Project

General

Profile

Actions

Bug #92051

closed

f:asset.script breaks ampersands and thus functionality

Added by Raphael Zschorsch over 3 years ago. Updated 8 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2020-08-19
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Adding this code:

<f:asset.script identifier="googleApi" src="https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places" />

results in a frontend output:

<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY&amp;amp;libraries=places"></script>

The original ampersand is already converted when added to the AssetCollector, which is correct, I suppose but then again htmlspecialchar'd in AssetRenderer.php in line 105 through the implodeAttributes function which results in the double manipulation of the ampersand:

$attributesString = count($attributes) ? ' ' . GeneralUtility::implodeAttributes($attributes, true) : '';

If I set the second parameter to false, it works.


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Feature #90522: Introduce AssetCollectorClosedFrank Nägler2020-02-24

Actions
Related to TYPO3 Core - Bug #92284: <f:asset.script> ViewHelper double escape the src attributeClosedFrank Nägler2020-09-10

Actions
Actions #1

Updated by Oliver Hader over 3 years ago

  • Status changed from New to Needs Feedback

Setting the second parameter to false would allow cross-site scripting → we don't want that...
Probably ScriptViewHelper has to be adjusted. In any way, having automated tests for that would help here.

Actions #2

Updated by Oliver Hader over 3 years ago

Actions #3

Updated by Oliver Hader over 3 years ago

  • Status changed from Needs Feedback to New
Actions #4

Updated by Raphael Zschorsch over 3 years ago

I only set the parameter to false to check if it has something to do with htmlspecialchars :)

Actions #5

Updated by Raphael Zschorsch over 3 years ago

  • Related to Bug #92284: <f:asset.script> ViewHelper double escape the src attribute added
Actions #6

Updated by Riccardo De Contardi 8 months ago

I think it has been solved: I performed the following test on TYPO3 11.x, 12.x, 13.x:

- add the following code to my Fluid page template:

<f:asset.script identifier="googleApi" src="https://maps.googleapis.com/maps/api/js?key=API_KEY&libraries=places" />

Result

on all the TYPO3 version tested the output has been:

<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY&amp;libraries=places"></script>
Actions #7

Updated by Riccardo De Contardi 8 months ago

  • Status changed from New to Closed

I have been confirmed that the problem has been solved with https://forge.typo3.org/issues/92284 - closing this issue.

If you think that this is the wrong decision or experience the issue again, please reopen it or open a new issue with a reference to this one. Thank you.

Actions

Also available in: Atom PDF