Bug #35601

stripping characters in flexform fields (type "text")

Added by Thomas Dudzak about 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2012-04-03
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In TYPO3 v4.5.14 on an Apache Server with PHP 5.3.10 TYPO strips some characters like angle brackets and quotation marks from flexform fields type "text", so that a typoscript configuration in a plugin like that:

wrap =    <div id="dokument"> | </div>

will be saved as that:

wrap =    div id=dokument | /div

and of course won't work...

Seen in extensions: typocript_code, tt_news (additional typoscript field: myTS)

Worked on TYPO3 v4.5 and PHP 5.3 each with previous versions.

So, is it a bug or a security fix? Any workarround?

Thanking you in anticipation.

#1

Updated by Georg Ringer about 10 years ago

  • Status changed from New to Needs Feedback

where exactly do you enter this TS?

I am not aware of any stripping-feature which has been introduced

#2

Updated by Thomas Dudzak about 10 years ago

I entered it in two formular fields of the type text in tt_news and typoscript_code.

The tt_news field is the myTS-field on the s_misc-sheet of the flexform_ds.xml configuration file. Code is that:

<myTS>
    <TCEforms>
        <displayCond>HIDE_FOR_NON_ADMINS</displayCond>
        <exclude>1</exclude>
        <label>LLL:EXT:tt_news/locallang_tca.xml:tt_news.pi_flexform.tsconfig</label>
        <config>
            <type>text</type>
            <cols>80</cols>
            <rows>10</rows>
        </config>
    </TCEforms>
</myTS>

And in typoscript_code I used the field code_text in flexform_ds_pi1.xml

<code_text>
    <TCEforms>
        <exclude>1</exclude>
        <label>LLL:EXT:typoscript_code/locallang_db.php:flex.code.text</label>
        <config type="array">
            <type>text</type>
            <cols>48</cols>
            <rows>20</rows>
        </config>
    </TCEforms>
</code_text>

So in both there isn't provided any explicit validation of submitted content.

I found another "typosrcript as plugin"-extension called typoscriptce. This one does not use flexforms but tca-configuration. And that one works as it should...

There are two more Typo3 installations I'm responsible for. They are technically identical with that one, where the bug occured. But now I forund out that both does not have any problem like this. The only thing, that is different between that two and the buggy installtion is the PHP version, updated by the hoster last week i have read. The buggy one has v5.3.10, the others v5.3.4 (?). So it seems to me, that this is not a TYPO update problem, but a problem caused by PHP that breaks validation (?) of flexform fields... But also that I would like to repair, but don't know, where to for... ;)

#3

Updated by Georg Ringer about 10 years ago

  • Status changed from Needs Feedback to Closed
  • % Done changed from 0 to 100

as you found out yourself, this isn't an issue of TYPO3 but because of a misconfiguration of the server. therefore I am closing this issue.

#4

Updated by Fedir RYKHTIK over 9 years ago

If there are some news about it ?

We have exactly the same situation, PHP v.5.2.6.

Any ideas ?

Also available in: Atom PDF