[TYPO3-core] RFC: Bug #15289: Element-Browser page tree has HSC'ed <span> elements

Helmut Hummel helmut at typo3.org
Sat Jul 31 16:17:54 CEST 2010


Hi Olly,

On 30.07.10 15:22, Oliver Hader wrote:
> 
> Notes: I'm kindly asking someone of the TYPO3 Security Team to also have
> a look at this issue. Thanks!

Security-wise, your patch was just fine. However, I suggest removing all
hsc in the wrapTitle() functions since $title is always
expected to be already escaped. This is done in getTitleStr() except for
the domain name, as you pointed out.

Besides that, there was only one place where wrapTitle() was called with
an unescaped string, so I added a hsc at the function call.

Find the updated patch attached.

Regards Helmut
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0015289_v2.patch
Type: text/x-patch
Size: 2561 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100731/6fb402b1/attachment.bin>
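
The escaping contract discussed in the message above, as an added example that is not part of the original post, the attached patch, or TYPO3 core. The function bodies are simplified stand-ins that reuse the names getTitleStr() and wrapTitle(); the `hidden` flag, the `data-uid` attribute and the sample values are assumptions made for illustration.

```php
<?php
// Simplified stand-ins, not TYPO3 core code: only the escaping contract matters.

// Producer: escapes the raw title exactly once and returns HTML-safe markup.
function getTitleStr(array $row): string {
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    // Hypothetical decoration: the producer may add its own trusted markup.
    return $row['hidden'] ? '<span class="hidden">' . $title . '</span>' : $title;
}

// Before: the wrapper escapes again, so the producer's <span> and its
// entities are encoded a second time and show up as literal text.
function wrapTitleDoubleEscaped(string $title, int $uid): string {
    return '<a href="#" data-uid="' . $uid . '">'
        . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a>';
}

// After: the wrapper relies on "already escaped" input and adds no escaping.
function wrapTitle(string $escapedTitle, int $uid): string {
    return '<a href="#" data-uid="' . $uid . '">' . $escapedTitle . '</a>';
}

// Constructed sample data.
$row = ['title' => 'News & <b>Events</b>', 'hidden' => true];
$rawDomain = 'www.example.org "<staging>"';

// 1) Double escaping: the output contains &lt;span ...&gt; and &amp;amp;.
echo wrapTitleDoubleEscaped(getTitleStr($row), 1), "\n";

// 2) Escaped once by the producer, passed through untouched by the wrapper.
echo wrapTitle(getTitleStr($row), 1), "\n";

// 3) A caller holding a raw string (here a domain name) escapes at the call
//    site, because the wrapper no longer does it.
echo wrapTitle(htmlspecialchars($rawDomain, ENT_QUOTES, 'UTF-8'), 2), "\n";
```

Once the wrapper stops escaping, every call site that passes a raw string becomes responsible for the escape, so each caller has to be audited when such a contract changes.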

