[TYPO3-core] RFC #15504: Description of TYPO3_CONF settings should allow HTML markup for readability

David Bruchmann typo3-team-core at bruchmann-web.de
Thu Aug 19 18:14:19 CEST 2010


----- Original Message -----
From:       Ernesto Baschny [cron IT] <ernst at cron-it.de>
Sent:       Thursday, 19 August 2010 17:51:57
To:         typo3-team-core at lists.typo3.org
CC:
Subject:    Re: [TYPO3-core] RFC #15504: Description of TYPO3_CONF settings should allow HTML markup for readability

Hi Ernesto,

>>
>> I didn't test it and you can correct me if I'm wrong:
>>
>> Is it possible to insert iframes or script-tags?
>>
>> If yes: is it a security issue perhaps?
>
> Everything is possible. It is a security issue if some patch enters that
> core that includes them. The whole config_default.php is not written by
> anyone except the core developers. You'll have to trust us.  ;)
>
>

As long as it isn't possible to override the settings by (fake or 
changed) extensions, I trust you without any doubts.
But I propose to exclude some elements like iframes, script, flash and 
canvas, perhaps to exclude those possibilities in general, because as far 
as I know the settings can be changed from every extension or script 
without much know-how.
Hope you don't think I'm paranoid ;)

Greets,
David
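
The exclusion David proposes above, sketched as an allowlist filter in PHP. This is an added example, not code from the thread or from TYPO3; the function name `sanitizeSettingDescription`, the tag allowlist and the sample input are assumptions. It keeps a few formatting tags rather than blocking named ones, because stripping only iframe and script would still leave event-handler attributes and `javascript:` links in place.

```php
<?php
// Added illustration only; not TYPO3 core code. The function name and the
// allowlist are assumptions chosen for this example.

function sanitizeSettingDescription(string $html): string
{
    // Formatting tags a description plausibly needs. Anything not listed
    // (script, iframe, object, embed, canvas, ...) is removed with its content.
    $allowedTags = ['p', 'br', 'b', 'strong', 'i', 'em', 'code', 'pre', 'ul', 'ol', 'li', 'a'];

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    // The XML declaration prefix makes libxml treat the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }

    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('.//*', $body)) as $element) {
        if (!in_array(strtolower($element->nodeName), $allowedTags, true)) {
            $element->parentNode->removeChild($element);
            continue;
        }
        // Drop every attribute (onclick, style, src, ...); keep only http(s) links.
        foreach (iterator_to_array($element->attributes) as $attribute) {
            $isSafeLink = $element->nodeName === 'a'
                && $attribute->nodeName === 'href'
                && preg_match('#^https?://#i', $attribute->nodeValue) === 1;
            if (!$isSafeLink) {
                $element->removeAttribute($attribute->nodeName);
            }
        }
    }

    $clean = '';
    foreach ($body->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

// Constructed sample input, not taken from config_default.php.
$description = 'Enable <b onclick="alert(1)">strict</b> matching.'
    . '<script>alert(2)</script><iframe src="http://example.invalid/"></iframe>'
    . ' See <a href="javascript:alert(3)">notes</a>.';
echo sanitizeSettingDescription($description), PHP_EOL;
```

Markup that the parser places outside the body, such as a leading script element, is discarded as well, so the filter fails closed.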

