diff --git a/typo3/sysext/backend/Classes/Controller/Wizard/AddController.php b/typo3/sysext/backend/Classes/Controller/Wizard/AddController.php
index c7d19803fe6b20972300ba425171a8107f182a14..7f1a580540e7f6ced5f0b6155e0034d9861af727 100644
--- a/typo3/sysext/backend/Classes/Controller/Wizard/AddController.php
+++ b/typo3/sysext/backend/Classes/Controller/Wizard/AddController.php
@@ -265,7 +265,7 @@ class AddController extends AbstractWizardController
$redirectUrl = BackendUtility::getModuleUrl('record_edit', array(
'returnEditConf' => 1,
'edit[' . $this->P['params']['table'] . '][' . $this->pid . ']' => 'new',
- 'returnUrl' => GeneralUtility::removeXSS(GeneralUtility::getIndpEnv('REQUEST_URI'))
+ 'returnUrl' => GeneralUtility::getIndpEnv('REQUEST_URI')
));
HttpUtility::redirect($redirectUrl);
}
diff --git a/typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php b/typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php
index 4aa7cd21e0c2eacf9980b7c215e4c22f275ae210..03c24362572e95f81ff879dc15d103d4258ccd58 100644
--- a/typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php
+++ b/typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php
@@ -426,11 +426,10 @@ class LiveSearch
*
* @param string $queryString
* @return void
- * @see \TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS()
*/
public function setQueryString($queryString)
{
- $this->queryString = GeneralUtility::removeXSS($queryString);
+ $this->queryString = $queryString;
}

/**
diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
index 18d975f5e3d562d4ca9417f6a8602d064891f876..fd295beca6e1487b25b089250c8a0dd7e0d649a7 100755
--- a/typo3/sysext/core/Classes/Utility/GeneralUtility.php
+++ b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
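Review bot: The added `'returnUrl' => GeneralUtility::getIndpEnv('REQUEST_URI')` hands the current request URI to the edit module with no validation on this side, so the safety of the later redirect now rests entirely on the receiving module running the parameter through GeneralUtility::sanitizeLocalUrl(); that is presumably the intended contract (the felogin hunk in this commit does the same), but nothing in this hunk shows it. A one-line comment above the array entry would record the dependency: `// returnUrl is passed through raw; the receiving module must validate it with GeneralUtility::sanitizeLocalUrl()`. The enclosing method starts outside the hunk.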
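Review bot: With the removeXSS() call gone, setQueryString() stores the user-supplied term verbatim at `+ $this->queryString = $queryString;`, so every later use of `$this->queryString` has to escape for its own context (htmlspecialchars() for HTML, proper quoting for the database), and the docblock says nothing about that now that the `@see` line is dropped. Suggest `@param string $queryString Raw search term; stored unmodified and must be escaped by the consumer for its output context`. The consumers of the property are outside the hunk, so whether they already escape cannot be confirmed here.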
@@ -249,6 +249,7 @@ class GeneralUtility
*
* @param string $string Input string
* @return string Input string with potential XSS code removed
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
public static function removeXSS($string)
{
@@ -3390,14 +3391,17 @@ class GeneralUtility
* Checks if a given string is a valid frame URL to be loaded in the
* backend.
*
+ * If the given url is empty or considered to be harmless, it is returned
+ * as is, else the event is logged and an empty string is returned.
+ *
* @param string $url potential URL to check
- * @return string either $url if $url is considered to be harmless, or an
+ * @return string $url or empty string
*/
public static function sanitizeLocalUrl($url = '')
{
$sanitizedUrl = '';
- $decodedUrl = rawurldecode($url);
- if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
+ if (!empty($url)) {
+ $decodedUrl = rawurldecode($url);
$parsedUrl = parse_url($decodedUrl);
$testAbsoluteUrl = self::resolveBackPath($decodedUrl);
$testRelativeUrl = self::resolveBackPath(self::dirname(self::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl);
@@ -3410,7 +3414,9 @@ class GeneralUtility
$sanitizedUrl = $url;
} elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/') {
$sanitizedUrl = $url;
- } elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
+ } elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0
+ && $decodedUrl[0] !== '/' && strpbrk($decodedUrl, "*:|\"<>") === FALSE && strpos($decodedUrl, '\\\\') === false
+ ) {
$sanitizedUrl = $url;
}
}
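Review bot: The `@deprecated` tag on removeXSS() comes without a visible `GeneralUtility::logDeprecatedFunction()` call, unlike RemoveXSS::process() later in this commit, although the new changelog promises a log entry for this method. If removeXSS() only delegates to RemoveXSS::process(), the entry is produced indirectly and will name process() rather than removeXSS(); otherwise a direct call as the first statement is missing. The method body is outside the hunk.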
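Review bot: The new docblock paragraph states that a rejected URL is logged, but no logging statement is visible in this hunk or the next one; if the log call sits after the branch chain (outside the hunk) that is fine, otherwise the sentence promises behaviour the function does not have. The shortened `@return string $url or empty string` lost the condition; `@return string $url unchanged if it is accepted, empty string otherwise` keeps the contract readable. The end of the function is outside the hunk.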
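Review bot: The new `strpbrk($decodedUrl, "*:|\"<>") === FALSE && strpos($decodedUrl, '\\\\') === false` rejection is attached only to the relative-path `elseif`; the `elseif` just above it, for paths starting with `/` inside TYPO3_SITE_PATH, still returns `$url` unchanged whatever characters it contains, so the two accepting branches now apply different rules and the test cases added in this commit do not exercise the untouched one. Compute the check once after `$decodedUrl` is assigned, e.g. `$hasUnsafeChars = strpbrk($decodedUrl, "*|\"<>") !== false || strpos($decodedUrl, '\\\\') !== false;`, and add `&& !$hasUnsafeChars` to both site-path branches, keeping only the `:` rejection specific to the relative branch since an absolute URL with a scheme legitimately contains it. Minor style point on the same added line: `=== FALSE` sits next to `=== false`; use lowercase throughout. The first branch of the chain and the end of the function are outside the hunk.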
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Deprecation-76164-DeprecateRemoveXSS.rst b/typo3/sysext/core/Documentation/Changelog/master/Deprecation-76164-DeprecateRemoveXSS.rst
new file mode 100644
index 0000000000000000000000000000000000000000..97ef210270eb4cb6ea7e7231dc2492e57ac1ca73
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Deprecation-76164-DeprecateRemoveXSS.rst
@@ -0,0 +1,30 @@
+=========================================
+Deprecation: #76164 - Deprecate RemoveXSS
+=========================================
+
+Description
+===========
+
+Due to the wrong approach of RemoveXSS it is not 100% secure and does not keep its promise. The following methods have been marked as deprecated:
+
+- :php:``\TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS()``
+- :php:``\RemoveXSS::process()``
+- :php:``\TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter``
+
+
+Impact
+======
+
+Using the mentioned methods will trigger a deprecation log entry
+
+
+Affected Installations
+======================
+
+Instances that use these methods
+
+
+Migration
+=========
+
+Implement a proper encoding by yourself. Use :php:``htmlspecialchars()`` in the context of HTML or :php:``GeneralUtility::quoteJSvalue()`` in the context of JavaScript.
diff --git a/typo3/sysext/core/Resources/PHP/RemoveXSS.php b/typo3/sysext/core/Resources/PHP/RemoveXSS.php
index 7bf25c800184c880ae8912882a32ed72c7e546b5..06d789af93ca224b01446db39dd5432cf2dfe21d 100644
--- a/typo3/sysext/core/Resources/PHP/RemoveXSS.php
+++ b/typo3/sysext/core/Resources/PHP/RemoveXSS.php
@@ -16,6 +16,13 @@
* This code is public domain, you are free to do whatever you want with it,
* including adding it to your own project which can be under any license.
*/
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+
+/**
+ * Class RemoveXSS
+ *
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
+ */
class RemoveXSS
{
/**
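Review bot: The new `use TYPO3\CMS\Core\Utility\GeneralUtility;` ties this file to a TYPO3 core class, while the header comment directly above it still promises that the code is public domain and can be copied into any other project; after this hunk the file no longer works standalone. If that coupling is acceptable for a deprecated file, say so next to the header, e.g. `// Note: since its deprecation this file calls TYPO3\CMS\Core\Utility\GeneralUtility and is no longer standalone.`. The process() method that makes the call is in the next hunk.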
@@ -26,9 +33,11 @@ class RemoveXSS
* @param string $value Input string
* @param string $replaceString replaceString for inserting in keywords (which destroys the tags)
* @return string Input string with potential XSS code removed
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
public static function process($value, $replaceString = '<x>')
{
+ GeneralUtility::logDeprecatedFunction();
// Don't use empty $replaceString because then no XSS-remove will be done
if ($replaceString == '') {
$replaceString = '<x>';
diff --git a/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php b/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
index 282433faa1b7db0831b28713e5a0c5b052608d54..faa9aa084ce9d1b64e360d1a8d6f7b2274951466 100644
--- a/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
+++ b/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
@@ -2188,7 +2188,9 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
'empty string' => array(''),
'http domain' => array('http://www.google.de/'),
'https domain' => array('https://www.google.de/'),
- 'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)'),
+ 'XSS attempt' => array('" onmouseover="alert(123)"'),
+ 'invalid URL, UNC path' => array('\\\\foo\\bar\\'),
+ 'invalid URL, HTML break out attempt' => array('" >blabuubb'),
'base64 encoded string' => array('data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='),
);
}
diff --git a/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php b/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
index 79c016add20d8f7d619c5fa14f8748d13340d9f0..d4fe68f4adc3ac6e1908b56d3012e990b5a16d2e 100644
--- a/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
+++ b/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
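Review bot: The three replacement cases all begin with `"` or `\`, so they only reach the relative-path branch of sanitizeLocalUrl() and its new character check; nothing in the provider covers the site-absolute branch (input beginning with `/`), which this commit leaves without that check, and the dropped `relative path with XSS` case was also the only `../` traversal input. Suggest adding `'absolute site path with quote' => array('/" onmouseover="alert(123)"'),` — a case the untouched branch appears to accept as far as the GeneralUtility hunk shows, so it would fail until that branch gets the same check and thereby documents the gap — plus a `../` variant of one of the new strings. The provider's method name and the test consuming it are outside the hunk.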
@@ -1005,12 +1005,6 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
if ($url === '') {
return '';
}
- $decodedUrl = rawurldecode($url);
- $sanitizedUrl = GeneralUtility::removeXSS($decodedUrl);
- if ($decodedUrl !== $sanitizedUrl || preg_match('#["<>\\\\]+#', $url)) {
- GeneralUtility::sysLog(sprintf($this->pi_getLL('xssAttackDetected'), $url), 'felogin', GeneralUtility::SYSLOG_SEVERITY_WARNING);
- return '';
- }
// Validate the URL:
if ($this->isRelativeUrl($url) || $this->isInCurrentDomain($url) || $this->isInLocalDomain($url)) {
return $url;
@@ -1083,10 +1077,13 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
*/
protected function isRelativeUrl($url)
{
- $parsedUrl = @parse_url($url);
- if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
- // If the relative URL starts with a slash, we need to check if it's within the current site path
- return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
+ $url = GeneralUtility::sanitizeLocalUrl($url);
+ if (!empty($url)) {
+ $parsedUrl = @parse_url($url);
+ if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
+ // If the relative URL starts with a slash, we need to check if it's within the current site path
+ return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
+ }
}
return false;
}
diff --git a/typo3/sysext/felogin/Resources/Private/Language/locallang.xlf b/typo3/sysext/felogin/Resources/Private/Language/locallang.xlf
index f742b5a0a3750bfd3b9628d0434ebaea845e09b6..0c234c438391f846ad257f0fcfe09265af7a298d 100644
--- a/typo3/sysext/felogin/Resources/Private/Language/locallang.xlf
+++ b/typo3/sysext/felogin/Resources/Private/Language/locallang.xlf
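Review bot: The removed block rejected any URL matching `["<>\\\\]` before the three-way check, independent of which helper later accepted it; after this hunk only the isRelativeUrl() path gets an equivalent screen (through sanitizeLocalUrl() in the second hunk), while a URL accepted by isInCurrentDomain() or isInLocalDomain() is no longer checked for those characters here, and both helpers are outside the hunk, so whether they reject them cannot be confirmed. Unless they do, keep a cheap guard in front of `// Validate the URL:`, e.g. `if (preg_match('#["<>\\\\]+#', $url)) { return ''; }`, optionally with a sysLog using a literal message since the `xssAttackDetected` label is removed in this commit. The enclosing method starts and ends outside the hunk.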
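Review bot: `$url = GeneralUtility::sanitizeLocalUrl($url);` followed by `if (!empty($url))` relies on empty() to detect rejection, which also treats the string `'0'` as rejected; since sanitizeLocalUrl() documents the empty string as its rejection value, `if ($url !== '')` states the intent exactly and matches the `$url === ''` test used in the first hunk. The inner isFirstPartOfStr() site-path test appears to be duplicated by sanitizeLocalUrl() for paths starting with `/`, which is fine as defence in depth, but a comment such as `// sanitizeLocalUrl() already enforces TYPO3_SITE_PATH; the check below is kept as a second barrier` would stop a later cleanup from removing either one. isRelativeUrl() is inside the hunk apart from its docblock.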
@@ -141,9 +141,6 @@ For security reasons, this link is only active until %s. If you do not visit the
<trans-unit id="noValidRedirectUrl">
<source>Url "%s" for redirect was not accepted!</source>
</trans-unit>
- <trans-unit id="xssAttackDetected">
- <source>Url "%s" contained an XSS attack and was cleaned!</source>
- </trans-unit>
</body>
</file>
</xliff>
diff --git a/typo3/sysext/form/Classes/Domain/Builder/FormBuilder.php b/typo3/sysext/form/Classes/Domain/Builder/FormBuilder.php
index e6d798ec3d034e0263114da0ec78703b0e0c9b57..0336873de07606906d112c3f492ae8bd5da9725f 100644
--- a/typo3/sysext/form/Classes/Domain/Builder/FormBuilder.php
+++ b/typo3/sysext/form/Classes/Domain/Builder/FormBuilder.php
@@ -443,8 +443,6 @@ class FormBuilder

if ($this->getIncomingData()->getIncomingField($elementName) !== null) {
/* filter values and set it back to incoming fields */
- /* remove xss every time */
- $userConfiguredElementTypoScript['filters.'][-1] = 'removexss';
$keys = ArrayUtility::filterAndSortByNumericKeys($userConfiguredElementTypoScript['filters.']);
foreach ($keys as $key) {
$class = $userConfiguredElementTypoScript['filters.'][$key];
diff --git a/typo3/sysext/form/Classes/Domain/Filter/RemoveXssFilter.php b/typo3/sysext/form/Classes/Domain/Filter/RemoveXssFilter.php
index 9357863b9e20dda8410a4ebb5b835934d5995e77..0a97a2bc04fc778c7d8b947040c1de1813de4a54 100644
--- a/typo3/sysext/form/Classes/Domain/Filter/RemoveXssFilter.php
+++ b/typo3/sysext/form/Classes/Domain/Filter/RemoveXssFilter.php
@@ -18,6 +18,8 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
* Remove Cross Site Scripting filter
+ *
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
class RemoveXssFilter extends AbstractFilter implements FilterInterface
{
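Review bot: Removing `$userConfiguredElementTypoScript['filters.'][-1] = 'removexss';` also removes the side effect that created the `filters.` array for an element with no filters configured, so `filterAndSortByNumericKeys($userConfiguredElementTypoScript['filters.'])` now reads an undefined index for such elements (a notice, and a fatal error if that helper type-hints `array`, which is outside the hunk). Guard it before the call: `$filters = isset($userConfiguredElementTypoScript['filters.']) ? $userConfiguredElementTypoScript['filters.'] : array();` and pass `$filters`. Separately, the ObjectAttributes documentation hunk of this commit now states a default of `0 = trim`, which no configuration change in this commit establishes; either the docs or a TypoScript default needs to follow. The enclosing method starts and ends outside the hunk.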
@@ -29,6 +31,7 @@ class RemoveXssFilter extends AbstractFilter implements FilterInterface
*
* @param string $value Unfiltered value
* @return string The filtered value
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
public function filter($value)
{
diff --git a/typo3/sysext/form/Configuration/PageTS/modWizards.ts b/typo3/sysext/form/Configuration/PageTS/modWizards.ts
index e42812d5a2db96df03b46c4ab95214e9541e3601..aa514e38263e5363c7c0a01d1930c0013580373a 100644
--- a/typo3/sysext/form/Configuration/PageTS/modWizards.ts
+++ b/typo3/sysext/form/Configuration/PageTS/modWizards.ts
@@ -134,7 +134,7 @@ prefix = tx_form
}
}
filtering {
- showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, removexss, stripnewlines, titlecase, trim, uppercase
+ showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, stripnewlines, titlecase, trim, uppercase
filters {
alphabetic {
@@ -165,10 +165,6 @@ prefix = tx_form
showProperties = expression
}

- removexss {
- showProperties =
- }
-
stripnewlines {
showProperties =
}
diff --git a/typo3/sysext/form/Configuration/TypoScript/Filters/Filters.ts b/typo3/sysext/form/Configuration/TypoScript/Filters/Filters.ts
index df8fe686f257a73ba240dc6f44fd646878a47609..6d6c36c44b2584af1f97861cf20e3d38c9b7e6cb 100644
--- a/typo3/sysext/form/Configuration/TypoScript/Filters/Filters.ts
+++ b/typo3/sysext/form/Configuration/TypoScript/Filters/Filters.ts
@@ -42,11 +42,6 @@ plugin.tx_form {
className = TYPO3\CMS\Form\Domain\Filter\RegExpFilter
}

- removexss {
- displayName = Remove XSS
- className = TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter
- }
-
stripnewlines {
displayName = Strip New Lines
className = TYPO3\CMS\Form\Domain\Filter\StripNewLinesFilter
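Review bot: filter() gets the `@deprecated` tag but, unlike RemoveXSS::process() in this commit, no `GeneralUtility::logDeprecatedFunction();` is added as its first statement, although the new changelog promises a deprecation log entry for RemoveXssFilter. The method body is outside the hunk, so if the call is added there this is moot; otherwise it should be, and the class already imports GeneralUtility (the `use` line appears as the context of the preceding hunk). The same `@deprecated` tag on the class in the preceding hunk could carry a `@see` to the changelog file so readers find the migration advice.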
diff --git a/typo3/sysext/form/Documentation/Administration/WizardSettings/DefaultsReference/OptionsTab/Index.rst b/typo3/sysext/form/Documentation/Administration/WizardSettings/DefaultsReference/OptionsTab/Index.rst
index 5978187bc1b9ad462149f73e135d89e3f5487faa..4bc01d2c38bcaaed2c125fea3d3a88b491665cee 100644
--- a/typo3/sysext/form/Documentation/Administration/WizardSettings/DefaultsReference/OptionsTab/Index.rst
+++ b/typo3/sysext/form/Documentation/Administration/WizardSettings/DefaultsReference/OptionsTab/Index.rst
@@ -236,7 +236,7 @@ showFilters
:aspect:`Default:` alphabetic, alphanumeric, currency, digit, integer, lowercase,
- regexp, removexss, titlecase, trim, uppercase
+ regexp, titlecase, trim, uppercase
.. _wizard-settings-defaults-options-filtering-filters:
@@ -358,7 +358,7 @@ The default configuration of the options tab looks like this:
}
}
filtering {
- showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, removexss, titlecase, trim, uppercase
+ showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, titlecase, trim, uppercase
filters {
alphabetic {
showProperties = allowWhiteSpace
@@ -381,9 +381,6 @@ The default configuration of the options tab looks like this:
regexp {
showProperties = expression
}
- removexss {
- showProperties =
- }
titlecase {
showProperties =
}
diff --git a/typo3/sysext/form/Documentation/Configuration/Filters/Index.rst b/typo3/sysext/form/Documentation/Configuration/Filters/Index.rst
index 79d7f0177fb57c23dab3ed18bf3640d4cc8a3e71..733579287f8eebf8f240caea7b8016a858a5faae 100644
--- a/typo3/sysext/form/Documentation/Configuration/Filters/Index.rst
+++ b/typo3/sysext/form/Documentation/Configuration/Filters/Index.rst
@@ -16,11 +16,6 @@ assigned filters in the given order. The filtered data will be shown to the
visitor when there are errors in the form or on a confirmation page.
Otherwise the filtered data will be send by mail to the receiver.

-.. attention::
-
- By default, all submitted data will be filtered by a Cross Site Scripting
- (XSS) filter to prevent security issues.
-
.. toctree::
:maxdepth: 5
:titlesonly:
@@ -33,7 +28,6 @@ Otherwise the filtered data will be send by mail to the receiver.
Integer/Index.rst
Lowercase/Index.rst
Regexp/Index.rst
- Removexss/Index.rst
Stripnewlines/Index.rst
Titlecase/Index.rst
Trim/Index.rst
diff --git a/typo3/sysext/form/Documentation/Configuration/Filters/Removexss/Index.rst b/typo3/sysext/form/Documentation/Configuration/Filters/Removexss/Index.rst
deleted file mode 100644
index f55525f4dc96e3b7728a5bcd914612853dc03ac7..0000000000000000000000000000000000000000
--- a/typo3/sysext/form/Documentation/Configuration/Filters/Removexss/Index.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-.. include:: ../../../Includes.txt
-
-
-.. _reference-filters-removexss:
-
-=========
-removexss
-=========
-
-This filter will process all incoming data by default. There is no need to
-add this filter manually.
-
-It filters the incoming data on possible Cross Site Scripting attacks and
-renders the incoming data safely by removing potential XSS code and adding a
-replacement string which destroys the tags.
-
diff --git a/typo3/sysext/form/Documentation/Configuration/Objects/ObjectAttributes/Index.rst b/typo3/sysext/form/Documentation/Configuration/Objects/ObjectAttributes/Index.rst
index bcff9f04122bcd17010f373baa8b440dae85d806..a95d2f1d9d52d7851a292db4c753013bc4f69fbb 100644
--- a/typo3/sysext/form/Documentation/Configuration/Objects/ObjectAttributes/Index.rst
+++ b/typo3/sysext/form/Documentation/Configuration/Objects/ObjectAttributes/Index.rst
@@ -365,14 +365,11 @@ filters
**Filtered:** John Doe
- **Note:**: By default, all submitted data will be filtered by a Cross
- Site Scripting (XSS) filter to prevent security issues.
- :aspect:`Default:` .. code-block:: typoscript filters {
- 0 = removexss
+ 0 = trim
}
diff --git a/typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf b/typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf
index 488988b1e490b9398a02e5201c03badababdeb2d..47ec19b828be86c6cc03e1ad1b0c8f80af98e41c 100644
--- a/typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf
+++ b/typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf
@@ -558,9 +558,6 @@
<trans-unit id="filters_regexp">
<source>Regular Expression</source>
</trans-unit>
- <trans-unit id="filters_removexss">
- <source>Remove XSS</source>
- </trans-unit>
<trans-unit id="filters_stripnewlines">
<source>Strip New Lines</source>
</trans-unit>
diff --git a/typo3/sysext/form/Resources/Public/JavaScript/Wizard.js b/typo3/sysext/form/Resources/Public/JavaScript/Wizard.js
index 72ea8581b1c65d2326d2da463f7d0c05e7137606..3be1fa180bd786263880d058275922b40289badb 100644
--- a/typo3/sysext/form/Resources/Public/JavaScript/Wizard.js
+++ b/typo3/sysext/form/Resources/Public/JavaScript/Wizard.js
@@ -84,7 +84,6 @@ function configureWizardApplication() {
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Integer': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Integer', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/LowerCase': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.LowerCase', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RegExp': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RegExp', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
- 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/StripNewLines': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.StripNewLines', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/TitleCase': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.TitleCase', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Trim': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Trim', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
@@ -127,7 +126,6 @@ function configureWizardApplication() {
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Integer',
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/LowerCase',
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RegExp',
- 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS',
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/StripNewLines',
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/TitleCase',
'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Trim',
diff --git a/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters.js b/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters.js
index 60a0933dad82a3fd1e2b98c349056efbeb2a0561..0b835f396245b44c697457ddbebff0aafac1ff34 100644
--- a/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters.js
+++ b/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters.js
@@ -29,7 +29,6 @@ TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters = Ext.extend(Ext.Panel, {
integer: true,
lowercase: true,
regexp: true,
- removexss: true,
stripnewlines: true,
titlecase: true,
trim: true,
@@ -189,7 +188,6 @@ TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters = Ext.extend(Ext.Panel, {
'integer',
'lowercase',
'regexp',
- 'removexss',
'stripnewlines',
'titlecase',
'trim',
diff --git a/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS.js b/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS.js
deleted file mode 100644
index 21a0e85f99c29f9d4b609494b3b94178b01cf8d8..0000000000000000000000000000000000000000
--- a/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS.js
+++ /dev/null
@@ -1,18 +0,0 @@
-Ext.namespace('TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters');
-
-/**
- * The remove XSS filter
- *
- * @class TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS
- * @extends TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Filter
- */
-TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS = Ext.extend(TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Filter, {
- /**
- * @cfg {String} filter
- *
- * The name of this filter
- */
- filter: 'removexss'
-});
-
-Ext.reg('typo3-form-wizard-viewport-left-options-forms-filters-removexss', TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS);
\ No newline at end of file
diff --git a/typo3/sysext/form/Tests/Unit/Filter/RemoveXssFilterTest.php b/typo3/sysext/form/Tests/Unit/Filter/RemoveXssFilterTest.php
deleted file mode 100644
index f8f6d65bd078cde2e560ce8f184b72022caf3db2..0000000000000000000000000000000000000000
--- a/typo3/sysext/form/Tests/Unit/Filter/RemoveXssFilterTest.php
+++ /dev/null
@@ -1,54 +0,0 @@
-<?php
-namespace TYPO3\CMS\Form\Tests\Unit\Filter;
-
-/*
- * This file is part of the TYPO3 CMS project.
- *
- * It is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License, either version 2
- * of the License, or any later version.
- *
- * For the full copyright and license information, please read the
- * LICENSE.txt file that was distributed with this source code.
- *
- * The TYPO3 project - inspiring people to share!
- */
-
-/**
- * Test case
- */
-class RemoveXssFilterTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
-{
- /**
- * @var \TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter
- */
- protected $subject;
-
- protected function setUp()
- {
- $this->subject = new \TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter();
- }
-
- public function maliciousStringProvider()
- {
- return array(
- '<IMG SRC="javascript:alert(\'XSS\');">' => array('<IMG SRC="javascript:alert(\'XSS\');">'),
- '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' => array('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'),
- '<IMG SRC=JaVaScRiPt:alert(\'XSS\')>' => array('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'),
- '<IMG SRC=javascript:alert("XSS")>' => array('<IMG SRC=javascript:alert("XSS")>'),
- '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>' => array('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'),
- );
- }
-
- /**
- * @test
- * @dataProvider maliciousStringProvider
- */
- public function filterForMaliciousStringReturnsInputFilteredOfXssCode($input)
- {
- $this->assertNotSame(
- $input,
- $this->subject->filter($input)
- );
- }
-}