Bug #94866

Bug #94787: Tracking issue related to HTML sanitization issues

Generated onclick events for image-zoom, typolink and HMENU removed

Added by Oliver Hader 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2021-08-13
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

ContentObjectRender and AbstractMenuContentObject are generating onclick attributes in order to trigger individual client-side functionality such as opening a link in a new window or showing larger image.

Albeit this is not "nice" in general, a potential solution would be to allow those functions openPic and openWindow (needs to be exposed) in HTML sanitizer or the core.

#1

Updated by Oliver Hader 2 months ago

  • Status changed from New to In Progress
#2

Updated by Oliver Hader 2 months ago

How to test?

config.debug = 0

page = PAGE
page.stdWrap.parseFunc = 1

page.10 = TEXT
page.10 {
  value = Link
  typolink.parameter = / 200x300
}

page.20 = IMAGE
page.20 {
   file = fileadmin/introduction/images/unsplash/annie-spratt-604129-unsplash.jpg
   file.width = 80
   imageLinkWrap = 1
   imageLinkWrap {
      enable = 1
      JSwindow = 1
   }
}

page.30 = HMENU
page.30 {
  special = directory
  special.value = 1 // adjust to valid page ID having sub-pages
  JSWindow = 1
  1 = TMENU
  1.JSWindow = 1
  1.NO = 1
  1.NO {
    stdWrap.htmlSpecialChars = 1
  }
}
#3

Updated by Gerrit Code Review 2 months ago

  • Status changed from In Progress to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70551

#4

Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70551

#5

Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70577

#6

Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70578

#7

Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584

#8

Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70578

#9

Updated by Helmut Hummel 2 months ago

  • Status changed from Under Review to Needs Feedback
page.stdWrap.parseFunc = 1

Do we really need to stay backwards compatible with something like that?
And if so, isn't that resolved with #94786 as html sanitize is now disabled by default?

#10

Updated by Oliver Hader 2 months ago

Helmut Hummel wrote in #note-9:

page.stdWrap.parseFunc = 1

Do we really need to stay backwards compatible with something like that?

parseFunc = 1 is still a regular stdWrap functionality. In this example it is used to trigger HTML parser(!) and HTML sanitizer(!) - at the time of having created this issue, htmlSanitize = 1 was still enabled per default.

And if so, isn't that resolved with #94786 as html sanitize is now disabled by default?

No, htmlSanitize is disabled with #94786 when parseFunc gets called directly in TypoScript.

In case lib.parseFunc is used (e.g. stdWrap.parseFunc = < lib.parseFunc), htmlSanitize is still enabled when using ext:fluid_styled_content, see https://github.com/TYPO3/typo3/blob/v10.4.19/typo3/sysext/fluid_styled_content/Configuration/TypoScript/Helper/ParseFunc.typoscript#L44

Having htmlSanitize enabled per default in ContentObjectRenderer::parseFunc aimed to protect those scenarios that cleared their TypoScript libs, like lib.parseFunc > or lib.parseFunc_RTE >.

#11

Updated by Helmut Hummel 2 months ago

  • Status changed from Needs Feedback to Accepted

ah, ok, seems like link wizard in RTE is able to produce this onlick attribute

#12

Updated by Gerrit Code Review 2 months ago

  • Status changed from Accepted to Under Review

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70551

#13

Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70577

#14

Updated by Gerrit Code Review 2 months ago

Patch set 3 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70578

#15

Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584

#16

Updated by Oliver Hader 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#17

Updated by Benni Mack about 1 month ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF