Project

General

Profile

Actions
Copy link

Bug #94787

closed

Tracking issue related to HTML sanitization issues

Added by Oliver Hader over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2021-08-10
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

as a result of https://typo3.org/security/advisory/typo3-core-sa-2021-013

Subtasks 15 (0 open15 closed)

Bug #94776: Email Links with config.spamProtectEmailAddresses = 2 do not work after UpdateClosedTorben Hansen2021-08-11

Actions
Bug #94823: sanitizeHtml disables email when config.spamProtectEmailAddresses is enabledClosed2021-08-11

Actions
Bug #94848: spamProtectEmailAddresses not working since TYPO3 10.4.19Closed2021-08-12

Actions
Bug #94885: Mailto Links missing hrefClosed2021-08-13

Actions
Bug #94786: Relax behavior of HTML sanitizationClosedOliver Hader2021-08-10

Actions
Task #94797: Enhance documentation for integration of html-sanitizerClosedOliver Hader2021-08-11

Actions
Bug #94804: Handle deprecated/legacy HTML markupClosedOliver Hader2021-08-11

Actions
Bug #94810: Unable to disable html sanitize Closed2021-08-11

Actions
Feature #94825: Introduce explicit f:sanitize.html view-helperClosedOliver Hader2021-08-11

Actions
Task #94836: <meta> gets sanitizedClosedOliver Hader2021-08-12

Actions
Task #94837: Forward initiator to typo3/html-sanitizerClosedOliver Hader2021-08-12

Actions
Task #94849: Upgrade to typo3/html-sanitizer v2.0.8ClosedOliver Hader2021-08-12

Actions
Task #94857: Add status quo tests for f:format.htmlClosedOliver Hader2021-08-12

Actions
Bug #94866: Generated onclick events for image-zoom, typolink and HMENU removedClosedOliver Hader2021-08-13

Actions
Task #94883: Upgrade to typo3/html-sanitizer v2.0.9ClosedOliver Hader2021-08-13

Actions
Actions
Copy link
 #1

Updated by Oliver Hader over 2 years ago

  • Status changed from New to Needs Feedback
Actions
Copy link
 #2

Updated by Christian Toffolo over 2 years ago

Probably related is the fact that now a source RTE HTML like:

<table align="left" border="2" cellpadding="10" cellspacing="10" style="width:100%">

is transformed in
<table style="width:100%">

Practically all obsolete <table> attributes are removed but those are still settable (therefore usable by the editor) in CKEditor.

Actions
Copy link
 #3

Updated by Oliver Hader over 2 years ago

Christian Toffolo wrote in #note-2:

Practically all obsolete <table> attributes are removed but those are still settable (therefore usable by the editor) in CKEditor.

Is this markup directly produced in CKEditor, or is it generated/processed in some Fluid template, processor or whatsoever?

Actions
Copy link
 #4

Updated by Oliver Hader over 2 years ago

  • Category set to Security
Actions
Copy link
 #5

Updated by Christian Toffolo over 2 years ago

Oliver Hader wrote in #note-3:

Christian Toffolo wrote in #note-2:

Practically all obsolete <table> attributes are removed but those are still settable (therefore usable by the editor) in CKEditor.

Is this markup directly produced in CKEditor, or is it generated/processed in some Fluid template, processor or whatsoever?

<table align="left" border="2" cellpadding="10" cellspacing="10" style="width:100%">
is produced in a CKEditor field in the BE and saved into the DB without alterations.
The table attributes are removed in the FE. I didn't debug where exactly but it's for sure processed by Fluid.
Actions
Copy link
 #6

Updated by Oliver Hader over 2 years ago

@ChristianToffolo I've create a new issue for for legacy markup in #94804, please let's continue there with details.

Actions
Copy link
 #7

Updated by Georg Ringer over 2 years ago

  • Related to Bug #94801: Updating from TYPO3 9.5.27 to 9.5.28+ leads to timeout in upgrade wizards check and reports module added
Actions
Copy link
 #8

Updated by Georg Ringer over 2 years ago

  • Related to deleted (Bug #94801: Updating from TYPO3 9.5.27 to 9.5.28+ leads to timeout in upgrade wizards check and reports module)
Actions
Copy link
 #9

Updated by Georg Ringer over 2 years ago

Actions
Copy link
 #10

Updated by Oliver Hader over 2 years ago

  • Status changed from Needs Feedback to Resolved
Actions
Copy link
 #11

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF