Bug #91194

Faulty follow-up tag detection in parseFunc & Co. (regression)

Added by Joschi Kuphal over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Content Rendering
Target version:
Start date:
2020-04-25
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.3
Tags:
Complexity:
easy
Is Regression:
Yes
Sprint Focus:

Description

As of version 10.4.0, the ContentObjectRenderer fails to parse <abbr> elements correctly that are nested within <a> element. The reason is sort of an edge case but presumably this might happen with other element combinations as well. Basically, the problem is that the start elements for links and abbreviations both start with "<a" and the parsing routines don't consider the remainder when scanning for matching follow-up elements.

There are two spots in ContentObjectRenderer that need to get fixed. The patch illustrates the problem (and a possible solution), but obviously something better than Regex might be used.


Files

ContentObjectRenderer.patch (1.22 KB) ContentObjectRenderer.patch Joschi Kuphal, 2020-04-25 12:08

Related issues

Related to TYPO3 Core - Bug #39261: parseFunc does not handle nested tags correctClosed2012-07-25

Actions
#1

Updated by Michael Sollmann over 1 year ago

Additionally you have to check for the existence of $conf['tags.'] in line 3933 before using it in the foreach loop.

Something like:
if (strpos($data, '<') !== false && $conf['tags.']) {
foreach ($conf['tags.'] as $tag => $tagConfig) {

instead of:
if (strpos($data, '<') !== false) {
foreach ($conf['tags.'] as $tag => $tagConfig) {

Without this check it leads to an error in one of my 10.4.0 installations.

#2

Updated by Josef Glatz over 1 year ago

  • Related to Bug #91172: html comments in fluid template lead to exception added
#3

Updated by Oliver Hader over 1 year ago

  • Private changed from No to Yes
#4

Updated by Oliver Hader over 1 year ago

Investigating...

#5

Updated by Oliver Hader over 1 year ago

  • Related to deleted (Bug #91172: html comments in fluid template lead to exception)
#7

Updated by Oliver Hader over 1 year ago

Thanks for your report. This issue might have security implications - that's the reason why it is set to private for the time being.

As far as I understood, the failing HTML in CKEditor might look linke this (abbr nested in anchor tag), correct?

<a href="https://example.org/" target="..."><abbr>Content</abbr></a>

#8

Updated by Joschi Kuphal over 1 year ago

Exactly! There might be other combinations as well, e.g. <s><span>bla</span></s> (super rare, i know, but possible), but I didn't test these.

#9

Updated by Oliver Hader over 1 year ago

  • Related to Bug #39261: parseFunc does not handle nested tags correct added
#10

Updated by Oliver Hader over 1 year ago

https://review.typo3.org/c/Packages/TYPO3.CMS/+/58946 introduced first with TYPO3 v10.4.0

#11

Updated by Oliver Hader over 1 year ago

  • Private changed from Yes to No
#12

Updated by Oliver Hader over 1 year ago

Does not seem to be related to security topics... in case anyone identifies a potential vulnerability here, please report to

Moved from private to public again - the patch you provided seems to be okay...

#13

Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64409

#14

Updated by Oliver Hader over 1 year ago

I've pushed the provided patch (keeping author details) to Gerrit and would provide additional test cases for it...

#15

Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64409

#16

Updated by Joschi Kuphal over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#17

Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF