[TYPO3-core] RFC #11649: RemoveXSS corrupts HTML
Steffen Kamper
info at sk-typo3.de
Mon Dec 7 16:53:30 CET 2009
Hi,
Ingmar Schlecht wrote:
> Marcus Krause wrote:
>> Steffen Kamper wrote:
>>> Hi,
>>>
>>> I agree that it looks weird. But I would like to see a proper solution
>>> with style - removeXSS is too strict here as it doesn't allow any usage
>>> of style, link etc.
>>> That's the main reason users don't use it as it destroys harmless code as
>>> well.
>> These discussions pop up quite often. RemoveXSS destroys output; nobody
>> uses it.
>> Having a custom solution in TYPO3 core needs constant maintenance work
>> as new browsers introduce new behaviors. It would need a maintainer who
>> is up to date with XSS (browsers, encodings).
>> To be honest, I don't see anybody capable in the Core Team. In addition,
>> IMHO there are no free resources in the Security Team either.
>>
>> We should really consider using a ready-to-be-used third party project
>> like htmlpurifier.
>
> I fully agree.
>
I also agree, but without discussion nothing happens. And removeXSS is a
3rd-party script, which was enhanced by some of our devs.
If there is a proper script out there, please make the suggestion so we can
integrate that instead of the existing one.
Kind regards, Steffen
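The thread contrasts RemoveXSS, which deletes anything that looks like style or link markup and so "destroys harmless code", with an allowlist sanitizer such as HTML Purifier, which keeps only what a policy explicitly permits. The following is an added example of that allowlist approach, written here for this page; it is not RemoveXSS, HTML Purifier or any TYPO3 code, and it is in Python rather than PHP only so it can be run as-is. The policy tables (`ALLOWED_TAGS`, `SAFE_URL_SCHEMES`, `SAFE_CSS_PROPERTIES`) are hypothetical and deliberately small; a real deployment would tune them to the content it must preserve.

```python
"""Allowlist-based HTML sanitizer (added example, not RemoveXSS or HTML Purifier).

The filter never searches for "bad" patterns. It parses the fragment and
re-emits only elements, attributes, URL schemes and CSS properties from a
policy, so a harmless link or coloured span survives while scripts, event
handlers, javascript: URLs and url()/expression() CSS values do not.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: element -> attributes allowed on it. Everything else,
# including every on* event handler, is dropped by omission.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "p": {"style"},
    "span": {"style"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
SAFE_CSS_PROPERTIES = {"color", "background-color", "font-weight",
                       "font-style", "text-align"}
# Keywords, hex colours and percentages only; no parentheses, so url(...)
# and expression(...) can never pass.
CSS_VALUE_RE = re.compile(r"^[A-Za-z0-9#%.\- ]+$")


def clean_href(value):
    """Return the URL if it is relative or uses an allowed scheme, else None."""
    # Browsers ignore embedded control characters when reading a URL, so
    # remove them before looking at the scheme (handles "java\tscript:").
    cleaned = re.sub(r"[\x00-\x1f]", "", value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in SAFE_URL_SCHEMES:
        return cleaned
    return None


def clean_style(value):
    """Keep only allowlisted CSS declarations whose values are plain tokens."""
    kept = []
    for declaration in value.split(";"):
        prop, sep, val = declaration.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if sep and prop in SAFE_CSS_PROPERTIES and CSS_VALUE_RE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.open_tags = []   # allowed elements currently open, for balanced output
        self.drop_depth = 0   # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself but keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue
            if name == "href":
                value = clean_href(value)
            elif name == "style":
                value = clean_style(value)
            if value:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if tag in self.open_tags:
            # Close anything still open inside it so the output stays balanced.
            while True:
                open_tag = self.open_tags.pop()
                self.parts.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.parts.append(html.escape(data, quote=False))  # re-escape text

    def result(self):
        self.close()
        while self.open_tags:
            self.parts.append(f"</{self.open_tags.pop()}>")
        return "".join(self.parts)


def sanitize(fragment):
    """Sanitize one HTML fragment according to the policy above."""
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(fragment)
    return sanitizer.result()


if __name__ == "__main__":
    # Constructed inputs: a harmless link and a styled span survive intact.
    print(sanitize('<a href="https://typo3.org/">TYPO3</a>'))
    print(sanitize('<span style="color: red; background: url(x)">hi</span>'))
```

Comments, processing instructions and unknown elements are discarded by the parser callbacks that are not overridden, so the only way content reaches the output is through the explicit policy. This is the property that distinguishes the approach from a pattern-stripping filter: adding a permitted tag or CSS property widens the policy without reopening the question of which browser quirks the blocklist forgot.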