Bug #94786

Bug #94787: Tracking issue related to HTML sanitization issues

Relax behavior of HTML sanitization

Added by Oliver Hader 4 months ago. Updated about 2 months ago.

Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2021-08-10
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:

Description

Related to https://typo3.org/security/advisory/typo3-core-sa-2021-013

Currently, the property lib.parseFunc.htmlSanitize = 1 is enforced unless the behavior has been explicitly disabled.

The idea is to relax the behavior a bit by targeting the actual use cases:

  • f:format.html view-helper (using new attribute, being enabled per default)
  • RTE-related invocation of stdWrap.parseFunc (no idea yet, how to tackle)
