TYPO3 Forge - TYPO3 Core - Bug #72443: ce image: html tags within image description are rendered improperly
http://forge.typo3.org/issues/72443?journal_id=291021 | 2015-12-26T11:48:13Z | Wouter Wolters | typo3@wouterwolters.nl
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/291021/diff?detail_id=248976">diff</a>)</li><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>Hi Stefan,</p>
<p>This is intended. Please read <a class="external" href="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/">https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/</a> carefully to understand why this behaves like this now.</p>
<p>The core won't change this back.</p>
http://forge.typo3.org/issues/72443?journal_id=291022 | 2015-12-26T11:49:28Z | Anja Leichsenring
<ul><li><strong>Status</strong> changed from <i>Closed</i> to <i>Rejected</i></li><li><strong>Priority</strong> changed from <i>Must have</i> to <i>Won't have this time</i></li></ul>
http://forge.typo3.org/issues/72443?journal_id=291083 | 2015-12-28T12:09:49Z | Stefan Padberg | post@bergische-webschmiede.de
<p>I understand your intentions but I have no possibility to re-activate the insertion of proper HTML content as described in the above link. In all my 6.2.17 installations I find the following TypoScript settings which are the well-known ones. There is no parseFunc call and no stripHTML call:</p>
<p>[caption]<br /> [1] = COA<br /> [1] = TEXT<br /> [data] = file:current:description<br /> [required] = 1<br /> [htmlSpecialChars] = 1<br /> [br] = 1</p>
<p>This TypoScript is not working correctly anymore. So for me this is a bug.</p>
http://forge.typo3.org/issues/72443?journal_id=291084 | 2015-12-28T12:21:16Z | Stefan Padberg | post@bergische-webschmiede.de
<p>I checked the source code of my installations. All Css_styled_content extensions contain the above TS. Is it possible that old Css_styled_content is mixed in the 6.2.17? Or is Css_styled_content not updated automatically?</p>
http://forge.typo3.org/issues/72443?journal_id=291237 | 2015-12-30T15:41:46Z | Stefan Padberg | post@bergische-webschmiede.de
<p>Everything alright. I misunderstood something. Can be closed.</p>
http://forge.typo3.org/issues/72443?journal_id=294051 | 2016-01-18T14:16:00Z | Kaan Sanli
<p>Hi everybody,</p>
<p>I can understand the need to disable html-code in fields like the image description for security reasons. But for some editors it is useful and necessary to use html-code inside that field.</p>
<p>So I changed the TypoScript settings back prior to 6.2.16, but added a userPostFunc to remove XSS.</p>
<p>Here is my code:</p>
<p>tt_content.image.20.caption.1.1 {<br /> parseFunc = < lib.parseFunc<br /> htmlSpecialChars = 0<br /> stdWrap.postUserFunc = TYPO3\CMS\Core\Utility\GeneralUtility->removeXSS<br />}</p>
<p>Wouldn't that be a way to provide the old functionality for editors while minimizing XSS-possibilities?<br />Please correct me, if my solution is insecure.</p>
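<p>Added example (not from this thread and not TYPO3 code): what the htmlSpecialChars = 1 / br = 1 setting quoted above does to a caption, next to an allowlist renderer that keeps only a few inline tags and emits no attributes. The function names, the tag list and the sample description are assumptions made for this illustration.</p>

```php
<?php
// Added illustration in plain PHP; it calls no TYPO3 API. Inputs are constructed.

// Effect of `htmlSpecialChars = 1` plus `br = 1` on the description field:
// markup is output as visible text, newlines become <br />.
function renderEscapedCaption(string $description): string
{
    return nl2br(htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Allowlist alternative. Assumption: editors only need these inline tags.
const ALLOWED_TAGS = ['b', 'strong', 'i', 'em'];

// Rebuild output from the parsed tree: allowed elements are re-emitted without
// attributes, <script>/<style> are dropped, anything else keeps only its text.
function serializeChildren(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->nodeName);
            if ($tag === 'br') {
                $out .= '<br />';
            } elseif (in_array($tag, ALLOWED_TAGS, true)) {
                $out .= "<$tag>" . serializeChildren($child) . "</$tag>";
            } elseif (!in_array($tag, ['script', 'style'], true)) {
                $out .= serializeChildren($child);
            }
        }
    }
    return $out;
}

function renderAllowlistedCaption(string $description): string
{
    $doc = new DOMDocument();
    // The encoding prefix makes libxml treat the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $description,
        LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : serializeChildren($body);
}

// Constructed sample description, as an editor might enter it.
$sample = "<b onclick=\"constructed()\">Cologne</b> at <i>night</i>\n<script>constructed()</script>";
echo renderEscapedCaption($sample), PHP_EOL;
echo renderAllowlistedCaption($sample), PHP_EOL;
```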