
Update / Extend existing "Extensions Development" section in "Security Guide"

Open sypets opened this issue 2 years ago • 0 comments

Update: There is already plan by Security Team to work on new chapter and examples (see Slack).

todo

  • [ ] contact security team / Torben Hansen and add current status / plans to issue

Current behavior

"Extension Development" (in "Security Guide") exists since v11.

It mostly consists of migrated docs parts which already existed, see "git blame": https://github.com/TYPO3-Documentation/TYPO3CMS-Reference-CoreApi/blame/main/Documentation/Security/GuidelinesExtensionDevelopment/Index.rst

Expected behavior/output

  • extend "Extension Development" to contain all relevant parts and link to existing documentation
  • possibly split up current page into multi-page structure (how to structure? - by technology, e.g. Fluid, Extbase etc. or by vulnerability, e.g. XSS, SQL injection ... ?)
  • find security related extension development information which is currently not documented at all

Possible open questions

  • what about security-related stuff which is already documented outside of "Security Guide", should there still be a section in Security Guide to mention this and link to relevant sections in main docs?
  • what about general information (e.g. about XSS, SQL injection) which is not TYPO3 specific but important to know for developers (e.g. document this | just point to docs elsewhere | entirely skip explaining this)

Links

current docs: https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Security/GuidelinesExtensionDevelopment/Index.html

Additional context

list of already documented security information (developer related)

(incomplete!, work-in-progress) list of already documented information (not in "Security Guide"):

  1. QueryBuilder / ExpressionBuilder escapeLikeWildcards:

->like() and ->notLike() values must be additionally quoted with a call to $queryBuilder->escapeLikeWildcards($value) to suppress the special meaning of % characters from $value.

https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Database/ExpressionBuilder/Index.html#comparisons

  2. QueryBuilder prepared statements / escaping (createNamedParameter, quoteIdentifier)

Always use this when dealing with user input in expressions to protect the statement from SQL injections:

https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Database/QueryBuilder/Index.html#createnamedparameter

  3. CSRF-like request token handling https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Authentication/CSRFlikeRequestTokenHandling.html

  4. Fluid format.raw

PAY SPECIAL ATTENTION TO SECURITY HERE (especially Cross Site Scripting), as the output is NOT SANITIZED! https://docs.typo3.org/other/typo3/view-helper-reference/main/en-us/typo3fluid/fluid/latest/Format/Raw.html

  5. Fluid custom ViewHelper $escapeOutput property

By default, all output is escaped by htmlspecialchars to prevent cross site scripting.

https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Fluid/DevelopCustomViewhelper.html#escaping-of-output

... (wip)

list of not documented security information

tbd

  1. sanitizing input (GET / POST parameters) in $request->getQueryParams()
  • https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/RequestLifeCycle/Typo3Request.html

sypets, Jul 10 '23 08:07
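The escapeLikeWildcards and createNamedParameter items in the list above, as an added PHP example that is not part of the issue or of the TYPO3 documentation it links: a search over the `pages` table in which the user-supplied term is bound with createNamedParameter() (so quotes in it never become SQL text) and its LIKE metacharacters are neutralised with escapeLikeWildcards() (so "100%" matches that literal string rather than everything). The class name PageSearch, the allowlist of sort columns and the TYPO3 v12 method names executeQuery() and fetchAllAssociative() are assumptions; the example also relies on TYPO3's QueryBuilder applying quoteIdentifier() to field names passed to orderBy() itself, which leaves the allowlist as the caller's job for that non-bindable part of the statement.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the issue or from the TYPO3 docs it links.
// Assumes the TYPO3 v12 core database API (Doctrine DBAL wrapper) named in those links.

use TYPO3\CMS\Core\Database\ConnectionPool;

final class PageSearch
{
    /**
     * Column names a caller may sort by. An identifier cannot be bound as a
     * parameter, so it is restricted to an allowlist instead of being taken
     * from the request verbatim.
     */
    private const SORTABLE_COLUMNS = ['title', 'tstamp'];

    public function __construct(private readonly ConnectionPool $connectionPool)
    {
    }

    /**
     * Searches page titles for $term.
     *
     * Unsafe variant this replaces: interpolating $term into the LIKE pattern
     * string, e.g. ->like('title', "'%" . $term . "%'"), which lets both quote
     * characters and LIKE wildcards in $term change the statement.
     *
     * @return array<int, array<string, mixed>>
     */
    public function findByTitle(string $term, string $sortBy = 'title'): array
    {
        if (!in_array($sortBy, self::SORTABLE_COLUMNS, true)) {
            throw new \InvalidArgumentException('Unsupported sort column: ' . $sortBy);
        }

        $queryBuilder = $this->connectionPool->getQueryBuilderForTable('pages');

        // Order matters: escape % and _ in the user value first, then add the
        // wildcards we intend, then bind the whole pattern as a parameter.
        $pattern = '%' . $queryBuilder->escapeLikeWildcards($term) . '%';

        return $queryBuilder
            ->select('uid', 'title')
            ->from('pages')
            ->where(
                $queryBuilder->expr()->like(
                    'title',
                    $queryBuilder->createNamedParameter($pattern)
                )
            )
            // Field name comes from the allowlist; QueryBuilder quotes it as an identifier.
            ->orderBy($sortBy)
            ->executeQuery()
            ->fetchAllAssociative();
    }
}
```

The two calls address different problems and are both needed: a bound parameter alone would still let a term such as `%` match every row, and escaping wildcards alone would still leave quote characters unhandled if the pattern were concatenated into the SQL text.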
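The Fluid $escapeOutput item above, as an added example that is not from the issue or from the TYPO3 docs: a custom ViewHelper that has to emit markup, so it turns Fluid's automatic htmlspecialchars() off, and the escaping of every untrusted argument it then has to do by hand. The namespace Vendor\Example, the ViewHelper name and the http(s)-only scheme check are placeholders and design choices of this example, not TYPO3 conventions.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the issue or from the TYPO3 docs it links.
// Namespace and class name are placeholders; assumes TYPO3 Fluid's AbstractViewHelper API.

namespace Vendor\Example\ViewHelpers;

use TYPO3Fluid\Fluid\Core\ViewHelper\AbstractViewHelper;

/**
 * Renders an external link with rel="nofollow noopener".
 *
 * Because the return value is HTML, $escapeOutput is set to false. From that
 * point on Fluid no longer protects the output, so render() must escape each
 * interpolated value itself.
 */
final class ExternalLinkViewHelper extends AbstractViewHelper
{
    /** Disable automatic htmlspecialchars() on the return value: we emit markup on purpose. */
    protected $escapeOutput = false;

    public function initializeArguments(): void
    {
        $this->registerArgument('href', 'string', 'Target URL', true);
        $this->registerArgument('label', 'string', 'Visible link text', true);
    }

    public function render(): string
    {
        $href = (string)$this->arguments['href'];
        $label = (string)$this->arguments['label'];

        // Only http(s) targets become links; any other scheme degrades to plain text.
        if (!preg_match('#^https?://#i', $href)) {
            return self::escape($label);
        }

        // Every value that reaches the markup goes through escape(), since the
        // automatic escaping that normally does this has been switched off.
        return sprintf(
            '<a href="%s" rel="nofollow noopener">%s</a>',
            self::escape($href),
            self::escape($label)
        );
    }

    /** Same escaping Fluid applies by default, done explicitly. */
    private static function escape(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
```

The pattern to check in review is the pairing: wherever `$escapeOutput = false` appears, every argument and every child content that ends up in the returned string needs an explicit escape call, and the same holds for template code that uses format.raw.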