Bug #72443
ce image: html tags within image description are rendered improperly
Status: closed
Description
In TYPO3 6.2.17, HTML tags in the description field of an image are rendered improperly: the brackets of the tags are encoded as &lt; and &gt;.
Until Version 6.2.15 this was not the case. Please fall back to the former way of rendering.
Updated by Wouter Wolters almost 9 years ago
- Description updated (diff)
- Status changed from New to Closed
Hi Stefan,
This is intended. Please read https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/ carefully to understand why this behaves like this now.
The core won't change this back.
Updated by Anja Leichsenring almost 9 years ago
- Status changed from Closed to Rejected
- Priority changed from Must have to Won't have this time
Updated by Stefan Padberg almost 9 years ago
I understand your intentions, but I have no possibility to re-activate the insertion of proper HTML content as described in the above link. In all my 6.2.17 installations I find the following TypoScript settings, which are the well-known ones. There is no parseFunc call and no stripHTML call:
caption {
  1 = COA
  1 {
    1 = TEXT
    1 {
      data = file:current:description
      required = 1
      htmlSpecialChars = 1
      br = 1
    }
  }
}
This TypoScript is not working correctly anymore. So for me this is a bug.
Updated by Stefan Padberg almost 9 years ago
I checked the source code of my installations. All css_styled_content extensions contain the above TS. Is it possible that an old css_styled_content is mixed into 6.2.17? Or is css_styled_content not updated automatically?
Updated by Stefan Padberg almost 9 years ago
Everything alright. I misunderstood something. Can be closed.
Updated by Kaan Sanli almost 9 years ago
Hi everybody,
I can understand the need to disable HTML code in fields like the image description for security reasons. But for some editors it is useful and necessary to use HTML code inside that field.
So I changed the TypoScript settings back prior to 6.2.16, but added a userPostFunc to remove XSS.
Here is my code:
tt_content.image.20.caption.1.1 {
  parseFunc = < lib.parseFunc
  htmlSpecialChars = 0
  stdWrap.postUserFunc = TYPO3\CMS\Core\Utility\GeneralUtility->removeXSS
}
Wouldn't that be a way to provide the old functionality for editors while minimizing XSS possibilities?
Please correct me, if my solution is insecure.
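The two TypoScript variants in this thread come down to two rendering policies for the description field: Stefan's default (htmlSpecialChars = 1 plus br = 1) escapes every character that could open a tag, while Kaan's variant lets markup through and then tries to filter it. The following PHP is an added illustration of that difference and is not code from TYPO3 core, css_styled_content, or either poster. Variant A reproduces the escaping behaviour with plain htmlspecialchars() and nl2br(); variant B stands in for the "allow HTML" approach, but instead of a post-hoc filter like removeXSS it rebuilds the markup from a parsed DOM against an allow-list of tags and attributes (the allow-list itself, the function names and the sample description are assumptions for this example).

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core or css_styled_content code. It renders an image
// description two ways: (A) escape everything, which is what the TypoScript
// "htmlSpecialChars = 1" plus "br = 1" does, and (B) let a small allow-list of
// tags through by rebuilding the markup from a parsed DOM. Variant B stands in
// for the "parseFunc + removeXSS" idea, but uses an allow-list instead of a filter.

const ESC_FLAGS = ENT_QUOTES | ENT_HTML5;

/** Variant A: every character that could open a tag is escaped; newlines become <br>. */
function renderCaptionEscaped(string $description): string
{
    return nl2br(htmlspecialchars($description, ESC_FLAGS, 'UTF-8'), false);
}

/** Variant B: keep only allow-listed tags/attributes, escape all text, drop the rest. */
function renderCaptionAllowList(string $description): string
{
    // Tag => list of attributes that may survive (assumed policy for this example).
    $allowed = ['b' => [], 'strong' => [], 'i' => [], 'em' => [], 'br' => [], 'a' => ['href']];

    $dom = new DOMDocument();
    libxml_use_internal_errors(true);               // unknown tags only produce warnings
    $dom->loadHTML(
        '<?xml encoding="UTF-8"><div id="caption">' . $description . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    $root = (new DOMXPath($dom))->query('//div[@id="caption"]')->item(0);
    return $root === null ? '' : filterChildren($root, $allowed);
}

function filterChildren(DOMNode $node, array $allowed): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is always escaped, so a "<" typed by an editor can never open a tag.
            $out .= nl2br(htmlspecialchars($child->nodeValue, ESC_FLAGS, 'UTF-8'), false);
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                           // drop these including their content
            }
            if (!isset($allowed[$tag])) {
                $out .= filterChildren($child, $allowed); // unknown tag: keep its text only
                continue;
            }
            $attrs = '';
            foreach ($allowed[$tag] as $name) {     // any attribute not listed is dropped
                if (!$child->hasAttribute($name)) {
                    continue;
                }
                $value = $child->getAttribute($name);
                if ($name === 'href' && !preg_match('#^https?://#i', $value)) {
                    continue;                       // only http(s) targets are kept
                }
                $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ESC_FLAGS, 'UTF-8') . '"';
            }
            $out .= $tag === 'br'
                ? '<br>'
                : '<' . $tag . $attrs . '>' . filterChildren($child, $allowed) . '</' . $tag . '>';
        }
    }
    return $out;
}

// Constructed sample input (not from the thread): legitimate markup mixed with
// the kind of attribute and element a filter must not let through.
$sample = "Photo by <b>Jane</b>\n"
    . '<a href="https://example.org" onclick="alert(1)">source</a> <script>alert(1)</script>';

echo renderCaptionEscaped($sample), PHP_EOL;
echo renderCaptionAllowList($sample), PHP_EOL;
```

Run with `php caption.php`: variant A prints the whole description with `&lt;` and `&gt;` in place of the brackets, which is exactly the 6.2.16+ behaviour the report complains about; variant B keeps the `<b>` and the link but the `onclick` attribute and the `<script>` element are gone. The design point is that B never copies input markup to the output, it re-emits only what the allow-list names, so there is no blacklist of bad patterns to keep up to date. Whether B is acceptable for a site depends on who may edit image descriptions and whether the allow-list is small enough to review.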