Bug #95517

closed

spamProtectEmailAddresses - JavaScript atSubst and lastDotSubst replacements

Added by Neobe Parlot over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Frontend
Start date: 2021-10-07
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version: 7.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

TESTED: (Working in 10.4.18 / breaks in 10.4.19)

config {
  # ascii / -5 to 1
  spamProtectEmailAddresses = -4
  # (at)
  spamProtectEmailAddresses_atSubst = <script type="text/javascript" language="JavaScript">document.write('@');</script><noscript>@</noscript>
  # (dot)
  spamProtectEmailAddresses_lastDotSubst = <script type="text/javascript" language="JavaScript">document.write('.');</script><noscript>.</noscript>
}

output/sourcecode (yes, all the whitespaces are also rendered)

<p>
    <a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">E: mail&lt;script type="text/javascript" language="JavaScript"&gt;document.write('@');&lt;/script&gt;</a>
</p>
&lt;noscript&gt;@&lt;/noscript&gt;mail&lt;script type="text/javascript" language="JavaScript"&gt;document.write('.');&lt;/script&gt;&lt;noscript&gt;.&lt;/noscript&gt;com


output rendered:
MAIL<SCRIPT TYPE="TEXT/JAVASCRIPT" LANGUAGE="JAVASCRIPT">DOCUMENT.WRITE('@');</SCRIPT>

<noscript>@</noscript>mail<script type="text/javascript" language="JavaScript">document.write('.');</script><noscript>.</noscript>com

<hr/>

Expected behavior
output/sourcecode before update: (This one was working perfectly!)

<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">E: mail<script type="text/javascript" language="JavaScript">document.write('@');</script>@<noscript>@</noscript>mail<script type="text/javascript" language="JavaScript">document.write('.');</script>.<noscript>.</noscript>com</a>

output rendered:

E: MAIL@Mail.com

Actions #1

Updated by Neobe Parlot over 2 years ago

Ok, this might be my fault...

I found out that there is a new RTE-sanitizer ... I'm sorry.

This will fix my issue: (so I bet there could be a better solution for me, allowing <script>?!)
lib.parseFunc_RTE.htmlSanitize = 0

Actions #2

Updated by Georg Ringer over 2 years ago

  • Status changed from New to Closed

Closing the issue as a solution was found.
