During the TYPO3 Developer Days this year I hosted a workshop about security problems which are probably not well known by TYPO3 integrators or extension developers.
The slides for this workshop are available on sildeshare.
Since there was not enough time to tackle everything I had in the slides, I’d like to add two things I find important to know about.
First of all I mentioned in the workshop that plain TypoScript could introduce security holes that are not that obvious at first sight. You can look that up in the slides or in an older post of mine. In the latter I also mentioned that Jigal wrote an excellent article about how to securely build SQL queries with Typoscript when you really need string input from untrusted sources.
However I would not recommend doing complicated queries with the TypoScript CONTENT object especially not with user input involved. It is still hard to see what the resulting query would look like when writing the TypoScript so it is very likely to overlook some (security related) problems.
Flash messages view helper in Fluid
If you are developing Extbase extensions, you most likely know about and use flash messages.
$this->flashMessageContainer->add('Added Article: ' . $article->getTitle());
In this case some user input is provided in the flash message. This is no problem, if you render the flash messages in your template like this:
All flash messages that are rendered are properly HTML-encoded
But if you use the renderMode div like that:
<f:flashMessages renderMode="div" />
The output is not encoded at all! This means if you put user input into your flash messages and use renderMode div then your code is susceptible to Cross-Site Scripting.
OK, that’s it for now. I hope you enjoyed my workshop and learned something new.
Have a good time and stay secure!