[TYPO3-core] RFC #11649: RemoveXSS corrupts HTML

Marcus Krause marcus#exp2009 at t3sec.info
Mon Dec 7 14:02:55 CET 2009


Steffen Kamper wrote:
> Hi,
> 
> I agree that it looks weird. But I would like to see a proper solution
> with style - removeXSS is too strict here as it doesn't allow any usage
> of style, link etc.
> That's the main reason users don't use it, as it destroys harmless code as
> well.

These discussions pop up quite often. RemoveXSS destroys output; nobody
uses it.
Having a custom solution in TYPO3 core needs constant maintenance work
as new browsers introduce new behaviors. It would need a maintainer who
is up to date with XSS (browsers, encodings).
To be honest, I don't see anybody capable in the Core Team. In addition,
IMHO there are no free resources in the Security Team either.

We should really consider using a ready-to-be-used third party project
like htmlpurifier.


Marcus.
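To illustrate the allowlist approach the thread argues for (keeping harmless style and link markup while dropping script and event handlers), here is an added HTML Purifier example; it is not code from the thread or from TYPO3, and it assumes HTML Purifier is installed with an autoloader at the path shown. The function name and the sample input are constructed for this example.

```php
<?php
// Added example (not TYPO3 core code). Assumes HTML Purifier is installed
// and reachable through this (assumed) autoloader path.
require_once 'vendor/autoload.php';

function purifyComment(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist instead of a blacklist: only these elements and attributes
    // survive; everything else (script, onclick, unknown tags) is removed.
    $config->set('HTML.Allowed', 'p[style],b,i,a[href],span[style]');
    // The style attribute is kept, but only for these CSS properties.
    $config->set('CSS.AllowedProperties', 'color,font-weight');
    // Links are kept, but only with these URI schemes.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: harmless styling and a link mixed with an
// inline event handler and a script element.
$dirty = '<p style="color:red">Hello <b onclick="alert(1)">world</b> '
       . '<a href="https://typo3.org">TYPO3</a><script>alert(1)</script></p>';

// Output keeps the style attribute and the link but drops the onclick
// handler and the script element, which is what RemoveXSS cannot do
// without also stripping the harmless markup.
echo purifyComment($dirty), PHP_EOL;
```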

