Task #94836

closed

Bug #94787: Tracking issue related to HTML sanitization issues

<meta> gets sanitized

Added by Jöran Kurschatke over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2021-08-12
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

I am using <meta itemprop="xyz" content="xzy"> for implementing schema.org Schemata. These get sanitized in 10.4.19:

Thu, 12 Aug 2021 13:59:09 +0200 [DEBUG] request="8adc0a122842f" component="TYPO3.HtmlSanitizer.Visitor.CommonVisitor": Found unexpected tag {nodeName} - {"behavior":"default","nodeName":"meta"}

Should these be a default for the default sanitizer?

Related to #94787

Actions #1

Updated by Georg Ringer over 2 years ago

  • Related to Bug #94787: Tracking issue related to HTML sanitization issues added
Actions #2

Updated by Georg Ringer over 2 years ago

  • Status changed from New to Accepted
Actions #3

Updated by Oliver Hader over 2 years ago

  • Status changed from Accepted to Needs Feedback

Is the <meta> tag coming from a rich-text input field (I doubt it does)?

Actions #4

Updated by Oliver Hader over 2 years ago

  • Parent task set to #94787
Actions #5

Updated by Jöran Kurschatke over 2 years ago

Oliver Hader wrote in #note-3:

Is the <meta> tag coming from a rich-text input field (I doubt it does)?

No, it is not, but I thought it might relate to this issue, since it occurs after the update and produces a log entry. It is part of a content string that gets rendered with <f:format.html> from Fluid.

content = CONTENT
content {
    table = tt_content
    select {
        orderBy = sorting
        where = colPos=0
        languageField = sys_language_uid
    }
}

and

<f:format.html><f:spaceless>{content}</f:spaceless></f:format.html>

If this is intended to not work anymore, sorry for bothering you.

Actions #6

Updated by Oliver Hader over 2 years ago

@Jöran, don't worry, these are scenarios that seem to be actually used - thus, I'm thinking about solutions here.

I've been working on a way to actually analyze other invocations causing sanitization trouble (just in case there are other occurrences besides the <f:format.html> you mentioned). Feel free to try out https://forge.typo3.org/issues/94837 and the installation/patching instructions that are currently required, as long as this patch is pending and not merged yet.

Actions #7

Updated by Jöran Kurschatke over 2 years ago

Okay, for now I quick-fixed it with my own DefaultSanitizerBuilder – thanks for the documentation there!

I'll check the new typo3/html-sanitizer package later this evening.

As solutions:

If needed anywhere and for documentation:

<?php
namespace My\Namespace\HtmlSanitizer;

use TYPO3\CMS\Core\Html\DefaultSanitizerBuilder;
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\BuilderInterface;

class MetaSanitizer extends DefaultSanitizerBuilder implements BuilderInterface
{
    public function createBehavior(): Behavior
    {
        // extends existing behavior, adds new tag
        // (<meta> is a void element, so ALLOW_CHILDREN has no practical effect here)
        return parent::createBehavior()
            ->withName('meta')
            ->withTags(
                (new Behavior\Tag('meta', Behavior\Tag::ALLOW_CHILDREN))
                    ->addAttrs(
                        new Behavior\Attr('content'),
                        ...$this->globalAttrs
                    )
            );
    }
}

and

$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer'] = [
    'default' => \My\Namespace\HtmlSanitizer\MetaSanitizer::class,
];

itemprop is not needed since it is part of the CommonBuilder::createGlobalAttrs() array.
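The following is an added example, not code from this issue or from the typo3/html-sanitizer project, showing the same approach built directly on the library's CommonBuilder (so it runs outside a TYPO3 installation, after `composer require typo3/html-sanitizer`) and, more importantly, what the resulting sanitizer does with `<meta>` tags that are *not* schema.org microdata. The class name MicrodataMetaBuilder and the sample HTML are constructed for this example.

```php
<?php
// Added example (not part of the issue or of typo3/html-sanitizer): allow <meta>
// for schema.org microdata while keeping the browser-relevant meta attributes
// (http-equiv, name, charset, property) out of editor-supplied content.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\CommonBuilder;

// Hypothetical builder name; it extends the library's CommonBuilder instead of
// the TYPO3-core DefaultSanitizerBuilder so the script needs no TYPO3 bootstrap.
final class MicrodataMetaBuilder extends CommonBuilder
{
    public function createBehavior(): Behavior
    {
        return parent::createBehavior()
            ->withTags(
                // PURGE_WITHOUT_ATTRS: a bare <meta> carries no microdata and is dropped.
                // Only `content` plus the global attributes (itemprop among them) are
                // declared, so http-equiv=, name=, charset= and property= are stripped.
                (new Behavior\Tag('meta', Behavior\Tag::PURGE_WITHOUT_ATTRS))
                    ->addAttrs(new Behavior\Attr('content'), ...$this->globalAttrs)
            );
    }
}

function sanitizeMicrodata(string $html): string
{
    return (new MicrodataMetaBuilder())->build()->sanitize($html);
}

// Constructed sample input: one legitimate schema.org <meta>, one <meta http-equiv="refresh">
// that editor content must never be able to inject, and one bare <meta>.
$input = '<div itemscope itemtype="https://schema.org/Product">'
    . '<meta itemprop="sku" content="ABC-123">'
    . '<meta http-equiv="refresh" content="0;url=https://attacker.example/">'
    . '<meta>'
    . '<span itemprop="name">Widget</span>'
    . '</div>';

echo sanitizeMicrodata($input), PHP_EOL;
```

Inspect the printed markup: the `itemprop`/`content` meta survives, the bare `<meta>` is purged, and the redirect meta loses its `http-equiv` attribute. A `<meta>` that carries only `content` is inert for browsers, so the refresh can no longer fire, but it is not removed outright; if you want such tags dropped entirely rather than neutralized, declare the attribute that must be present as mandatory (the library's Attr flags, assuming the installed version provides one for that) or add a custom visitor. Run it against a real content element from your site before switching `['SYS']['htmlSanitizer']['default']` to the new builder, and keep the sanitizer log from the issue description enabled while you do, since every other stripped tag shows up there the same way.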

Actions #8

Updated by Oliver Hader over 2 years ago

FYI: Added in https://github.com/TYPO3/html-sanitizer/commit/2fb9e716edfc051f0e407df39c0cc443e65568eb, will be part of typo3/html-sanitizer:2.0.9 then.

Actions #9

Updated by Oliver Hader over 2 years ago

  • Category changed from Frontend to Security
  • Status changed from Needs Feedback to Resolved
  • Assignee set to Oliver Hader
Actions #10

Updated by Oliver Hader over 2 years ago

  • Tracker changed from Bug to Task
  • Is Regression deleted (Yes)
Actions #11

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed