Bug #93012

closed

Email addresses are not wrapped in A tag if config.spamProtectEmailAddresses is set

Added by Rémy DANIEL over 3 years ago. Updated over 1 year ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Frontend
Target version: -
Start date: 2020-12-07
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When the config.spamProtectEmailAddresses is set, a mailto: string passed through lib.parseFunc is transformed to a mailto link, with an href of the form "javascript:linkTo_UnCryptMailto()".

Problem, the <a> tag is removed in the rendered html, only the stays.

If I set config.spamProtectEmailAddresses to 0, the <a href="mailto:xxx@yyy.zzz">xxx@yyy.zzz</a> is present in the rendered html.

When debugging, I found that the makelinks conf of lib.parseFunc works well, but just after, the tags.a conf triggers a TEXT cObj with the <a href="javascript:linkTo_UnCryptMailto()">xxx@yyy.zzz</a> as value, and typolink removes the javascript: href, for security reasons (see ContentObjectRenderer->resolveMixedLinkParameter).

How to reproduce:

page = PAGE
page.config.disableAllHeaderCode = 1
page.config.spamProtectEmailAddresses = -3
page.10 = TEXT
page.10.value = mailto:xxx@yyy.zzz
page.10.stdWrap.parseFunc < lib.parseFunc

Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #39261: parseFunc does not handle nested tags correct (Closed, 2012-07-25)

Actions #1

Updated by Rémy DANIEL over 3 years ago

As a workaround, I disabled spamProtectEmailAddresses and email addresses are now clickable in frontend.
The drawback is that there is no more spam protection on email addresses.

Actions #2

Updated by Daniel Siepmann over 2 years ago

Looks like TYPO3 first detects the mailto and creates a link out of it, via method mailto_makelinks within ContentObjectRenderer. It then processes all found and configured tags, e.g. a tags. That way it will process the previously generated a tag.

That will then fail. I do not yet fully understand why, but probably due to "invalid" value? The _parseFunc() method will call the configured cObject TEXT to build the a tag. That seems to fail.

I guess the highlighted lines in the given commit introduced the issue: https://github.com/TYPO3/typo3/commit/43d0fa1e78765ab1272f2f06d4a86a0c667ac538#diff-8e9ce7124a168de37f8a901cda889082df4ab9447ff2b56358fde80250a01b3aR3891-R3900

The default parseFunc will render a tags. That will end in the typolink method, which will use the existing href parameter which starts with javascript. There is no handler and javascript is considered insecure and therefore not linked, see: https://github.com/TYPO3/typo3/blob/v10.4.22/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php#L5082

Review: https://review.typo3.org/c/Packages/TYPO3.CMS/+/58946
Related issue: #39261

One could use the deprecated hook in v10.4 to custom resolve the link and circumvent the issue. But that won't work with v11 (according to the v10 code base) as the hook is then gone and the custom link handler result will be blocked.
One could add a custom link handler which converts the already rendered and protected link back to be processed again, which sounds stupid and unnecessarily complex.
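
The interaction described in the comments above, as a simplified model added here; it is not part of the original thread and not TYPO3 core code. The function names, the scheme allowlist and the str_rot13 stand-in encoding are assumptions made for illustration.

```php
<?php
// Simplified model of the two passes discussed in this issue (PHP 7.4+).
// All function names are hypothetical; this is not TYPO3 core code.

// Pass 1 (models makelinks): wrap "mailto:addr" in an anchor.
function makeMailLinks(string $text, bool $spamProtect): string
{
    return preg_replace_callback(
        '/mailto:([^\s<>"]+@[^\s<>"]+)/',
        static function (array $m) use ($spamProtect): string {
            // Stand-in encoding; the real obfuscation is not reproduced here.
            $href = $spamProtect
                ? "javascript:linkTo_UnCryptMailto('" . rawurlencode(str_rot13($m[0])) . "')"
                : $m[0];
            return '<a href="' . htmlspecialchars($href) . '">' . htmlspecialchars($m[1]) . '</a>';
        },
        $text
    ) ?? $text;
}

// Models the scheme check in typolink: no handler for the scheme, no link.
function buildLink(string $href, string $label): string
{
    $scheme = preg_match('/^([a-z][a-z0-9+.-]*):/i', $href, $m) ? strtolower($m[1]) : '';
    if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return $label; // anchor dropped, only the link text survives
    }
    return '<a href="' . htmlspecialchars($href) . '">' . $label . '</a>';
}

// Pass 2 (models tags.a): every <a> tag in the text is rebuilt, including
// the one pass 1 just generated.
function processAnchorTags(string $html): string
{
    return preg_replace_callback(
        '/<a\s+href="([^"]*)">(.*?)<\/a>/s',
        static fn (array $m): string => buildLink(html_entity_decode($m[1]), $m[2]),
        $html
    ) ?? $html;
}

$input = 'mailto:xxx@yyy.zzz'; // value from the reproduction setup above
foreach ([false, true] as $spamProtect) {
    $out = processAnchorTags(makeMailLinks($input, $spamProtect));
    printf("spamProtect=%d anchorKept=%d output=%s\n", $spamProtect, strpos($out, '<a ') !== false, $out);
}
```

With spam protection off the anchor survives both passes; with it on, the second pass sees a javascript: href and returns only the address text.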

Actions #3

Updated by Daniel Siepmann over 2 years ago

  • Related to Bug #39261: parseFunc does not handle nested tags correct added

Actions #4

Updated by Gerrit Code Review over 2 years ago

  • Status changed from New to Under Review

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72871

Actions #5

Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72871

Actions #6

Updated by Gerrit Code Review over 2 years ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72871

Actions #7

Updated by Gerrit Code Review over 2 years ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72871

Actions #8

Updated by Gerrit Code Review over 2 years ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72912

Actions #9

Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72912

Actions #10

Updated by Benni Mack over 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #11

Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed