[TYPO3-core] RFC: #15812: Add backend maintenance for login news
François Suter
fsu-lists at cobweb.ch
Tue Oct 5 22:25:56 CEST 2010
Hi,
> I didn't follow the total thread, but thought this was the outcome of
> the discussion, whether an admin can be considered evil or not...
Look at many of the recent security fixes that were applied to the core.
Quite a few of them were exploitable only by admins. Actually I'm surprised
at how subdued the Security Team has been on this subject. We have spent
quite some effort fixing admin-exploitable XSS in a number of places, so
I'm not really keen on introducing new holes.
As for the reliability of removeXSS, it has been discussed in this very
thread. It seems like the Security Team thinks it is not reliable. Jigal
offered to improve it, but I don't know the status of this.
I would very much like a clear statement from the Security Team before
introducing HTML in here, although I definitely agree that it would be very
useful.
Cheers
--
Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
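The message above contrasts a filter-based approach (removeXSS) with the risk of letting admins enter HTML at all. As an added illustration of the defensive alternative, not code from this thread or from TYPO3 itself, the following Python block shows the two options a maintainer has for rendering admin-supplied login news: escape everything (no HTML at all), or accept only an explicit allowlist of tags and attributes and drop everything else, which is the opposite of a denylist filter that tries to recognise malicious input. The tag set, the `render_plain` and `render_allowlisted` names and the sample news text are assumptions made for this example.

```python
"""Rendering admin-supplied login news: escape-all vs. tag allowlist.

Constructed example; not TYPO3's removeXSS and not part of the original thread.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for login news: simple formatting plus links.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # every other attribute is dropped
SAFE_SCHEMES = {"http", "https"}     # only absolute http(s) links survive


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup, keeping only allowlisted tags and attributes.

    Anything not on the allowlist is removed rather than "cleaned": unknown
    tags vanish (their text content is kept, re-escaped), <script>/<style>
    bodies are discarded entirely, and text is always HTML-escaped on output.
    Tag balancing is not enforced; that is left to the browser's parser.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a <script> or <style> body

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and urlsplit(value or "").scheme not in SAFE_SCHEMES:
                continue  # relative links and non-http(s) schemes are dropped
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        if tag == "br":
            self.out.append("<br>")
        else:
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; escape on output so
        # literal '<' and '&' in the news text cannot form new markup.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def render_plain(text):
    """Option 1: no HTML at all. Every character is escaped."""
    return html.escape(text, quote=True)


def render_allowlisted(text):
    """Option 2: HTML allowed, but only the allowlisted subset is emitted."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what an admin might type into the news field.
    sample = '<p onclick="x()">Maintenance <b>tonight</b>, 1 &lt; 2</p>'
    print(render_plain(sample))
    print(render_allowlisted(sample))
```

The design point is that the allowlist never has to recognise what an attack looks like; it only has to know what legitimate news markup looks like, which is a much smaller and more stable set.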
More information about the TYPO3-team-core mailing list