Task #94836

Bug #94787: Tracking issue related to HTML sanitization issues

<meta> gets sanitized

Added by Jöran Kurschatke 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2021-08-12
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

I am using <meta itemprop="xyz" content="xzy"> for implementing schema.org Schemata. These get sanitized in 10.4.19:

Thu, 12 Aug 2021 13:59:09 +0200 [DEBUG] request="8adc0a122842f" component="TYPO3.HtmlSanitizer.Visitor.CommonVisitor": Found unexpected tag {nodeName} - {"behavior":"default","nodeName":"meta"}

Should these be a default for the default sanitizer?

Related to #94787

#1

Updated by Georg Ringer 2 months ago

  • Related to Bug #94787: Tracking issue related to HTML sanitization issues added
#2

Updated by Georg Ringer 2 months ago

  • Status changed from New to Accepted
#3

Updated by Oliver Hader 2 months ago

  • Status changed from Accepted to Needs Feedback

Is the <meta> tag coming from a rich-text input field (I doubt, it does)?

#4

Updated by Oliver Hader 2 months ago

  • Parent task set to #94787
#5

Updated by Jöran Kurschatke 2 months ago

Oliver Hader wrote in #note-3:

Is the <meta> tag coming from a rich-text input field (I doubt, it does)?

No it is not, but i thought it may relate to this issue, since it occurs after the update and gets an log entry. It is part of an content string, that gets rendered with <f:format.html> from fluid.

content = CONTENT
content {
    table = tt_content
    select {
        orderBy = sorting
        where = colPos=0
        languageField = sys_language_uid
    }
}

and

<f:format.html><f:spaceless>{content}</f:spaceless></f:format.html>

If this is intended to not work anymore, sorry for bothering you.

#6

Updated by Oliver Hader 2 months ago

@Jöran, don't worry, these are scenarios that seem to be actually used - thus, I'm thinking about solutions here.

I've been working on a way to actually analyze other invocations causing sanitization trouble (just in case there are other occurrences besides the <f:format.html> you mentioned). Feel free to try out https://forge.typo3.org/issues/94837 and the installation/patching instructions that are currently required - as long as thing patch is pending and not merged yet.

#7

Updated by Jöran Kurschatke 2 months ago

Okay for now, i quick fixed it with an own DefaultSanitizerBuilder – thanks for the documentation there!

I'll check the new typo3/html-sanitizer package later this evening.

As solutions:

If needed anywhere and for documentation:

namespace My\Namespace\HtmlSanitizer;

use TYPO3\CMS\Core\Html\DefaultSanitizerBuilder;
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\BuilderInterface;

class MetaSanitizer extends DefaultSanitizerBuilder implements BuilderInterface
{
    public function createBehavior(): Behavior
    {
        // extends existing behavior, adds new tag
        return parent::createBehavior()
            ->withName('meta')
            ->withTags(
                (new Behavior\Tag('meta', Behavior\Tag::ALLOW_CHILDREN))
                    ->addAttrs(
                        new Behavior\Attr('content'),
                        ...$this->globalAttrs
                    )
            );
    }
}

and

$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer'] = [
    'default' => \My\Namespace\HtmlSanitizer\MetaSanitizer::class
]

itemprop is not needed since it is part of the CommonBuilder::createGlobalAttrs() array.

#8

Updated by Oliver Hader 2 months ago

FYI: Added in https://github.com/TYPO3/html-sanitizer/commit/2fb9e716edfc051f0e407df39c0cc443e65568eb, will be part of typo3/html-sanitizer:2.0.9 then.

#9

Updated by Oliver Hader 2 months ago

  • Category changed from Frontend to Security
  • Status changed from Needs Feedback to Resolved
  • Assignee set to Oliver Hader
#10

Updated by Oliver Hader 2 months ago

  • Tracker changed from Bug to Task
  • Is Regression deleted (Yes)
#11

Updated by Benni Mack about 1 month ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF