configurable "tag replaceString"
> 
> for deeper information about XSS have a look at
> http://ha.ckers.org/xss.html
> 
> vg Steffen
> 
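The filter structure described in the patch request above (a cheap keyword quickscan, one regexp per keyword class to cut false positives, and a configurable tag replaceString), together with the comma regression from the reply, as an added example; this is not the TYPO3 removeXSS code, and the keyword lists, patterns and the function names quickScanForThreats/removeXssLite are this example's own assumptions.

```php
<?php
// Added illustration, not the TYPO3 removeXSS code: a minimal filter laid
// out the way the patch description lists the changes (keyword quickscan,
// per-keyword-class regexps, configurable "tag replaceString"). The keyword
// lists and patterns below are this example's own assumptions.

function quickScanForThreats(string $value): bool
{
    // Every pattern in removeXssLite() needs one of these fragments; if none
    // is present the regexps are skipped, which is where the speed-up comes from.
    foreach (['<', 'script:', 'expression(', '='] as $needle) {
        if (stripos($value, $needle) !== false) {
            return true;
        }
    }
    return false;
}

function removeXssLite(string $value, string $replaceString = '<x>'): string
{
    if (!quickScanForThreats($value)) {
        return $value; // plain prose (commas included) passes through untouched
    }
    // One regexp per keyword class, so a word like "Description" or a comma
    // in ordinary text is not treated as markup.
    $rules = [
        // dangerous tag openers: <script, </iframe, ...  (gets the replaceString)
        '/<\s*(\/?)\s*(script|iframe|object|embed|applet|meta|style|link|base)\b/i'
            => '<${1}' . $replaceString . '${2}',
        // inline event handlers: onload=, onerror=, ...
        '/\bon([a-z]+)\s*=/i' => 'on' . $replaceString . '${1}=',
        // script-executing URL schemes
        '/\b(javascript|vbscript)\s*:/i' => '${1}' . $replaceString . ':',
        // IE CSS expression()
        '/\bexpression\s*\(/i' => 'expression' . $replaceString . '(',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $value);
}

// Constructed inputs: two payloads, a line with '=' and commas that must run
// through the regexps unchanged, and plain prose the quickscan skips entirely.
$samples = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    'Description=A, B, C',
    'Commas, like these, must survive.',
];
foreach ($samples as $sample) {
    echo $sample, ' => ', removeXssLite($sample), PHP_EOL;
}
```

Running it shows the tag and handler samples neutralised while both comma-bearing lines come back byte-for-byte identical, which is the check the follow-up bug report asks for.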

