Bug #94917

styles.content.allowTags not working, renderd iframe as <iframe>

Added by Peter Friesen 3 months ago. Updated 19 days ago.

Status:
Needs Feedback
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2021-08-17
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
sanitizeHtml, html-sanitizer
Complexity:
Is Regression:
Sprint Focus:

Description

I run a small news website. I sometimes put iframe html-code in tx_news articles.

With TYPO3 10.4.19

<iframe src="..."></iframe>

will be transformed into
&lt;iframe src=&quot;...&quot;&gt;&lt;/iframe&gt;

after saving the article in ckeditor.

Since TYPO3 10.4.20, the iframe-code will be saved correctly in the editor. But unfortunately it is still rendering incorrectly on the homepage.

I have following in my template constants. I successfully checked it with TypoScript-Object-Browser.

styles.content.allowTags:= addToList(iframe)

In ckeditor preset yaml i have this (excerpt):
processing:
  allowTags:
    - iframe
    - img

editor:
    config:
        extraAllowedContent: "iframe,img" 

It seems to be an additional problem with htmlSanitize.

Thanks :)


Files


Related issues

Has duplicate TYPO3 Core - Bug #95903: iFrame is escaped in output since version 10.4.18?Closed2021-11-08

Actions
#1

Updated by Oliver Hader 3 months ago

  • Status changed from New to Needs Feedback

The scope of recent updates with HTML sanitizer were to avoid cross-site scripting, allowTags = iframe allowed the whole tag, without further restricting element attributes. As a result, the following scenarios were possible and considered cross-site scripting:

    <iframe src="javascript:alert(1)"></iframe>
    <iframe src="/anything.html" onload="alert(2)"></iframe>

Possible changes for local site

In case you are the only one submitting content to that site, you most probably can disable HTML sanitizer by corresponding feature flag security.frontend.htmlSanitizeParseFuncDefault completely - or adjust processing for that corresponding news template or TypoScript configuration.

→ see https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html

Alternatively, you also could override the default builder and add Behavior\Tag('iframe') with corresponding attributes you're using.

→ see https://gist.github.com/ohader/2239dab247e18d23e677fd1b816f4fd5 as an example

Add iframe in HTML sanitizer

The overall goal in HTML sanitizer is to avoid cross-site scripting - just allowing iframe without further restrictions and corresponding manual tests would contradict the goals in general. However, it is of course possible to do that - it's work, it just requires time and more automated test-cases.

#2

Updated by Peter Friesen 3 months ago

Many thanks for the answer. I understand the problem of allowing unchecked iframes. In my case it is not a problem because only I enter the content. Of course it would be great if html-sanitizer supports iframe. I'll try the solution with Behavior\Tag(). Thank you!

#3

Updated by Reindl Bernd 2 months ago

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

#4

Updated by Oliver Hader 19 days ago

Reindl Bernd wrote in #note-3:

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

Can those image map items be declared as rich-text content within CKEditor (or similar)? If not, please consider moving them out of <f:format.html> sections (or whatever triggers sanitization of that part of your templates, see https://github.com/TYPO3/html-sanitizer/issues/23).

Existing capabilities of TypoScript HTMLparser were not sufficient to declare secure/allowed markup nodes - that's why package typo3/html-sanitizer has been integrated to have a strict handling to avoid cross-site scripting.

→ please see my comments at https://github.com/TYPO3/html-sanitizer/issues/70#issuecomment-963059852 demonstrating how easy it is to have insecure TypoScript settings

#5

Updated by Reindl Bernd 19 days ago

They are not inside <f:format.html>.
The <map> tag is inside a partial which is called by a FLUIDTEMPLATE

It wasn't like this before 10.4.20. It seems that since 10.4.20 the whole FLUIDTEMPLATE is parsed with html-sanitizer.

Best regards
Bernd

Oliver Hader wrote in #note-4:

Reindl Bernd wrote in #note-3:

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

Can those image map items be declared as rich-text content within CKEditor (or similar)? If not, please consider moving them out of <f:format.html> sections (or whatever triggers sanitization of that part of your templates, see https://github.com/TYPO3/html-sanitizer/issues/23).

Existing capabilities of TypoScript HTMLparser were not sufficient to declare secure/allowed markup nodes - that's why package typo3/html-sanitizer has been integrated to have a strict handling to avoid cross-site scripting.

→ please see my comments at https://github.com/TYPO3/html-sanitizer/issues/70#issuecomment-963059852 demonstrating how easy it is to have insecure TypoScript settings

#6

Updated by Oliver Hader 11 days ago

  • Related to Bug #95903: iFrame is escaped in output since version 10.4.18? added
#7

Updated by Oliver Hader 11 days ago

  • Related to deleted (Bug #95903: iFrame is escaped in output since version 10.4.18?)
#8

Updated by Oliver Hader 11 days ago

  • Has duplicate Bug #95903: iFrame is escaped in output since version 10.4.18? added

Also available in: Atom PDF