[TYPO3-core] RFC #15227: Bug: class.tslib_content.php returns unfiltered data

Roland Schenke rs at kruselenz.com
Mon Jul 26 04:26:51 CEST 2010


Hi Jigal,

Am 26.07.2010 um 00:23 schrieb Jigal van Hemert:

> Roland Schenke wrote:
>> Problem: In function class.tslib_content.php::MULTIMEDIA() one has
>> the ability to specify height and width parameters for such objects
>> via Typoscript. In Lines 2632, 2633 and 2639, 2640 these values are
>> assigned unfiltered to html attributes which are part of the <embed>
>> tag that is used to embed the defined Object like Movies, Flash
>> Applications or JAVA Class Files.
>> Solution: apply intval() as integer seems to be the desired datatype
> 
> Is it? W3C mentions that width and height may also be a percentage.
> 
> Sorry, -1 for not allowing percentages.

thanks for mentioning W3C. After reading the official specification for HTML 4.01, I found out that <embed> has never been an official tag in HTML 4.01 and that <applet> is deprecated.
Of course this does not solve our problem. The height and width parameter of the currently used tags as well as of the preferred <object> tag can indeed have a percent '%' sign or an asterisk '*' for so-called MultiLength. http://www.w3.org/TR/html401/types.html#type-length

How would you handle this?
In my opinion one could use a regular expression like /^[0-9]+[&|*]?$/ or check with strpos() for a % or * and use something like sprintf() for the output.
For the sake of completeness and if not using regular expressions, if one would use something like 123%* or 1*% I would suggest only taking the first character since the recommendation states that in case of MultiLength the value before '*' has to be an integer.

Once again this might seem trivial, but how does the TYPO3 Core Team think about this kind of issue? Like Helmut Hummel wrote, as an admin or extension developer one is responsible for writing secure code and secure Typoscript. Whether this is a critical exploit or not, I still think it deserves attention.

--
Mit freundlichen Grüßen / Best regards

Roland Schenke
Forschung und Entwicklung

K & L Internet Service
Kruse & Lenz GbR - Vrestorfer Weg 5 - 21339 Lüneburg

Fon    : 0176 / 46534665
E-Mail : info at kruselenz.com
Web    : www.kruselenz.com

*** Internetauftritte * CMS * Webshops * Hosting * Grafik *** 
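As an added illustration of the validation discussed in this thread (my own example code, not TYPO3 core code): a PHP function that accepts a width/height value only if it matches the HTML 4.01 Length/MultiLength grammar Roland links to (pixels, percentage, or `N*` / `*`), and an attribute builder that uses it. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not TYPO3 core code. Validates a width/height value against the
// HTML 4.01 Length / MultiLength grammar before it is placed in an attribute:
//   "320"  pixels, "50%" percentage, "3*" or "*" relative (MultiLength).
// Any other value (e.g. "12px", "123%*", or anything containing quotes) is
// rejected and the caller's default is used instead.
// See http://www.w3.org/TR/html401/types.html#type-length

function sanitizeHtmlLength(string $value, string $default = ''): string
{
    $value = trim($value);
    // Integer, optionally followed by exactly one '%' or '*', or a lone '*'.
    if (preg_match('/^(?:[0-9]+[%*]?|\*)$/', $value) === 1) {
        return $value;
    }
    return $default;
}

// Hardened counterpart of the pattern in the bug report: every attribute
// value is either validated by sanitizeHtmlLength() or HTML-escaped.
function buildEmbedTag(string $src, string $width, string $height): string
{
    $attrs = ['src' => htmlspecialchars($src, ENT_QUOTES, 'UTF-8')];

    $w = sanitizeHtmlLength($width);
    $h = sanitizeHtmlLength($height);
    if ($w !== '') {
        $attrs['width'] = $w;
    }
    if ($h !== '') {
        $attrs['height'] = $h;
    }

    $out = '<embed';
    foreach ($attrs as $name => $val) {
        $out .= sprintf(' %s="%s"', $name, $val);
    }
    return $out . ' />';
}

// Constructed sample inputs (not from the thread); the last two are rejected.
assert(sanitizeHtmlLength('320') === '320');
assert(sanitizeHtmlLength('100%') === '100%');
assert(sanitizeHtmlLength('2*') === '2*');
assert(sanitizeHtmlLength('*') === '*');
assert(sanitizeHtmlLength('123%*') === '');
assert(sanitizeHtmlLength('12px', '100%') === '100%');

echo buildEmbedTag('movie.swf', '100%', '12px'), "\n";
```

Run with `php example.php`; the rejected height is simply omitted from the generated tag, so a malformed TypoScript value never reaches the attribute.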
