Task #94836
closed
Bug #94787: Tracking issue related to HTML sanitization issues
<meta> gets sanitized
Added by Jöran Kurschatke over 3 years ago.
Updated about 3 years ago.
Description
I am using <meta itemprop="xyz" content="xzy"> for implementing schema.org Schemata. These get sanitized in 10.4.19:
Thu, 12 Aug 2021 13:59:09 +0200 [DEBUG] request="8adc0a122842f" component="TYPO3.HtmlSanitizer.Visitor.CommonVisitor": Found unexpected tag {nodeName} - {"behavior":"default","nodeName":"meta"}
Should these be a default for the default sanitizer?
Related to #94787
- Related to Bug #94787: Tracking issue related to HTML sanitization issues added
- Status changed from New to Accepted
- Status changed from Accepted to Needs Feedback
Is the <meta> tag coming from a rich-text input field (I doubt it does)?
- Parent task set to #94787
Oliver Hader wrote in #note-3:
Is the <meta> tag coming from a rich-text input field (I doubt it does)?
No, it is not, but I thought it may relate to this issue, since it occurs after the update and gets a log entry. It is part of a content string that gets rendered with <f:format.html> from Fluid.
content = CONTENT
content {
  table = tt_content
  select {
    orderBy = sorting
    where = colPos=0
    languageField = sys_language_uid
  }
}
and
<f:format.html><f:spaceless>{content}</f:spaceless></f:format.html>
If this is intended to not work anymore, sorry for bothering you.
@Jöran, don't worry, these are scenarios that seem to be actually used - thus, I'm thinking about solutions here.
I've been working on a way to actually analyze other invocations causing sanitization trouble (just in case there are other occurrences besides the <f:format.html> you mentioned). Feel free to try out https://forge.typo3.org/issues/94837 and the installation/patching instructions that are currently required - as long as this patch is pending and not merged yet.
Okay for now, I quick-fixed it with my own DefaultSanitizerBuilder – thanks for the documentation there!
I'll check the new typo3/html-sanitizer package later this evening.
As solutions:
If needed anywhere and for documentation:
namespace My\Namespace\HtmlSanitizer;

use TYPO3\CMS\Core\Html\DefaultSanitizerBuilder;
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\BuilderInterface;

class MetaSanitizer extends DefaultSanitizerBuilder implements BuilderInterface
{
    public function createBehavior(): Behavior
    {
        // extends existing behavior, adds new tag
        return parent::createBehavior()
            ->withName('meta')
            ->withTags(
                (new Behavior\Tag('meta', Behavior\Tag::ALLOW_CHILDREN))
                    ->addAttrs(
                        new Behavior\Attr('content'),
                        ...$this->globalAttrs
                    )
            );
    }
}
and
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer'] = [
    'default' => \My\Namespace\HtmlSanitizer\MetaSanitizer::class
];
itemprop is not needed since it is part of the CommonBuilder::createGlobalAttrs() array.
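Added example, not part of the thread and not TYPO3 code: a standalone check that the <meta> rule above lets the schema.org attributes through while still dropping attributes that were not allowed. It assumes typo3/html-sanitizer is installed with Composer in the script's directory; MetaCheckBuilder is a hypothetical name and extends the library's CommonBuilder instead of TYPO3's DefaultSanitizerBuilder so that it runs outside a TYPO3 installation.

```php
<?php
// Added example; assumes `composer require typo3/html-sanitizer` was run here.
require_once __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\CommonBuilder;

// Hypothetical stand-in for MetaSanitizer: same <meta> rule, but based on the
// library's CommonBuilder so it runs without a TYPO3 installation.
final class MetaCheckBuilder extends CommonBuilder
{
    public function createBehavior(): Behavior
    {
        return parent::createBehavior()
            ->withName('meta-check')
            ->withTags(
                (new Behavior\Tag('meta', Behavior\Tag::ALLOW_CHILDREN))
                    ->addAttrs(new Behavior\Attr('content'), ...$this->globalAttrs)
            );
    }
}

$default = (new CommonBuilder())->build();
$custom = (new MetaCheckBuilder())->build();

// Constructed inputs: the microdata tag from the report, and a <meta> that
// carries an attribute the rule above does not allow.
$microdata = '<meta itemprop="xyz" content="xzy">';
$extraAttr = '<meta http-equiv="refresh" content="30">';

$checks = [
    'default builder does not emit <meta>' =>
        strpos($default->sanitize($microdata), '<meta') === false,
    'custom builder keeps itemprop and content' =>
        strpos($custom->sanitize($microdata), 'itemprop="xyz"') !== false
        && strpos($custom->sanitize($microdata), 'content="xzy"') !== false,
    'custom builder drops http-equiv' =>
        strpos($custom->sanitize($extraAttr), 'http-equiv') === false,
];

// Print one line per check and exit non-zero if any expectation failed.
foreach ($checks as $label => $ok) {
    printf("%-45s %s\n", $label, $ok ? 'ok' : 'FAIL');
}
exit(in_array(false, $checks, true) ? 1 : 0);
```

Run it from the command line after changing the builder; a FAIL on the last check means the allowlist for <meta> has grown beyond content and the global attributes.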
- Category changed from Frontend to Security
- Status changed from Needs Feedback to Resolved
- Assignee set to Oliver Hader
- Tracker changed from Bug to Task
- Is Regression deleted (Yes)
- Status changed from Resolved to Closed