[TYPO3-core] RFC: #11019: User Setup Rewrite #4

Steffen Kamper info at sk-typo3.de
Thu May 21 16:52:05 CEST 2009


Hi Rupi,

Rupert Germann wrote:
> hi Steffen,
> 
> ok, but ... ;-)
> did you know that there's a function called t3lib_div::rmFromList() ?
> or alternatively: t3lib_div::removeArrayEntryByValue() would also be an
> option here since $fieldList is converted to an array anyway.
>

Funny, I searched for it but overlooked it. Naming rm... okay :)
removeArrayEntryByValue would be the wrong one, as 
removeArrayEntryByKey would be needed. But now you did it with rmFromList, fine!


>>> * most of the htmlspecialchars() calls are not needed because they are
>>> applied to strings which are ascii anyway eg. columnnames.
>> as you said: don't trust. It's more secure to do this to avoid tamper
>> manipulated data.
> 
> yes that's of course true for things that come from outside or have
> non-predictable content like csh items but something like
> htmlspecialchars($config['type']) is definitely unnecessary since $config
> can't be manipulated from outside.
>

Think of an editor who tries to hack in on the way to getting admin rights. 
Security isn't bad at all.

> One little thing more: I changed the position of the closing div which wraps
> the complete module output because it was added after the closing <html>
> tag.
> 
fine

> I attached a v6 patch which includes the mentioned changes.
> 

I tested v7 but it didn't apply cleanly; did you use the latest trunk? I'll 
try it online now.

Thx for your help, teamwork gets the best out of it.

Regards, Steffen

