Inside TYPO3

< 3.10.4. PHP settings  Table Of Content 3.10.6. XSS (Cross Site Scripting) >

3.10.5. Notice!

Generally, backend users in TYPO3 are expected to be trusted to a certain degree. At least TYPO3 assumes that you are in control of your backend users to a large extend and have a good grip on their intentions. Therefore you should be aware that:

  1. Backend users are typically allowed to create HTML content elements which inserts pure HTML on webpages! Other elements allow for the same and there are many places where URLs are possible to insert. All of this means one thing: Ordinary backend users maintaining content can exploit XSS techniques since they can insert content on pages! This is not a bug in TYPO3 but a "feature" which is impossible to avoid if you at the same time want people to do exactly that; insert pure HTML on pages!
    Of course the problem is not big; you can always track down which user might have inserted malicious code on the pages through the backend log!

To top


Valid XHTML 1.0!