[TYPO3-core] [TYPO3-v4] Re: FYI: #17162: Missing localization in t3lib_tsstyleconfig

[Helmut Hummel]

Hi,

let's move this discussion to typo3.projects.v4

Am 20.01.2011 13:54, schrieb Steffen Kamper:
>>
>> Please add htmlspecialchars around $extKey, just in case...
>
> don't think that is needed. The extkey also is the name of the extension
> directory, any invalid strings can't exist there.
> $extKey is not HSCed at other places, if you find a possible evil please
> let me know.

It's not really about security in this case, but about best practice.
If you output data into a HTML context which is not completely under 
your control, encode it for that context (htmlspecialchars in that 
case). If you do it every time, XSS exploitability fades away.

Same goes for the Label btw. It could contain a "&" in some language, 
e.g. "Fire & Forget" ;)
So adding TRUE as second parameter for the sL() call would be good.
(I would also tend to set this as default, but this is another topic.)

And "Helmuts&Steffens-Extension" isn't a valid extkey but still a valid 
directory name.

Another benefit is, that if you look at this part of the code, you 
immediately see that it is sane, without searching if some validation or 
filtering is done on these strings before.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org