[TYPO3-core] RFC: #15812: Add backend maintenance for login news
Steffen Kamper
info at sk-typo3.de
Mon Sep 27 17:26:16 CEST 2010
Hi,
Jigal van Hemert wrote:
> Now an admin can introduce XSS in the news messages. The header text is
> htmlspecialchars'ed, but the body text isn't. It can easily be processed
> by RemoveXSS::process(), can't it?
>
This is something I will never understand. An admin already has full
access, so why should he build in an alert with XSS?
Sorry, this makes no sense at all to me.
vg Steffen
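The situation Jigal describes, the header being passed through htmlspecialchars() while the body is output raw, as an added illustration that is not code from this thread or from TYPO3. The two render functions, the field names and the sample record are constructed for the example; the hardened variant simply applies the same output escaping to both fields.

```php
<?php
// Added example (not TYPO3 code): renders one login-news entry.
// "Before" variant, mirroring the thread: only the header is escaped,
// the body is concatenated into the page as-is.
function renderNewsUnescapedBody(string $header, string $body): string
{
    return '<h3>' . htmlspecialchars($header, ENT_QUOTES, 'UTF-8') . '</h3>'
         . '<div>' . $body . '</div>';
}

// Hardened variant: both fields are escaped on output, so markup stored
// in the body is shown as text instead of being interpreted by the browser.
function renderNewsEscaped(string $header, string $body): string
{
    return '<h3>' . htmlspecialchars($header, ENT_QUOTES, 'UTF-8') . '</h3>'
         . '<div>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Simple output check: after escaping, no raw tag may survive in the HTML.
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed sample record with markup in both fields.
$header = 'Maintenance <b>tonight</b>';
$body   = 'Backend offline from 22:00 <script>alert(1)</script>';

$before = renderNewsUnescapedBody($header, $body);
$after  = renderNewsEscaped($header, $body);

echo $before, PHP_EOL;   // <b> is escaped, <script> is not
echo $after,  PHP_EOL;   // both appear as &lt;b&gt; and &lt;script&gt;

var_dump(containsRawTag($before, 'script')); // bool(true)
var_dump(containsRawTag($after,  'script')); // bool(false)
```

The check at the end is the kind of assertion a unit test for the rendering step could carry: whatever the stored record contains, the rendered output should never hold an unescaped tag from either field.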