[TYPO3-core] RFC: Improvement of removeXSS
Steffen Kamper
info at sk-typo3.de
Mon Sep 29 13:35:17 CEST 2008
Hi,
This is an SVN patch request.
Bugtracker references:
http://bugs.typo3.org/view.php?id=8978
http://bugs.typo3.org/view.php?id=7033
http://bugs.typo3.org/view.php?id=9198
Problem:
The removeXSS script that was used had some shortcomings. It replaced tags in normal
text, which prevented most people from using this script.
Jigal made some improvements, and I reformatted to CGL and tested.
These changes are done:
* bugfixes in regexps
* optimizations
* quickscan for keywords to speed up the function when there are no potential threats
* regexps specific to different types of keywords to reduce false positives
* configurable "tag replaceString"
For more in-depth information about XSS, have a look at
http://ha.ckers.org/xss.html
vg Steffen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: removeXSS.diff
Type: text/x-diff
Size: 11648 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20080929/b2fb680b/attachment-0001.diff
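As an added illustration (not the code in the attached removeXSS.diff, and not TYPO3's own implementation), the PHP below sketches the three design points the RFC lists: a cheap quickscan before any regexp runs, one regexp per keyword type so that a word in running text is not treated as a tag, and a configurable replace string. The class and method names, the keyword lists, the patterns, and the way a match is neutralised (splicing the replace string into the keyword, e.g. "sc<x>ript") are this example's own assumptions, as are the constructed sample inputs at the bottom.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration only: NOT the code from removeXSS.diff and not
 * TYPO3's implementation. It demonstrates the three ideas the RFC lists
 * (quickscan, per-keyword-type regexps, configurable replace string).
 * Class name, method names, keyword lists and patterns are assumptions.
 */
final class XssFilterExample
{
    /** Element names that load or execute active content (example list). */
    private const TAGS = [
        'script', 'iframe', 'frame', 'frameset', 'object', 'embed', 'applet',
        'meta', 'link', 'style', 'base', 'layer', 'ilayer', 'bgsound',
    ];

    /** URL schemes that run code when used in href/src/action values. */
    private const SCHEMES = ['javascript', 'vbscript', 'livescript'];

    private string $replaceString;

    public function __construct(string $replaceString = '<x>')
    {
        // An empty replace string would splice nothing into the keyword and
        // silently disable the filter, so reject it up front.
        if ($replaceString === '') {
            throw new InvalidArgumentException('replaceString must not be empty');
        }
        $this->replaceString = $replaceString;
    }

    /**
     * Cheap triage before any regexp runs. Every pattern in patterns() needs
     * a '<' or an '=' plus one of the keywords, so input lacking them is
     * returned untouched. Being too permissive here is harmless (the regexps
     * still decide); being too strict would be a bypass, so keep it generous.
     */
    public function quickscan(string $input): bool
    {
        if (strpos($input, '<') === false && strpos($input, '=') === false) {
            return false;
        }
        $lower = strtolower($input);
        foreach (array_merge(self::TAGS, self::SCHEMES, ['on', 'expression']) as $keyword) {
            if (strpos($lower, $keyword) !== false) {
                return true;
            }
        }
        return false;
    }

    /**
     * One regexp per keyword type, each tied to the syntax that makes the
     * keyword dangerous: "script" in prose never matches, "<script" does.
     * Every pattern captures (prefix)(keyword)(suffix).
     */
    private function patterns(): array
    {
        $tags = implode('|', self::TAGS);
        $schemes = implode('|', self::SCHEMES);
        return [
            // element names directly after "<" or "</"
            '/(<\s*\/?\s*)(' . $tags . ')(\b)/i',
            // event handler attributes: " onload=", "/onerror =", '"onclick='
            '/(\s|\/|"|\')(on[a-z]+)(\s*=)/i',
            // script schemes only as attribute values: href="javascript:"
            '/(=\s*["\']?\s*)(' . $schemes . ')(\s*:)/i',
            // CSS expression() inside style values
            '/(\b)(expression)(\s*\()/i',
        ];
    }

    /** Break the keyword by splicing the replace string into it. */
    private function neutralise(string $keyword): string
    {
        return substr($keyword, 0, 2) . $this->replaceString . substr($keyword, 2);
    }

    public function filter(string $input): string
    {
        if (!$this->quickscan($input)) {
            return $input;
        }
        // The replace string is configurable, so repeat until the output is
        // stable; the bound turns a pathological replace string that rebuilds
        // a keyword into an exception instead of an endless loop.
        for ($pass = 0; $pass < 10; $pass++) {
            $before = $input;
            foreach ($this->patterns() as $pattern) {
                $result = preg_replace_callback(
                    $pattern,
                    fn(array $m): string => $m[1] . $this->neutralise($m[2]) . $m[3],
                    $input
                );
                if ($result === null) {
                    throw new RuntimeException('regexp failed, preg error ' . preg_last_error());
                }
                $input = $result;
            }
            if ($input === $before) {
                return $input;
            }
        }
        throw new RuntimeException('input did not stabilise within 10 passes');
    }
}

// Constructed sample inputs: plain prose containing keywords, then real payloads.
$filter = new XssFilterExample();
$samples = [
    'The script for the play links to the style guide.',
    '<img src=x onerror="alert(1)">',
    '<a href="javascript:alert(1)">x</a>',
    '<SCRIPT>alert(document.cookie)</SCRIPT>',
];
foreach ($samples as $sample) {
    echo $sample, PHP_EOL, '  -> ', $filter->filter($sample), PHP_EOL;
}
```

Run with `php removexss_example.php`: the prose line comes back unchanged because the quickscan never hands it to the regexps, while the three payloads come back with the replace string spliced into the tag name, the handler name and the scheme. Two caveats a practitioner should keep in mind: a keyword filter of this kind is an input-side mitigation only, and context-aware output encoding remains the primary defence; and this example does not handle the entity, null-byte and charset tricks that the ha.ckers.org cheat sheet linked above catalogues, which any real filter has to decode before matching.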