Project

General

Profile

Actions

Bug #94786

closed

Bug #94787: Tracking issue related to HTML sanitization issues

Relax behavior of HTML sanitization

Added by Oliver Hader over 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2021-08-10
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

Related to https://typo3.org/security/advisory/typo3-core-sa-2021-013

Currently property lib.parseFunc.htmlSanitize = 1 is enforced, in case the behavior has not been explicitly disabled.

The idea is to relax the behavior a bit, by target the actual use-cases:

  • f:format.html view-helper (using new attribute, being enabled per default)
  • RTE-related invocation of stdWrap.parseFunc (no idea yet, how to tackle)

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Task #96520: Enforce non-empty configuration in ContentObjectRenderer::parseFuncClosed2022-01-12

Actions
Related to TYPO3 Core - Task #96831: Drop html-sanitizer fall-back behavior in parseFuncClosed2022-02-11

Actions
Actions

Also available in: Atom PDF