This project is no longer maintained and no further public releases are planned.

No further support will be given.

Feel free to fork the git repository.

Interceptor\RemoveXSS

Removes malicious code from submitted values to prevent XSS attacks. This Interceptor is added automatically by Formhandler. It removes malicious code and, by default, a small set of characters from the input values. For the list of characters that are removed by default, see the configuration section below.

You can use the removeChars setting to remove profanity or specific characters, either by entering a comma-separated list or by using a cObject such as USER to connect to a service.

Version added

1.0.0

TypoScript path

plugin.Tx_Formhandler.settings.initInterceptors.x

Example code

plugin.Tx_Formhandler.settings.initInterceptors.1.class = Typoheads\Formhandler\Interceptor\RemoveXSS
plugin.Tx_Formhandler.settings.initInterceptors.1.config.fieldConf {
	name.removeChars = %,&,/
	email.removeChars = TEXT
	email.removeChars.value = ,|<|>
	email.separator = |
	company = USER
	company.userFunc = user_myClass->user_getRemoveWords
}

Properties

.fieldConf

Settings per form field.

Key = field name or “global”
Value = comma-separated list or cObject.

Set “removeChars.disable=1” for a single field or for “global” to disable the removal. If a field has its own configuration, the removal takes place for that field even if it is disabled globally.

Data type

Array

Default value

Default removal characters for each field are: < > ' "

Version added

1.0.0

Example code

fieldConf {
  global.removeChars.disable = 1

  email.removeChars = a,b,c
  company.removeChars = ,|*|<|>
  company.separator = |
  subject.removeChars = TEXT
  subject.removeChars.value = 3f4f5
  subject.separator = f
}

.doNotSanitizeFields

Comma-separated list of field names that are not sanitized at all. No XSS removal is performed on these fields.

Data type

Boolean | cObj

Version added

1.0.0
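Example code

As an added illustration (not code from the Formhandler project), the following Python models the precedence rules documented above for .fieldConf and .doNotSanitizeFields, using the fieldConf example as its input. The dict layout, the function names and the already-rendered value of the TEXT cObject are assumptions of this model.

```python
# Added model of the documented removeChars resolution rules.
# It is NOT the Formhandler extension's own code: it handles only literal
# comma-separated lists, the optional `separator`, `removeChars.disable`,
# `doNotSanitizeFields` and the documented default set; cObjects such as
# TEXT or USER are assumed to have been rendered to their string value.
DEFAULT_REMOVE_CHARS = ["<", ">", "'", '"']


def parse_remove_chars(conf):
    """Split a `removeChars` string on `separator` (comma when not set)."""
    sep = conf.get("separator", ",")
    return [c for c in conf["removeChars"].split(sep) if c != ""]


def resolve_remove_chars(field, field_conf, do_not_sanitize=()):
    """Return the characters to strip from `field` ([] means no removal).

    Precedence as documented: a field listed in doNotSanitizeFields is
    skipped entirely; a field-specific entry wins over "global", even when
    the global entry is disabled; otherwise "global" applies; otherwise the
    default set.
    """
    if field in do_not_sanitize:
        return []
    conf = field_conf.get(field) or field_conf.get("global")
    if conf is None:
        return list(DEFAULT_REMOVE_CHARS)
    if conf.get("disable"):
        return []
    if "removeChars" not in conf:
        return list(DEFAULT_REMOVE_CHARS)
    return parse_remove_chars(conf)


def sanitize(value, chars):
    """Remove every configured character from a submitted value."""
    for c in chars:
        value = value.replace(c, "")
    return value


# Constructed configuration mirroring the fieldConf example above.
EXAMPLE_FIELD_CONF = {
    "global": {"disable": True},
    "email": {"removeChars": "a,b,c"},
    "company": {"removeChars": ",|*|<|>", "separator": "|"},
    "subject": {"removeChars": "3f4f5", "separator": "f"},  # TEXT cObject, rendered
}

if __name__ == "__main__":
    # "name" has no field entry, so the global disable switches removal off for it.
    for field, value in [("company", "<b>Acme, Inc.*</b>"), ("name", "<i>Eve</i>")]:
        chars = resolve_remove_chars(field, EXAMPLE_FIELD_CONF)
        print(field, chars, repr(sanitize(value, chars)))
```

Note that with a global disable, every field without its own fieldConf entry is passed through unchanged, so check which fields are left without an entry before relying on that setting.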