ce image: html tags within image description are rendered improperly
In TYPO3 6.2.17 HTML tags in the description field of an image are rendered improperly: the brackets of the tags are encoded as &lt; and &gt;.
Until version 6.2.15 this was not the case. Please fall back to the former way of rendering.
Updated by Wouter Wolters almost 6 years ago
- Description updated (diff)
- Status changed from New to Closed
This is intended. Please read https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/ carefully to understand why this behaves like this now.
The core won't change this back.
Updated by Stefan Padberg almost 6 years ago
I understand your intentions but I have no possibility to re-activate the insertion of proper HTML content as described in the above link. In all my 6.2.17 installations I find the following TypoScript settings, which are the well-known ones. There is no parseFunc call and no stripHTML call:
 = COA
 = TEXT
[data] = file:current:description
[required] = 1
[htmlSpecialChars] = 1
[br] = 1
This TypoScript is not working correctly anymore. So for me this is a bug.
Updated by Kaan Sanli almost 6 years ago
I can understand the need to disable HTML code in fields like the image description for security reasons. But for some editors it is useful and necessary to use HTML code inside that field.
So I changed the TypoScript settings back to the state prior to 6.2.16, but added a postUserFunc to remove XSS.
Here is my code:
parseFunc = < lib.parseFunc
htmlSpecialChars = 0
stdWrap.postUserFunc = TYPO3\CMS\Core\Utility\GeneralUtility->removeXSS
Wouldn't that be a way to provide the old functionality for editors while minimizing XSS possibilities?
Please correct me, if my solution is insecure.
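As an added example (not code from this thread, from TYPO3, or from any of the commenters), the following Python script contrasts the two options the thread is circling around: escaping everything, which is what htmlSpecialChars = 1 does, versus an allow-list sanitizer that keeps a small set of formatting tags an editor might reasonably want in a caption and escapes every other tag, attribute and URL scheme. It is an allow-list stand-in for the blacklist-style removeXSS post-processing proposed above and uses only the standard library; the set of allowed tags, attributes and URL schemes is an assumption chosen for the example.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list for an image description: tag -> attributes kept on it.
# Anything not listed here is rendered as escaped text, never as markup.
ALLOWED_TAGS = {
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "br": set(), "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# href values must start with one of these; everything else (javascript:,
# data:, vbscript:, ...) is dropped rather than blacklisted case by case.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def escape_all(text):
    """Equivalent of TypoScript htmlSpecialChars = 1: no markup survives."""
    return html.escape(text, quote=True)


class AllowListSanitizer(HTMLParser):
    """Re-serialises input, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []

    def _safe_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag]:
                continue
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED_TAGS:
            # Unknown tag: show it literally, exactly as htmlSpecialChars would.
            self.out.append(html.escape(self.get_starttag_text(), quote=True))
            return
        attr_str = "".join(
            f' {n}="{html.escape(v, quote=True)}"' for n, v in self._safe_attrs(tag, attrs)
        )
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{attr_str} />")
        else:
            self.out.append(f"<{tag}{attr_str}>")
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        tag = tag.lower()
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)
            if tag not in VOID_TAGS:
                self.handle_endtag(tag)
        else:
            self.out.append(html.escape(self.get_starttag_text(), quote=True))

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in ALLOWED_TAGS:
            if tag in self.open_stack:
                # Close anything left open inside it, then the tag itself.
                while self.open_stack:
                    top = self.open_stack.pop()
                    self.out.append(f"</{top}>")
                    if top == tag:
                        break
            # A stray end tag for an allowed element is simply dropped.
        else:
            self.out.append(html.escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        # convert_charrefs=True decoded entities for us; re-escape on output.
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments carry nothing an editor needs; drop them

    def result(self):
        while self.open_stack:  # balance tags the editor forgot to close
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(text):
    """Allow-list sanitiser for a caption that may contain limited HTML."""
    parser = AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample caption, not taken from any real installation.
    caption = 'Photo by <b>Jane &amp; Co</b><br><a href="https://example.org" style="x">site</a>'
    print(escape_all(caption))
    print(sanitize(caption))
```

The design choice worth noting is that unknown tags are escaped rather than stripped: the editor sees exactly what was rejected, and the output is well-formed either way. A blacklist filter such as removeXSS has to enumerate bad patterns and keep up with new ones, whereas an allow-list only has to be right about the handful of tags it permits. In TypoScript terms this is closer to what parseFunc with allowTags / denyTags does than to a post-processing filter on the raw string.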