A frequently used feature of TypoScript is stdWrap. It provides many functions and wrappers to parse your data. It serves as a multipurpose parsing suite with helpers of any kind. dataWrap is one of the most powerful among them, but it's also one of the most tricky ones. Read on for a little demonstration on how to add security to your TypoScript by applying the stdWrap function "htmlSpecialChars" to data in dataWrap...
Whenever you are using GET/POST parameters in SQL queries, you have to face the risk of running into SQL injection. The golden rule here is not to trust user parameters, but always properly check and escape values. This article introduces a TYPO3 extension, which helps to sanitize parameters by extending TypoScript stdWrap. PLEASE ALSO READ THE COMMENTS ON THIS ARTICLE FOR UPDATES IN THE TYPO3 CORE TO TACKLE THIS ISSUE!
Using GET/POST vars in SQL queries involves the risk of SQL injection if the parameter is not properly sanitized. There are lots of warnings and documents around in the web on how to prevent this in PHP scripts. But what about TypoScript?
The output of most TYPO3 FE plugins are wrapped with a HTML div container by default (so called basewrap). This seems to be fair in most cases, but sometimes it is not and you have to get rid of them. Unfortunately, a lot of extensions including some of the most popular ones don't provide any control to handle this. This article describes how to do it better.