Bug #92051

f:asset.script breaks ampersands and thus functionality

Added by Raphael Zschorsch about 1 year ago. Updated about 1 year ago.

Status: New
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2020-08-19
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version: 7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Adding this code:

<f:asset.script identifier="googleApi" src="https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places" />

results in a frontend output:

<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY&amp;amp;libraries=places"></script>

The original ampersand is already converted when added to the AssetCollector, which is correct, I suppose, but it is then htmlspecialchar'd again in AssetRenderer.php in line 105 through the implodeAttributes function, which results in the double manipulation of the ampersand:

$attributesString = count($attributes) ? ' ' . GeneralUtility::implodeAttributes($attributes, true) : '';

If I set the second parameter to false, it works.


Related issues

Related to TYPO3 Core - Feature #90522: Introduce AssetCollector (Closed, Frank Naegler, 2020-02-24)
Related to TYPO3 Core - Bug #92284: <f:asset.script> ViewHelper double escape the src attribute (Closed, Frank Naegler, 2020-09-10)
#1

Updated by Oliver Hader about 1 year ago

  • Status changed from New to Needs Feedback

Setting the second parameter to false would allow cross-site scripting → we don't want that...
Probably ScriptViewHelper has to be adjusted. In any case, having automated tests for that would help here.
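
The double encoding from the description and the risk raised in comment #1, as an added example that is not part of this thread and not TYPO3 code: `renderAttributes()`, `scriptTag()` and `expectContains()` are hypothetical stand-ins, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for an attribute renderer (hypothetical, not TYPO3 code).
// With $escape = true each value is HTML-encoded while the tag is built.
function renderAttributes(array $attributes, bool $escape): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        $value = (string)$value;
        if ($escape) {
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        $parts[] = $name . '="' . $value . '"';
    }
    return implode(' ', $parts);
}

function scriptTag(string $src, bool $escape): string
{
    return '<script ' . renderAttributes(['src' => $src], $escape) . '></script>';
}

function expectContains(string $html, string $needle): void
{
    if (strpos($html, $needle) === false) {
        throw new RuntimeException("Expected '$needle' in: $html");
    }
}

// Constructed sample values.
$url = 'https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places';
$hostile = 'x.js" data-injected="1';

// 1. Reported behaviour: encoded when collected, encoded again when rendered.
$collected = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
expectContains(scriptTag($collected, true), 'API_KEY&amp;amp;libraries');

// 2. Escaping switched off at render time: a raw value containing a quote
//    closes the src attribute and adds an attribute of its own.
expectContains(scriptTag($hostile, false), 'src="x.js" data-injected="1"');

// 3. Keep the raw value in the collection and encode exactly once on output:
//    the URL stays intact and the quote is neutralised.
expectContains(scriptTag($url, true), 'API_KEY&amp;libraries');
expectContains(scriptTag($hostile, true), 'src="x.js&quot; data-injected=&quot;1"');

echo scriptTag($url, true), PHP_EOL;
```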

#2

Updated by Oliver Hader about 1 year ago

#3

Updated by Oliver Hader about 1 year ago

  • Status changed from Needs Feedback to New

#4

Updated by Raphael Zschorsch about 1 year ago

I only set the parameter to false to check if it has something to do with htmlspecialchars :)

#5

Updated by Raphael Zschorsch 11 months ago

  • Related to Bug #92284: <f:asset.script> ViewHelper double escape the src attribute added
