Bug #79608

Wrong handling with html tags in EXT:form

Added by Georg Ringer about 4 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Form Framework
Target version: -
Start date: 2017-02-03
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

EXT:form strips HTML tags all over the place instead of properly escaping them.

  • If HTML tags (or special chars) are not allowed, like in the name of the form or elements, those should also not be allowed to be entered
  • If HTML tags should be possible (especially in fields like static text), those should be possible to be entered

Related issues

Related to TYPO3 Core - Bug #80343: EXT:form - HTML double-encoding of form name in "form tree" (BE) - Closed - 2017-03-19

#1

Updated by Bjoern Jacob about 4 years ago

  • Status changed from Accepted to Needs Feedback
  • Assignee set to Georg Ringer

Just to get you right, allow us some questions. We do not want to store any HTML tags within the form elements. Especially, the "static text" element should only store plain text without any HTML data. If a special format is needed, the people should use the form element called "Content element".

Could you please explain your concern in more detail? Do you want us to remove any HTML formatting while entering the data into the property fields?

#2

Updated by Martin Kutschker about 4 years ago

Another issue with any < or > in form names is discussed more in #80343.

#3

Updated by Gerrit Code Review about 4 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#4

Updated by Gerrit Code Review about 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#5

Updated by Gerrit Code Review about 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#6

Updated by Gerrit Code Review about 4 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#7

Updated by Gerrit Code Review about 4 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#8

Updated by Bjoern Jacob over 3 years ago

  • Sprint Focus set to Remote Sprint

#9

Updated by Gerrit Code Review over 3 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#10

Updated by Gerrit Code Review over 3 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#11

Updated by Gerrit Code Review over 3 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#12

Updated by Thorben Nissen over 3 years ago

I came across this while trying to build a form element that allows inserting HTML code instead of plain text. That could be very useful if you, e.g., need to display a list within the form.
Creating a content element and then linking to it in just one form is overkill.

#13

Updated by Gerrit Code Review over 3 years ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#14

Updated by Gerrit Code Review over 3 years ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/52093

#15

Updated by Bjoern Jacob about 3 years ago

  • Sprint Focus deleted (Remote Sprint)

#16

Updated by Bjoern Jacob almost 3 years ago

  • Status changed from Under Review to Closed
  • Assignee deleted (Georg Ringer)

We continue this topic with a different solution: #84849. I am closing this issue in favor of #84849.
