[TYPO3-core] RFC #12990 : referrer in felogin form is not encoded correctly

Jigal van Hemert jigal at xs4all.nl
Sun May 30 22:29:30 CEST 2010


Steffen Kamper wrote:
> Martin Kutschker schrieb:
>> Benjamin Mack schrieb:
>>> Hey Jigal,
>>>
>>> just by reading: the function is "htmlspecialchars()" not
>>> "htmlspecialchar()". Also, any steps on how to produce this obvious one
>>> quickly?
>>>
>>> Steffen K: I think there was a recent RFC (two months ago or so) where
>>> rawurlencode() was introduced. Any reasons why we used "rawurlencode()"
>>> and not HSC?
> the reason is/was simple: referrer may contain urls with params like ? 
> and &. If this is used in url as single parameter, rawurlencoded is needed.
> I don't see that HSC is correct here.

If the referrer URL were used inside another URL (like in 
http://domain.ext?redirectUrl=<referrer> ) rawurlencode would be needed. 
In this case it is inserted in a form field value and thus HSC is correct.

-- 
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
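An added example, not part of this thread or of TYPO3's felogin code, that shows the two contexts distinguished above: the referrer placed in a hidden form field value (HTML attribute context) versus the referrer placed as a parameter of another URL (URL context). The sample referrer string, the base URL and the `hiddenField()` / `redirectLink()` helpers are constructed for illustration.

```php
<?php
// Added example (not TYPO3 code): the same referrer value needs a different
// encoding depending on the context it is inserted into.

// Constructed sample referrer: it contains characters that are significant in
// a URL (? and &) as well as characters significant in HTML (" < >).
$referrer = 'http://domain.ext/index.php?id=42&foo=bar"><b>x</b>';

// Context 1: value of a hidden form field, i.e. an HTML attribute.
// htmlspecialchars() with ENT_QUOTES turns " < > & into entities, so the
// value cannot terminate the attribute or inject markup. The characters
// ? and & are harmless inside an attribute and need no URL encoding here.
function hiddenField(string $name, string $value): string
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

// Context 2: query-string parameter of another URL, i.e. a URL context.
// rawurlencode() percent-encodes ? & = and friends, so the whole referrer
// stays one parameter instead of being split into several by the next ? or &.
function redirectLink(string $base, string $referrer): string
{
    return $base . '?redirectUrl=' . rawurlencode($referrer);
}

// Both encodings apply when the link is itself printed into HTML (an href):
// URL-encode the parameter first, then HSC the complete URL for the attribute.
function redirectAnchor(string $base, string $referrer, string $label): string
{
    $url = redirectLink($base, $referrer);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Mixing the contexts up is what the thread is about:
//  - rawurlencode() in the attribute context produces a percent-encoded value
//    that the browser submits as-is, so the server receives "http%3A%2F%2F..."
//    and has to decode it a second time before it can redirect.
//  - htmlspecialchars() in the URL context leaves ? and & untouched, so the
//    referrer's own parameters leak into the outer URL's query string.
echo hiddenField('redirect_url', $referrer), PHP_EOL;
echo redirectLink('http://domain.ext/', $referrer), PHP_EOL;
echo redirectAnchor('http://domain.ext/', $referrer, 'back'), PHP_EOL;
```

The rule of thumb the example encodes: pick the encoding by the context the value lands in (HTML attribute or URL parameter), not by the characters the value happens to contain, and when a value passes through both contexts apply both encodings, innermost first.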

