[TYPO3-core] RFC: #15812: Add backend maintenance for login news
Jigal van Hemert
jigal at xs4all.nl
Mon Sep 27 17:10:05 CEST 2010
Hi,
On 26-9-2010 16:45, Ingo Renner wrote:
> looks good, I just tweaked it a bit and also removed the strip_tags()
> call for the header. I initially put them in to prevent XSS, but now
> that we allow HTML in content, there's no need for it anymore...
Now an admin can introduce XSS in the news messages. The header text is
htmlspecialchars'ed, but the body text isn't. It can easily be processed
by RemoveXSS::process(), can't it?
I tried it with < script >alert('XSS');< /script > (without the spaces)
in both header and text, but it triggered my Antivirus software in the
temporary internet files.
Trying to delete the System News record resulted in a red flash message:
1: Attempt to delete record without delete-permissions
The record is however deleted (deleted is set to 1). I tested it with a
record with only a single word in both header and text, but the same
result here when deleting the record.
Overall I like the fact that this feature can be used more easily,
however the problems I encountered need fixing IMO.
--
Kind regards / met vriendelijke groet,
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
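The point raised above is the difference between the two fields: the header is plain text and can simply be HTML-escaped, while the body is meant to carry HTML and therefore needs a sanitizer rather than either strip_tags() or htmlspecialchars(). The following PHP is an added illustration of that split, not code from this thread or from TYPO3 core; the function names, the small tag and attribute allowlist, and the href scheme check are all hypothetical choices made here, and the allowlist approach is a stand-in for (not a description of) what RemoveXSS::process() does.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Header: plain-text context, so it is
// HTML-escaped. Body: HTML is permitted, so it is run through a hypothetical
// allowlist sanitizer that keeps a few harmless tags and drops everything else.

function renderNewsHeader(string $header): string
{
    // Plain-text context: every HTML-significant character is encoded.
    return htmlspecialchars($header, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hypothetical allowlist: tag => attributes that tag may keep. */
const NEWS_BODY_ALLOWED = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href'],
];

function renderNewsBody(string $body): string
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // sloppy editor markup is expected
    $dom->loadHTML('<div>' . $body . '</div>');      // parser wraps this in html/body
    libxml_use_internal_errors($previous);

    $container = $dom->getElementsByTagName('div')->item(0);
    if ($container === null) {
        return '';
    }
    sanitizeChildren($container);

    // Serialize only the children of our wrapper, not the implied html/body.
    $out = '';
    foreach ($container->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $parent): void
{
    // Walk a snapshot: removing nodes from a live DOMNodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                                // saveHTML() encodes text nodes
        }
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        if ($tag === '' || !isset(NEWS_BODY_ALLOWED[$tag])) {
            $parent->removeChild($child);            // comments, script, style, unknown tags
            continue;
        }
        $keep = NEWS_BODY_ALLOWED[$tag];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            // Drop any attribute not on the allowlist (event handlers, style, ...)
            // and any href whose scheme is not http(s), mailto or a relative URL.
            $badHref = $name === 'href'
                && !preg_match('~^(https?:|mailto:|/|#)~i', trim($attr->value));
            if (!in_array($name, $keep, true) || $badHref) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeChildren($child);
    }
}

// Constructed probe: the script payload from the thread plus an inline event
// handler and a javascript: link, to exercise both tag and attribute filtering.
$probe = "<script>alert('XSS');</script>"
    . "<p onclick=\"alert(1)\">Hello <a href=\"javascript:alert(1)\">link</a></p>";
echo renderNewsHeader($probe), PHP_EOL;
echo renderNewsBody($probe), PHP_EOL;
```

Run with `php news_escaping.php`: the header is printed as escaped text, so the script element is displayed rather than executed, and the body keeps the paragraph and link text but loses the script element, the onclick attribute and the javascript: href. Dropping disallowed elements outright is the simplest safe choice; a friendlier variant unwraps harmless unknown tags such as `<b>` while still deleting script and style together with their contents.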