[TYPO3-core] RFC: #13133: File list cancel button does not respect returnUrl
Steffen Kamper
info at sk-typo3.de
Wed Jan 6 13:40:00 CET 2010
Georg Ringer wrote:
> On 02.01.2010 15:58, Steffen Kamper wrote:
>> Solution:
>> When returnUrl exists, make the redirect.
>
> -1 from me as member of the Security Team because this introduces XSS!
>
> PoC would be
> &returnUrl=javascript:alert(123)
>
> Georg
Wrong - this is not related to this patch. Please contact Helmut for
details.
Regards, Steffen
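
The returnUrl value in the quoted PoC uses a `javascript:` scheme. The following is an added example, not part of this thread or of the TYPO3 patch, showing one way to restrict such a parameter to same-origin HTTP(S) targets before redirecting; the function name `safeReturnUrl`, the base URL and the fallback path are assumptions made for illustration.

```javascript
// Added example: constrain a returnUrl parameter before redirecting to it.
// BASE and FALLBACK are constructed values, not paths taken from TYPO3.
const BASE = "https://cms.example/typo3/";
const FALLBACK = "/typo3/";

function safeReturnUrl(returnUrl, base = BASE, fallback = FALLBACK) {
  if (typeof returnUrl !== "string" || returnUrl === "") return fallback;
  let target;
  try {
    // Resolve the value the way a browser would, so forms such as
    // "//host", "/\host" or "java<TAB>script:" are judged by what
    // they actually resolve to, not by how the raw string looks.
    target = new URL(returnUrl, base);
  } catch {
    return fallback; // unparsable input
  }
  // Only plain web schemes: rejects javascript:, data:, vbscript:, ...
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallback;
  }
  // Same scheme, host and port as the application itself.
  if (target.origin !== new URL(base).origin) return fallback;
  // Hand back the parsed, normalised local part, never the raw input.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs, including the value from the quoted PoC.
const samples = [
  "mod.php?id=12#top",
  "javascript:alert(123)",
  "//evil.example/x",
  "/\\evil.example/x",
  "java\tscript:alert(1)",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeReturnUrl(s));
}
```

The same allow-list logic belongs on the server side wherever the redirect is actually issued; a check performed only in the browser can be bypassed.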