Bug #94787

Tracking issue related to HTML sanitization issues

Added by Oliver Hader about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2021-08-10
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:


Subtasks

  • Bug #94776: Email Links with config.spamProtectEmailAddresses = 2 do not work after Update (Resolved, Torben Hansen, 2021-08-11)
  • Bug #94823: sanitizeHtml disables email when config.spamProtectEmailAddresses is enabled (Closed, 2021-08-11)
  • Bug #94848: spamProtectEmailAddresses not working since TYPO3 10.4.19 (Closed, 2021-08-12)
  • Bug #94885: Mailto Links missing href (Closed, 2021-08-13)
  • Bug #94786: Relax behavior of HTML sanitization (Resolved, Oliver Hader, 2021-08-10)
  • Task #94797: Enhance documentation for integration of html-sanitizer (Resolved, Oliver Hader, 2021-08-11)
  • Bug #94804: Handle deprecated/legacy HTML markup (Resolved, Oliver Hader, 2021-08-11)
  • Bug #94810: Unable to disable html sanitize (Closed, 2021-08-11)
  • Feature #94825: Introduce explicit f:sanitize.html view-helper (Closed, Oliver Hader, 2021-08-11)
  • Task #94836: <meta> gets sanitized (Closed, Oliver Hader, 2021-08-12)
  • Task #94837: Forward initiator to typo3/html-sanitizer (Closed, Oliver Hader, 2021-08-12)
  • Task #94849: Upgrade to typo3/html-sanitizer v2.0.8 (Closed, Oliver Hader, 2021-08-12)
  • Task #94857: Add status quo tests for f:format.html (Closed, Oliver Hader, 2021-08-12)
  • Bug #94866: Generated onclick events for image-zoom, typolink and HMENU removed (Closed, Oliver Hader, 2021-08-13)
  • Task #94883: Upgrade to typo3/html-sanitizer v2.0.9 (Closed, Oliver Hader, 2021-08-13)
#1

Updated by Oliver Hader about 1 month ago

  • Status changed from New to Needs Feedback
#2

Updated by Christian Toffolo about 1 month ago

Probably related is the fact that now a source RTE HTML like:

<table align="left" border="2" cellpadding="10" cellspacing="10" style="width:100%">

is transformed into
<table style="width:100%">

Practically all obsolete <table> attributes are removed but those are still settable (therefore usable by the editor) in CKEditor.

#3

Updated by Oliver Hader about 1 month ago

Christian Toffolo wrote in #note-2:

Practically all obsolete <table> attributes are removed but those are still settable (therefore usable by the editor) in CKEditor.

Is this markup directly produced in CKEditor, or is it generated/processed in some Fluid template, processor or whatsoever?

#4

Updated by Oliver Hader about 1 month ago

  • Category set to Security
#5

Updated by Christian Toffolo about 1 month ago

Oliver Hader wrote in #note-3:

Christian Toffolo wrote in #note-2:

Practically all obsolete <table> attributes are removed but those are still settable (therefore usable by the editor) in CKEditor.

Is this markup directly produced in CKEditor, or is it generated/processed in some Fluid template, processor or whatsoever?

<table align="left" border="2" cellpadding="10" cellspacing="10" style="width:100%">
is produced in a CKEditor field in the BE and saved into the DB without alterations.
The table attributes are removed in the FE. I didn't debug where exactly but it's for sure processed by Fluid.
#6

Updated by Oliver Hader about 1 month ago

@ChristianToffolo I've created a new issue for legacy markup in #94804, please let's continue there with details.

#7

Updated by Georg Ringer about 1 month ago

  • Related to Bug #94801: Updating from TYPO3 9.5.27 to 9.5.28+ leads to timeout in upgrade wizards check and reports module added
#8

Updated by Georg Ringer about 1 month ago

  • Related to deleted (Bug #94801: Updating from TYPO3 9.5.27 to 9.5.28+ leads to timeout in upgrade wizards check and reports module)
#9

Updated by Georg Ringer about 1 month ago

#10

Updated by Oliver Hader about 1 month ago

  • Status changed from Needs Feedback to Resolved
