Bug #94776
closedBug #94787: Tracking issue related to HTML sanitization issues
Email Links with config.spamProtectEmailAddresses = 2 do not work after Update
100%
Description
After Updating from 10.4.18 to 10.4.19, Using
config.spamProtectEmailAddresses = 2 config.spamProtectEmailAddresses_atSubst = (at)
Links to Emailadresses do not work correctly anymore. Before the following HTML was generated:
<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">info(at)example.com</a>
Now the HTML Output ist:
<a>info(at)example.com</a>
Therefore linking emailadresses does not work anymore.
In the source code of the RTE they are displayed like this:
<a href="mailto:info@example.com">info@example.com </a>
If I disable spamProtectEmailAddresses the emailadress is generated.
Updated by Torben Hansen about 3 years ago
TYPO3 HTML Sanitizer strips those href
attributes for links. Created PR so href
values starting with javascript:linkTo_UnCryptMailto
are accepted: https://github.com/TYPO3/html-sanitizer/pull/15
Updated by ian ian about 3 years ago
I add that I have configured:
spamProtectEmailAddresses = ascii
and the email address are not translated to a Unicode HTML notation.
Updated by Gerrit Code Review about 3 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70411
Updated by Gerrit Code Review about 3 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70411
Updated by Oliver Hader about 3 years ago
Christian Toffolo wrote in #note-7:
I add that I have configured:
[...]
and the email address are not translated to a Unicode HTML notation.
Example:
<a href="mailto:some.body@test.typo3.org">some.body(at)test.typo3(dot)org</a>
The underlying library we're using decodes HTML hex/numeric entities per default, which actually is a good thing for having normalized attribute values additional checks can be performed on.
https://github.com/Masterminds/html5-php/blob/2.7.5/src/HTML5/Parser/Tokenizer.php#L565-L588
I'm pretty much convinced that spam bots are looking either for mailto:
AND mailto:
(as the entity encoded pendant) to extract email addresses. DOM-based crawlers are resolving entities automatically (exactly like Masterminds/html5-php
does).
Yes, it is a change in behavior - but I think, it is not worth fixing it, because it does not add any additional "protection". What do you think?
Updated by Oliver Hader about 3 years ago
- Category set to Security
- TYPO3 Version changed from 10 to 9
Updated by Gerrit Code Review about 3 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70414
Updated by Gerrit Code Review about 3 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70415
Updated by Torben Hansen about 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 4871338cddb7357e44152f34c5aa2d087b9d835a.
Updated by Gerrit Code Review about 3 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70416
Updated by Sven Juergens about 3 years ago
hi, one question. Unfortunately, some of our pages are affected by this bug, so I wanted to ask is a regression update of TYPO3 to be expected this week or later? If it should be later, I would start to patch the pages manually first. I would just like to avoid patching all the pages and then there is an update immediately afterwards :)
Updated by Oliver Hader about 3 years ago
Sven Juergens wrote in #note-17:
hi, one question. Unfortunately, some of our pages are affected by this bug, so I wanted to ask is a regression update of TYPO3 to be expected this week or later? If it should be later, I would start to patch the pages manually first. I would just like to avoid patching all the pages and then there is an update immediately afterwards :)
Please see parent issue #94787 to get an overview. I fear there will be more issues/reports during the next few hours/days. It's obvious there will be new release packages, however it is currently not defined when that shall happen.
It also is kind of a chicken-egg problem - people not upgrading, waiting for new releases and then finding new bugs in those new releases because they were not tested earlier...
Updated by Gerrit Code Review about 3 years ago
Patch set 2 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70416
Updated by Johannes Nielsen about 3 years ago
I add that setting
config.spamProtectEmailAddresses_atSubst = @ config.spamProtectEmailAddresses_lastDotSubst = .
now has no effect anymore. We often do this as a compromise between good spam protection and usability as there are still quite many users that copy-paste the e-mail address rather than simply clicking the email-link.
Updated by Oliver Hader about 3 years ago
As mentioned above already, spamProtectEmailAddresses
and especially ascii
or any substitutions do not offer much protection.
Just as a side-note, CloudFlare is using something like this to obfuscate email addresses:
https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-
<a href="/cdn-cgi/l/email-protection#f59dc1969ec3c2c4c7c6c1b59dc1969ec687c6c4db9b9081" role="button" title="Mail"><i class="fa fa-envelope"></i><span class="__cf_email__" data-cfemail="462e72252d707177747572062e72252d7534757768282332">[email protected]</span></a>
Updated by Torben Hansen about 3 years ago
- Status changed from Under Review to Resolved
Applied in changeset d80cac5cc016523e5570c2bf7d30699642c810b5.
Updated by ian ian about 3 years ago
I agree that spamProtectEmailAddresses=ascii
does not offer the best protection, but in most cases it's enough. In my experience, many sites running for many years, the email addresses published usually are not affected by spammers.
Isn't possible to add a TYPO3 config option to disable the sanitizer for mailto:
links?
And then, in DefaultSanitizerBuilder.php
, code something like:
$isMailtoUri = new Behavior\RegExpAttrValue('#^mailto:#');?
This is to give the site admin the possibility to choose.
Updated by Oliver Hader about 3 years ago
- Status changed from Resolved to On Hold
Updated by Oliver Hader about 3 years ago
- Status changed from On Hold to Resolved
Updated by Georg Ringer about 3 years ago
- Related to Bug #94833: mailto-Links in RTE will not get rendered in frontend added
Updated by Oliver Hader about 3 years ago
- Status changed from Resolved to On Hold
Updated by Oliver Hader about 3 years ago
- Status changed from On Hold to Resolved
Updated by Benni Mack almost 3 years ago
- Status changed from Resolved to Closed