Commit a8074eb6 authored by Carsten Rose

Manual.rst: security hints, T3 Setup best practice, text input retype, charactercountwrap.

Config.qfq: central defaults for DATA_MATH, DATA_ERROR
parent 4248a43f
......@@ -1201,7 +1201,8 @@ affected by SQL injection. To prevent SQL injection, every variable is by defaul
* Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
specified). If alpha characters are submitted, the content violates `digit` and becomes therefore
`!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP or digits.
`!!<name of sanitize class>!!` - there is no error message. Best is to always use SIP (value is trustful) or at least
digits for GET (=client) parameter (user might change those and therefore those are *not* trustful).
Get Parameter
-------------
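Review bot: The rewritten sentence on the `!!<name of sanitize class>!!` line uses "trustful" twice where "trustworthy" (or "trusted") is meant, and "GET (=client) parameter" should be plural; suggest: "Best is to always use SIP (the value is trustworthy) or at least digits for GET (=client) parameters (the user might change those, so they are *not* trustworthy)." It would also help to state in one clause why SIP can be trusted where a GET parameter cannot (the client is not in a position to alter it), since that contrast is the security point the whole paragraph rests on.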
......@@ -1282,7 +1283,7 @@ E.g. for Apache set a htaccess rule: ::
To offer download of those files, use the reserved columnname '_download' (see `download`_) or variants.
**Important**: To protect the installation against executing of uploaded malicious script code, disable PHP for the final upload
directory. E.g. `fileadmin`: ::
directory. E.g. `fileadmin` (Apache): ::
<Directory "/var/www/html/fileadmin">
php_admin_flag engine Off
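Review bot: Adding "(Apache)" is the right qualifier, but the example still hides an assumption: `php_admin_flag engine Off` is honoured only when PHP runs as an Apache module, so an installation that hands `.php` files to PHP-FPM is not protected by this `<Directory>` block; a short clause such as "for mod_php; with PHP-FPM remove the PHP handler for this directory instead" would avoid a false sense of safety. Since the same sentence insists on the "final upload directory", it is also worth saying that `/var/www/html/fileadmin` has to be replaced by the actual upload path.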
......@@ -1294,11 +1295,20 @@ File upload
-----------
By default the mime type of every uploaded file is checked against a white list of allowed mime types. The mime type of
a file can be (easily) faked by an attacker. This check is good to handle regular user file upload for specific file types. To
prevent attacks against uploading and executing malicous code this won't help.
a file can be (easily) faked by an attacker. This check is good to handle regular user file upload for specific file types
but won't help to prevent attacks against uploading and executing malicous code.
Instead prohibit the execution of user contributed files by the webserver config (`SecureDirectFileAccess`_).
Typo3 Setup - best practice
---------------------------
* Activate notification emails for every BE login (if there are only few BE users). In case the backend has been hacked,
unusual login's (time or username) will appear: ::
[BE][warning_email_addr] = <your email>
[BE][warning_mode] = 1
.. _`store`:
Store
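Review bot: The rewritten File upload sentence keeps the typo "malicous" (should be "malicious"), and in the new Typo3 Setup section "login's" should be "logins" and "has been hacked" reads better as "has been compromised". For the two `[BE]` settings it is worth stating what `warning_mode = 1` does (a mail for every backend login, which is why the bullet restricts the advice to installations with few BE users) so the reader sees the trade-off; as a detection measure it only works if somebody reads and acts on those mails, which the bullet could say in the same breath.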
......@@ -2945,10 +2955,12 @@ Type: text
* *FormElement.parameter*:
* *retype* = 1 (optional): Current input element will be rendered twice. The form can only submitted if both elements are equal.
* *retypeLabel* = <text> (optional): The label of the second element.
* *retypeNote* = <text> (optional): The note of the second element.
* *characterCountWrap* = <text1>|<text2> (optional). Displays a character counter below the input/textarea element. If
`text1` / `text2` is missing, just display `<current>/</max>`. Customization: `characterCountWrap=<div class=qfq-cc-style>Count: |</div>`
* *retypeLabel* = <text> (optional): The label of the second element.
* *retypeNote* = <text> (optional): The note of the second element.
* *characterCountWrap* = <div class="qfq-cc-style">Count: |</div>` (optional).
Displays a character counter below the input/textarea element.
* Also check the :ref:`fe-parameter-attributes` *data-...-error* to customize error messages shown by the validator.
* *hideZero* = 0|1 (optional): `with hideZero=1` a '0' in the value will be replaced by an empty string.
* *emptyMeansNull* = [0|1] (optional): with `emptyMeansNull` or `emptyMeansNull=1` a NULL value will be written if
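Review bot: The new `*characterCountWrap*` line has an unmatched closing backtick after `</div>` (rst will render the stray backtick) and, compared with the removed text, it drops the semantics: that the value is `<text1>|<text2>` with the `|` marking where the `<current>/<max>` counter is inserted, and what is displayed when the wrap text is omitted. Suggest keeping the removed `<text1>|<text2> (optional)` description and giving `<div class="qfq-cc-style">Count: |</div>` as the customization example beneath it, as the old text did. Also "The form can only submitted" in the `retype` bullet should read "can only be submitted".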
......@@ -117,14 +117,14 @@ editFormPage = form
# cat=form-config/config; type=string; label=Form data pattern error message:QFQ default is pattern dependent - leave this empty to use pattern specific messages. Customizable error message used in validator.js. 'pattern' violation.
formDataPatternError =
# cat=form-config/config; type=string; label=Form data required error message:Default is 'required error'. Customizable error message used in validator.js. 'required' violation.
# cat=form-config/config; type=string; label=Form data required error message:Default is 'data required'. Customizable error message used in validator.js. 'required' violation.
formDataRequiredError =
# cat=form-config/config; type=string; label=Form data match error message:Default is 'match error'. Customizable error message used in validator.js. 'match' violation. Typically used to ensure that two given emails or passwords are identically.
# cat=form-config/config; type=string; label=Form data match error message:Default is 'Fields do not match'. Customizable error message used in validator.js. 'match' violation. Typically used to ensure that two given emails or passwords are identically.
formDataMatchError =
# cat=form-config/config; type=string; label=Form data error message:Default is 'error'. Customizable error message used in validator.js. generic violation.
formDataError = error
# cat=form-config/config; type=string; label=Form data error message:Default is 'Error'. Customizable error message used in validator.js. generic violation.
formDataError =
# cat=form-config/config; type=boolean; label=Show record-id in form title:Default is off (0). If on (1), append the current record id on the title. New records get '(new)'.
showIdInFormTitle = 0
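Review bot: The `formDataError` value is changed from `error` to empty while its label now says "Default is 'Error'", so the effective default is whatever the PHP side supplies; the label text and the code default have to agree (same wording, same capitalisation), and the same holds for the match label's "Default is 'Fields do not match'" and the required label's "Default is 'data required'", which are now the only place these strings are documented. Also "identically" in the match-error label should be "identical".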
......@@ -828,8 +828,8 @@ const F_FE_DATA_MATCH_ERROR = 'data-match-error'; // contains id of the sibling
const F_FE_DATA_ERROR = 'data-error';
const F_FE_DATA_PATTERN_ERROR_DEFAULT = 'pattern error'; // Attention: the default is also defined in ext_conf_template.txt
const F_FE_DATA_REQUIRED_ERROR_DEFAULT = 'required error'; // Attention: the default is also defined in ext_conf_template.txt
const F_FE_DATA_MATCH_ERROR_DEFAULT = 'match error'; // Attention: the default is also defined in ext_conf_template.txt
const F_FE_DATA_REQUIRED_ERROR_DEFAULT = 'data required'; // Attention: the default is also defined in ext_conf_template.txt
const F_FE_DATA_MATCH_ERROR_DEFAULT = 'fields do not'; // Attention: the default is also defined in ext_conf_template.txt
const F_PARAMETER = 'parameter'; // valid for F_ and FE_
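Review bot: `F_FE_DATA_MATCH_ERROR_DEFAULT = 'fields do not'` is truncated; the matching label in ext_conf_template.txt reads 'Fields do not match', so a user whose two password or email fields differ would be shown the meaningless "fields do not". Change it to `'Fields do not match'`. With three `// Attention: the default is also defined in ext_conf_template.txt` comments now, a single source of truth (or a small test comparing the constants with the template) would stop exactly this kind of drift.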
......@@ -320,7 +320,8 @@ class Config {
SYSTEM_THUMBNAIL_DIR_PUBLIC => SYSTEM_THUMBNAIL_DIR_PUBLIC_DEFAULT,
F_FE_DATA_REQUIRED_ERROR => F_FE_DATA_REQUIRED_ERROR_DEFAULT,
F_FE_DATA_MATCH_ERROR => F_FE_DATA_MATCH_ERROR_DEFAULT,
F_FE_DATA_ERROR => 'error',
];
// To let run legacy code
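Review bot: `F_FE_DATA_ERROR => 'error'` is a bare literal next to entries that use `_DEFAULT` constants, and it differs from the 'Error' the ext_conf_template.txt label announces. Add `F_FE_DATA_ERROR_DEFAULT` in Constants.php with the same "Attention" comment and use it here, so the commit message's "central defaults for DATA_MATCH, DATA_ERROR" holds for DATA_ERROR as well.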
......@@ -376,10 +376,10 @@ EOT;
$body .= PHP_EOL . SYSTEM_FORM_BS_LABEL_COLUMNS . ' = 4';
$body .= PHP_EOL . SYSTEM_FORM_BS_INPUT_COLUMNS . ' = 5';
$body .= PHP_EOL . SYSTEM_FORM_BS_NOTE_COLUMNS . ' = 6';
$body .= PHP_EOL . SYSTEM_FORM_DATA_PATTERN_ERROR . ' = pattern error';
$body .= PHP_EOL . SYSTEM_FORM_DATA_REQUIRED_ERROR . ' = required error';
$body .= PHP_EOL . SYSTEM_FORM_DATA_MATCH_ERROR . ' = match error';
$body .= PHP_EOL . SYSTEM_FORM_DATA_ERROR . ' = error';
$body .= PHP_EOL . SYSTEM_FORM_DATA_PATTERN_ERROR . ' = Pattern error';
$body .= PHP_EOL . SYSTEM_FORM_DATA_REQUIRED_ERROR . ' = Required error';
$body .= PHP_EOL . SYSTEM_FORM_DATA_MATCH_ERROR . ' = Fields do not match';
$body .= PHP_EOL . SYSTEM_FORM_DATA_ERROR . ' = Error';
$body .= PHP_EOL . SYSTEM_CSS_CLASS_QFQ_FORM . ' = main-class';
$body .= PHP_EOL . SYSTEM_CSS_CLASS_QFQ_FORM_PILL . ' = pill-class';
$body .= PHP_EOL . SYSTEM_CSS_CLASS_QFQ_FORM_BODY . ' = body-class';
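Review bot: These lines only exercise explicit configuration; every `SYSTEM_FORM_DATA_*_ERROR` key is written into the body, so the new central defaults are never asserted. A case that omits the four keys and expects the `_DEFAULT` constants would cover the code path this commit actually adds.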
......@@ -387,10 +387,10 @@ EOT;
$expect[F_BS_LABEL_COLUMNS] = '4';
$expect[F_BS_INPUT_COLUMNS] = '5';
$expect[F_BS_NOTE_COLUMNS] = '6';
$expect[F_FE_DATA_PATTERN_ERROR] = 'pattern error';
$expect[F_FE_DATA_REQUIRED_ERROR] = 'required error';
$expect[F_FE_DATA_MATCH_ERROR] = 'match error';
$expect[F_FE_DATA_ERROR] = 'error';
$expect[F_FE_DATA_PATTERN_ERROR] = 'Pattern error';
$expect[F_FE_DATA_REQUIRED_ERROR] = 'Required error';
$expect[F_FE_DATA_MATCH_ERROR] = 'Fields do not match error';
$expect[F_FE_DATA_ERROR] = 'Error';
$expect[F_CLASS] = 'main-class';
$expect[F_CLASS_PILL] = 'pill-class';
$expect[F_CLASS_BODY] = 'body-class';
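Review bot: `$expect[F_FE_DATA_MATCH_ERROR] = 'Fields do not match error'` does not equal the `' = Fields do not match'` written into the config body in the previous hunk, so this assertion should fail; drop the trailing " error" (or, if the suffix is intended, fix the body line so both sides match).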