[TYPO3-core] RFC #11649: RemoveXSS corrupts HTML

Steffen Kamper info at sk-typo3.de
Mon Dec 7 16:53:30 CET 2009


Ingmar Schlecht wrote:
> Marcus Krause wrote:
>> Steffen Kamper wrote:
>>> Hi,
>>> I agree that it looks weird. But I would like to see a proper solution
>>> with style - removeXSS is too strict here as it doesn't allow any usage
>>> of style, link etc.
>>> That's the main reason users don't use it, as it destroys harmless code as
>>> well.
>> These discussions pop up quite often. RemoveXSS destroys output; nobody
>> uses it.
>> Having a custom solution in TYPO3 core needs constant maintenance work
>> as new browsers introduce new behaviors. It would need a maintainer who
>> is up to date with XSS (browsers, encodings).
>> To be honest, I don't see anybody capable in the Core Team. In addition,
>> IMHO there are no free resources in the Security Team either.
>> We should really consider using a ready-to-be-used third party project
>> like htmlpurifier.
> I fully agree.

I also agree, but without discussion nothing happens. And removeXSS is a 
3rd-party script, which was enhanced by some of our devs.
If there is a proper script out there, please make the suggestion so we can 
integrate that instead of the existing one.

Regards, Steffen
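The complaint in this thread is that a denylist-style stripper removes harmless markup (every style attribute) while still needing constant upkeep against new encodings. The following is an added example written for this archive page, not code from the thread, from TYPO3, from RemoveXSS or from HTMLPurifier: a toy denylist stripper (hypothetical, standing in for that class of sanitizer) beside a small allowlist sanitizer, both run on two constructed inputs. The denylist version deletes the harmless style attribute and still lets an entity-encoded href through because its regex does not recognise it; the allowlist version keeps the harmless markup and drops only what it cannot vouch for. It is written in Python rather than PHP so it runs stand-alone; the allowed-tag table, the CSS declaration grammar and the scheme list are assumptions chosen for the demonstration, not a recommended production policy.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the thread).
HARMLESS = '<p style="color: red">Hello <a href="https://typo3.org/">TYPO3</a></p>'
HOSTILE = ('<p style="width: expression(alert(1))">x</p>'
           '<a href="jav&#x09;ascript:alert(1)">y</a>'
           '<img src="x" onerror="alert(1)">')

# --- 1. Toy denylist stripper (hypothetical; NOT the RemoveXSS code) ---------
# Deletes style/on* attributes wholesale and href/src values that literally
# start with "javascript:". Anything it has not been taught about passes.
DENY_ATTR = re.compile(r'\s+(?:style|on\w+)\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)
DENY_VALUE = re.compile(r'\s+(?:href|src)\s*=\s*["\']?\s*javascript:[^"\'\s>]*["\']?', re.I)

def blacklist_strip(markup):
    return DENY_VALUE.sub('', DENY_ATTR.sub('', markup))

# --- 2. Allowlist sanitizer: parse, keep only known tags/attributes ----------
ALLOWED = {                      # assumed policy for this example
    'p': {'style'}, 'span': {'style'}, 'a': {'href', 'title'},
    'b': set(), 'i': set(), 'em': set(), 'strong': set(), 'br': set(),
}
VOID = {'br'}
SAFE_SCHEMES = {'http', 'https', 'mailto'}
# One CSS declaration "property: value"; no ( ) ; or backslash in the value,
# which rules out url(), expression() and escape tricks.
CSS_DECL = re.compile(r'^[a-z-]+\s*:\s*[a-z0-9#%., -]+$', re.I)
SCHEME = re.compile(r'^([a-z][a-z0-9+.-]*):', re.I)

def safe_href(value):
    # Entities are already decoded by the parser; browsers also ignore ASCII
    # control characters inside the scheme, so strip them before checking.
    cleaned = re.sub(r'[\x00-\x20\x7f]', '', value)
    m = SCHEME.match(cleaned)
    return m is None or m.group(1).lower() in SAFE_SCHEMES   # relative URLs ok

def safe_style(value):
    decls = [d.strip() for d in value.split(';') if d.strip()]
    return bool(decls) and all(CSS_DECL.match(d) for d in decls)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []            # tags we emitted, so we only close those

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                # unknown tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            value = value or ''
            if name not in ALLOWED[tag]:
                continue
            if name == 'href' and not safe_href(value):
                continue
            if name == 'style' and not safe_style(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:      # close back to this tag to stay well-formed
            while self.open:
                t = self.open.pop()
                self.out.append('</%s>' % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open:
            self.out.append('</%s>' % self.open.pop())
        return ''.join(self.out)

def allowlist_sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()

if __name__ == '__main__':
    for label, sample in (('harmless', HARMLESS), ('hostile', HOSTILE)):
        print(label, 'denylist :', blacklist_strip(sample))
        print(label, 'allowlist:', allowlist_sanitize(sample))
```

Run it and compare the two outputs on the harmless input: the denylist stripper returns the paragraph without its style attribute, the allowlist sanitizer returns the input unchanged. On the hostile input the denylist stripper leaves the `jav&#x09;ascript:` href in place because its pattern only knows the literal spelling, while the allowlist sanitizer decodes the entity, normalises the scheme and drops the attribute. Every new browser quirk means another pattern for the first approach; the second only ever has to describe what is allowed.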
