Bug #72443

ce image: html tags within image description are rendered improperly

Added by Stefan Padberg almost 6 years ago. Updated almost 6 years ago.

Won't have this time
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


In TYPO3 6.2.17 HTML tags in the description field of an image are rendered improperly: The brackets of the tags are coded to < and >

Until Version 6.2.15 this was not the case. Please fall back to the former way of rendering.

Related issues

Is duplicate of TYPO3 Core - Bug #72383: FAL sys_file_reference DescriptionRejected2015-12-22

Is duplicate of TYPO3 Core - Bug #72330: HTML Tags in image caption textfield get escapedRejected2015-12-18

Is duplicate of TYPO3 Core - Bug #72295: No render of HTML TAGs anymore in tables after update from 6.2.15 to 6.2.16Rejected2015-12-17


Updated by Wouter Wolters almost 6 years ago

  • Description updated (diff)
  • Status changed from New to Closed

Hi Stefan,

This is intended. Please read https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/ carefully to understand why this behaves like this now.

The core won't change this back.


Updated by Anja Leichsenring almost 6 years ago

  • Status changed from Closed to Rejected
  • Priority changed from Must have to Won't have this time

Updated by Stefan Padberg almost 6 years ago

I understand your intentions but I have no possiblity to re-activate the insertion of proper HTML content as described in the above link. In all my 6.2.17 installation I find the following Typoscript settings which are the wellknown ones. There is no parseFunc call and no stripHTML call:

[1] = COA
[1] = TEXT
[data] = file:current:description
[required] = 1
[htmlSpecialChars] = 1
[br] = 1

This Typoscript is not working correctly anymore. So for me this is a bug.


Updated by Stefan Padberg almost 6 years ago

I checked the source code of my installations. All Css_styled_content extensions contain the above TS. Is it possible that old Css_styled_content is mixed in the 6.2.17? Or is Css_styled_content not updated automatically?


Updated by Stefan Padberg almost 6 years ago

everthing alright. I missunderstood some thing. can be closed


Updated by Kaan Sanli almost 6 years ago

Hi everybody,

I can understand the need to disable html-code in fields like the image description for security reasons. But for some editors it is useful and neccessary to use html-code inside that field.

So I changed the TypoScript settings back prior to 6.2.16, but added a userPostFunc to remove XSS.

Here is my code:

tt_content.image.20.caption.1.1 {
parseFunc = < lib.parseFunc
htmlSpecialChars = 0
stdWrap.postUserFunc = TYPO3\CMS\Core\Utility\GeneralUtility->removeXSS

Wouldn't that be a way to provide the old functionality for editors while minimzing XSS-possibilities?
Please correct me, if my solution is insecure.

Also available in: Atom PDF