
📚 [DOC] Documentation of security relevant information

Open simonschaufi opened this issue 4 years ago • 3 comments

  • [ ] How to make extbase controller actions secure

simonschaufi avatar Sep 21 '21 12:09 simonschaufi

  • include check for access rights (FE and / or BE)
  • common type-checks / requirements / conversion
  • parse & filter text if advisable (strip html, add quotes, htmlentities for html, sql, etc. from user input)
  • for any keys like API keys create models that could be protected somehow to access the keys

some things could be candidates for being solved with AOP

DavidBruchmann avatar Sep 21 '21 13:09 DavidBruchmann

TYPO3 does not support AOP, but I guess many people are unaware of the initialize* actions, which is the right place to do that in my opinion

simonschaufi avatar Sep 21 '21 14:09 simonschaufi
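As an added illustration of the checklist above (access-rights check, type checks, filtering of user input) and of the point that `initialize*` actions are the place to do it, here is an example controller. It is not code from extension_builder or from the TYPO3 core; it assumes TYPO3 v11 or later (for `PropagateResponseException` and `htmlResponse()`), and the vendor namespace, controller name, group uid and exception code are constructed placeholders.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Controller;

use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Http\PropagateResponseException;
use TYPO3\CMS\Core\Http\Response;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

/**
 * Hypothetical Extbase controller. Extbase calls initializeAction()
 * before every action and initialize<Name>Action() before that one
 * action, both BEFORE request arguments are mapped to the action
 * parameters, so this is where access checks and shape checks on raw
 * input belong.
 */
class NoteController extends ActionController
{
    /** Frontend user group allowed to edit notes (constructed value). */
    private const EDITOR_GROUP_UID = 3;

    /** Applies to all actions: require a logged-in frontend user. */
    protected function initializeAction(): void
    {
        $context = GeneralUtility::makeInstance(Context::class);
        if (!$context->getPropertyFromAspect('frontend.user', 'isLoggedIn')) {
            $this->deny('login required');
        }
    }

    /** Applies to updateAction() only: group membership plus a raw-input shape check. */
    protected function initializeUpdateAction(): void
    {
        $context = GeneralUtility::makeInstance(Context::class);
        $groupIds = $context->getPropertyFromAspect('frontend.user', 'groupIds');
        if (!in_array(self::EDITOR_GROUP_UID, $groupIds, true)) {
            $this->deny('editor group required');
        }

        // Arguments are still unmapped strings here; reject anything that is
        // not a plain positive integer before the property mapper sees it.
        if (!$this->request->hasArgument('uid')
            || !ctype_digit((string)$this->request->getArgument('uid'))
        ) {
            $this->deny('invalid uid');
        }
    }

    /**
     * Typed parameters make Extbase convert and validate the request
     * arguments; a non-numeric "uid" never reaches the action body.
     */
    public function updateAction(int $uid, string $title): ResponseInterface
    {
        // Fluid escapes output by default, so only normalise what is stored:
        // strip markup from a field that is meant to be plain text.
        $this->view->assign('uid', $uid);
        $this->view->assign('title', strip_tags($title));
        return $this->htmlResponse();
    }

    /** Stops the request with a 403 instead of running the action. */
    private function deny(string $reason): void
    {
        $response = new Response('php://temp', 403, ['Content-Type' => 'text/plain; charset=utf-8']);
        $response->getBody()->write('Forbidden: ' . $reason);
        // Exception code is a constructed placeholder (TYPO3 uses timestamps).
        throw new PropagateResponseException($response, 1600000000);
    }
}
```

Backend-side checks follow the same pattern with the `backend.user` context aspect (`isLoggedIn`, `isAdmin`) in place of `frontend.user`. Throwing `PropagateResponseException` from an `initialize*` method is what makes the denial effective: simply returning would let Extbase continue into the action.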

Yes, as far as possible, that's correct. Wasn't sure if TYPO3 got or gets AOP; "probably it won't be included" was the statement I once got.

DavidBruchmann avatar Sep 21 '21 15:09 DavidBruchmann