[TYPO3-core] RFC #17133: Pagetree - qtip can be used to execute custom javascript (XSS)
Steffen Kamper
info at sk-typo3.de
Wed Jan 19 01:43:23 CET 2011
Hi,
important to say that this is double HSC
t3lib_BEfunc::titleAttribForPages returns this:
$out = htmlspecialchars(implode(' - ', $parts));
and in the patch this is done second time.
This is due to the fact that ExtJS tooltips decode the content,
so 1 + 1 - 1 = 1 :)
+1 by reading.
vg Steffen