Bug #91194
closed
Faulty follow-up tag detection in parseFunc & Co. (regression)
100%
Description
As of version 10.4.0, the ContentObjectRenderer fails to parse <abbr> elements correctly that are nested within <a> element. The reason is sort of an edge case but presumably this might happen with other element combinations as well. Basically, the problem is that the start elements for links and abbreviations both start with "<a" and the parsing routines don't consider the remainder when scanning for matching follow-up elements.
There are two spots in ContentObjectRenderer that need to get fixed. The patch illustrates the problem (and a possible solution), but obviously something better than Regex might be used.
Files
Updated by Michael Sollmann over 4 years ago
Additionally you have to check for the existence of $conf['tags.'] in line 3933 before using it in the foreach loop.
Something like: if (strpos($data, '<') !== false && $conf['tags.']) {
foreach ($conf['tags.'] as $tag => $tagConfig) {
instead of:if (strpos($data, '<') !== false) {
foreach ($conf['tags.'] as $tag => $tagConfig) {
Without this check it leads to an error in one of my 10.4.0 installations.
Updated by Josef Glatz over 4 years ago
- Related to Bug #91172: html comments in fluid template lead to exception added
Updated by Oliver Hader over 4 years ago
- Related to deleted (Bug #91172: html comments in fluid template lead to exception)
Updated by Oliver Hader over 4 years ago
Thanks for your report. This issue might have security implications - that's the reason why it is set to private for the time being.
As far as I understood, the failing HTML in CKEditor might look linke this (abbr nested in anchor tag), correct?
<a href="https://example.org/" target="..."><abbr>Content</abbr></a>
Updated by Joschi Kuphal over 4 years ago
Exactly! There might be other combinations as well, e.g. <s><span>bla</span></s> (super rare, i know, but possible), but I didn't test these.
Updated by Oliver Hader over 4 years ago
- Related to Bug #39261: parseFunc does not handle nested tags correct added
Updated by Oliver Hader over 4 years ago
https://review.typo3.org/c/Packages/TYPO3.CMS/+/58946 introduced first with TYPO3 v10.4.0
Updated by Oliver Hader over 4 years ago
Does not seem to be related to security topics... in case anyone identifies a potential vulnerability here, please report to security@typo3.org
Moved from private to public again - the patch you provided seems to be okay...
Updated by Gerrit Code Review over 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64409
Updated by Oliver Hader over 4 years ago
I've pushed the provided patch (keeping author details) to Gerrit and would provide additional test cases for it...
Updated by Gerrit Code Review over 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64409
Updated by Joschi Kuphal over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 03f531061733702aaf423e973976b898ca33173d.
Updated by