[TYPO3-core] RFC #11649: RemoveXSS corrupts HTML

Ingmar Schlecht ingmar at typo3.org
Mon Dec 7 14:11:49 CET 2009


Marcus Krause schrieb:
> Steffen Kamper schrieb:
>> Hi,
>>
>> I agree that it looks weird. But I would like to see a proper solution
>> with style - removeXSS is too strict here as it doesn't allow any usage
>> of style, link etc.
>> That's the main reason users don't use it as it destroys harmless code as
>> well.
> 
> These discussions pop up quite often. RemoveXSS destroys output; nobody
> uses it.
> Having a custom solution in TYPO3 core needs constant maintenance work
> as new browsers introduce new behaviors. It would need a maintainer that
> is up to date with XSS (browsers, encodings).
> To be honest, I don't see anybody capable in the Core Team. In addition,
> IMHO there are no free resources in the Security Team either.
> 
> We should really consider using a ready-to-be-used third party project
> like htmlpurifier.

I fully agree.

cheers
Ingmar
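The allow-list approach the thread contrasts with RemoveXSS's blanket stripping, as an added Python illustration (not TYPO3's RemoveXSS, not HTMLPurifier, and not code from anyone on the thread): a styled span and an https link survive intact, while event-handler attributes, script blocks and non-http(s)/mailto URL schemes are dropped. The tag, attribute, CSS-property and scheme lists are assumptions chosen for the demo.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allow-list: tag -> attributes that survive; every other tag/attribute is dropped.
ALLOWED_TAGS = {"p": {"style"}, "span": {"style"}, "a": {"href", "title"}, "b": set(), "br": set()}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
SAFE_CSS_PROPS = {"color", "font-weight", "text-decoration"}  # inert properties only
def safe_style(value):  # keep allow-listed properties whose value is only letters/digits/#/-
    kept = []
    for decl in value.split(";"):
        prop, _, val = (s.strip().lower() for s in decl.partition(":"))
        if prop in SAFE_CSS_PROPS and val.replace("#", "").replace("-", "").isalnum():
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)
def safe_url(value):  # reject control chars (e.g. a decoded tab in "jav\tascript:") and unlisted schemes
    value = value.strip()
    if any(ord(c) < 0x20 for c in value):
        return None
    scheme = urlparse(value).scheme  # urlparse lower-cases the scheme for us
    return value if not scheme or scheme in SAFE_URL_SCHEMES else None
class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0  # skipping > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lower-cased
        if tag in ("script", "style"):
            self.skipping += 1
        elif tag in ALLOWED_TAGS and not self.skipping:  # unknown tags: drop tag, keep text
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_TAGS[tag] and value is not None:
                    value = {"href": safe_url, "style": safe_style}.get(name, str)(value)
                    if value:
                        kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skipping:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```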

