TYPO3 Core

I understand your intentions but I have no possiblity to re-activate the insertion of proper HTML content as described in the above link. In all my 6.2.17 installation I find the following Typoscript settings which are the wellknown ones. There is no parseFunc call and no stripHTML call:

[caption]
[1] = COA
[1] = TEXT
[data] = file:current:description
[required] = 1
[htmlSpecialChars] = 1
[br] = 1

This Typoscript is not working correctly anymore. So for me this is a bug.

I checked the source code of my installations. All Css_styled_content extensions contain the above TS. Is it possible that old Css_styled_content is mixed in the 6.2.17? Or is Css_styled_content not updated automatically?

everthing alright. I missunderstood some thing. can be closed

Hi everybody,

I can understand the need to disable html-code in fields like the image description for security reasons. But for some editors it is useful and neccessary to use html-code inside that field.

So I changed the TypoScript settings back prior to 6.2.16, but added a userPostFunc to remove XSS.

Here is my code:

tt_content.image.20.caption.1.1 {
parseFunc = < lib.parseFunc
htmlSpecialChars = 0
stdWrap.postUserFunc = TYPO3\CMS\Core\Utility\GeneralUtility->removeXSS
}

Wouldn't that be a way to provide the old functionality for editors while minimzing XSS-possibilities?
Please correct me, if my solution is insecure.