Bug #94866
Parent: Bug #94787 (closed): Tracking issue related to HTML sanitization issues
Generated onclick events for image-zoom, typolink and HMENU removed
Added by Oliver Hader over 3 years ago. Updated about 3 years ago.
Done: 100%
Description
ContentObjectRenderer and AbstractMenuContentObject are generating onclick attributes in order to trigger individual client-side functionality such as opening a link in a new window or showing a larger image.
Albeit this is not "nice" in general, a potential solution would be to allow those functions openPic and openWindow (needs to be exposed) in HTML sanitizer or the core.
Updated by Oliver Hader over 3 years ago
How to test?
config.debug = 0
page = PAGE
page.stdWrap.parseFunc = 1
page.10 = TEXT
page.10 {
  value = Link
  typolink.parameter = / 200x300
}
page.20 = IMAGE
page.20 {
  file = fileadmin/introduction/images/unsplash/annie-spratt-604129-unsplash.jpg
  file.width = 80
  imageLinkWrap = 1
  imageLinkWrap {
    enable = 1
    JSwindow = 1
  }
}
page.30 = HMENU
page.30 {
  special = directory
  // adjust to valid page ID having sub-pages
  special.value = 1
  JSWindow = 1
  1 = TMENU
  1.JSWindow = 1
  1.NO = 1
  1.NO {
    stdWrap.htmlSpecialChars = 1
  }
}
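The three cases in the test setup above all rely on a generated onclick attribute, which is exactly what an HTML sanitizer removes. The following is an added example, not TYPO3 code and not the typo3/html-sanitizer implementation: a minimal stand-in sanitizer in Python that drops on* event-handler attributes and script-scheme URLs, run over constructed sample markup modelled on the typolink, imageLinkWrap and HMENU output (the exact attribute values, the data-window-* attribute names and the file paths are assumptions). It shows why the generated handlers cannot survive sanitization, and that the same links expressed with data-* attributes and bound by a separate script pass through unchanged.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample markup (assumption, not TYPO3's exact output) modelled on
# the three cases in the test TypoScript: a typolink with a WIDTHxHEIGHT target,
# an imageLinkWrap with JSwindow, and an HMENU with JSWindow.
GENERATED_HTML = (
    '<a href="/" onclick="openWindow(\'/\',\'\',\'width=200,height=300\');return false;">Link</a>'
    '<a href="/fileadmin/big.jpg" onclick="openPic(\'/fileadmin/big.jpg\',\'thePicture\',\'width=800\');return false;">'
    '<img src="/fileadmin/small.jpg" width="80" alt=""></a>'
    '<ul><li><a href="/sub" onclick="openWindow(\'/sub\');return false;">Sub page</a></li></ul>'
)

# The same links with the behaviour described by data-* attributes (assumed
# names) instead of inline script; a separate, non-inline script would bind
# the click handlers and read these attributes.
REWRITTEN_HTML = (
    '<a href="/" data-window-features="width=200,height=300">Link</a>'
    '<a href="/fileadmin/big.jpg" data-window-name="thePicture" data-window-features="width=800">'
    '<img src="/fileadmin/small.jpg" width="80" alt=""></a>'
    '<ul><li><a href="/sub" data-window-features="">Sub page</a></li></ul>'
)

URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
_CONTROL = re.compile(r"[\s\x00-\x1f]")


class Sanitizer(HTMLParser):
    """Minimal stand-in for an HTML sanitizer (not TYPO3's implementation):
    drops every on* event-handler attribute and every URL attribute whose
    scheme is a script scheme, and re-serialises everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropped = []  # (tag, attribute) pairs that were removed

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.dropped.append((tag, lname))
                continue
            if lname in URL_ATTRIBUTES and value is not None:
                # Remove whitespace/control characters before checking the
                # scheme so "java\tscript:" style obfuscation is caught too.
                compact = _CONTROL.sub("", value).lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.dropped.append((tag, lname))
                    continue
            kept.append((lname, value))
        self.parts.append("<" + tag + _serialise_attrs(kept) + ">")

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax (<img ... />) is emitted as a plain start tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.parts.append("</" + tag + ">")

    def handle_data(self, data):
        # Text is re-escaped so entities cannot smuggle markup back in.
        self.parts.append(html.escape(data, quote=False))


def _serialise_attrs(attrs):
    out = []
    for name, value in attrs:
        if value is None:
            out.append(" " + name)
        else:
            out.append(' %s="%s"' % (name, html.escape(value, quote=True)))
    return "".join(out)


def sanitize(fragment):
    """Return (clean_html, dropped) for an HTML fragment."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts), parser.dropped


if __name__ == "__main__":
    for label, markup in (("generated", GENERATED_HTML), ("rewritten", REWRITTEN_HTML)):
        clean, dropped = sanitize(markup)
        print(label, "dropped:", dropped)
        print(clean)
```

Running it shows all three onclick attributes stripped from the generated markup, which leaves plain links and loses the window/zoom behaviour, while the data-* variant round-trips unchanged. Allowing specific function names such as openPic or openWindow inside onclick, as the description floats, would require the sanitizer to parse the handler's JavaScript to be sure that nothing else is in it; keeping the behaviour out of the markup and binding it from a separate script avoids that problem, which is the direction the resolved change takes.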
Updated by Gerrit Code Review over 3 years ago
- Status changed from In Progress to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70551
Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70551
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70577
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70578
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584
Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70578
Updated by Helmut Hummel over 3 years ago
- Status changed from Under Review to Needs Feedback
> page.stdWrap.parseFunc = 1
Do we really need to stay backwards compatible with something like that?
And if so, isn't that resolved with #94786 as html sanitize is now disabled by default?
Updated by Oliver Hader over 3 years ago
Helmut Hummel wrote in #note-9:
> page.stdWrap.parseFunc = 1
> Do we really need to stay backwards compatible with something like that?
parseFunc = 1 is still a regular stdWrap functionality. In this example it is used to trigger HTML parser(!) and HTML sanitizer(!) - at the time of having created this issue, htmlSanitize = 1 was still enabled per default.
> And if so, isn't that resolved with #94786 as html sanitize is now disabled by default?
No, htmlSanitize is disabled with #94786 when parseFunc gets called directly in TypoScript. In case lib.parseFunc is used (e.g. stdWrap.parseFunc = < lib.parseFunc), htmlSanitize is still enabled when using ext:fluid_styled_content, see https://github.com/TYPO3/typo3/blob/v10.4.19/typo3/sysext/fluid_styled_content/Configuration/TypoScript/Helper/ParseFunc.typoscript#L44
Having htmlSanitize enabled per default in ContentObjectRenderer::parseFunc aimed to protect those scenarios that cleared their TypoScript libs, like lib.parseFunc > or lib.parseFunc_RTE >.
Updated by Helmut Hummel over 3 years ago
- Status changed from Needs Feedback to Accepted
ah, ok, seems like link wizard in RTE is able to produce this onclick attribute
Updated by Gerrit Code Review over 3 years ago
- Status changed from Accepted to Under Review
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70551
Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70577
Updated by Gerrit Code Review over 3 years ago
Patch set 3 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70578
Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584
Updated by Oliver Hader over 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset b2d9f4ece5e20588d90a74e055f4d747f6d6820a.