Bug #94917 (Status: Closed)
styles.content.allowTags not working, rendered iframe as <iframe>
Description
I run a small news website. I sometimes put iframe html-code in tx_news articles.
With TYPO3 10.4.19
<iframe src="..."></iframe>
will be transformed into the escaped form
&lt;iframe src="..."&gt;&lt;/iframe&gt;
after saving the article in ckeditor.
Since TYPO3 10.4.20, the iframe-code will be saved correctly in the editor. But unfortunately it is still rendering incorrectly on the homepage.
I have the following in my template constants. I successfully checked it with the TypoScript Object Browser.
styles.content.allowTags := addToList(iframe)
In the CKEditor preset YAML I have this (excerpt):
processing:
  allowTags:
    - iframe
    - img
editor:
  config:
    extraAllowedContent: "iframe,img"
It seems to be an additional problem with htmlSanitize.
Thanks :)
Updated by Oliver Hader about 3 years ago
- Status changed from New to Needs Feedback
The scope of recent updates with HTML sanitizer was to avoid cross-site scripting; allowTags = iframe allowed the whole tag, without further restricting element attributes. As a result, the following scenarios were possible and considered cross-site scripting:
<iframe src="javascript:alert(1)"></iframe>
<iframe src="/anything.html" onload="alert(2)"></iframe>
Possible changes for local site
In case you are the only one submitting content to that site, you most probably can disable HTML sanitizer by the corresponding feature flag security.frontend.htmlSanitizeParseFuncDefault completely - or adjust processing for that corresponding news template or TypoScript configuration.
Alternatively, you also could override the default builder and add Behavior\Tag('iframe') with the corresponding attributes you're using.
→ see https://gist.github.com/ohader/2239dab247e18d23e677fd1b816f4fd5 as an example
Add iframe in HTML sanitizer
The overall goal in HTML sanitizer is to avoid cross-site scripting - just allowing iframe without further restrictions and corresponding manual tests would contradict the goals in general. However, it is of course possible to do that - it's work, it just requires time and more automated test-cases.
Updated by Peter Friesen about 3 years ago
Many thanks for the answer. I understand the problem of allowing unchecked iframes. In my case it is not a problem because only I enter the content. Of course it would be great if html-sanitizer supports iframe. I'll try the solution with Behavior\Tag(). Thank you!
Updated by Reindl Bernd about 3 years ago
I have the same problem with <img usemap=""> and <map>...</map>.
Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.
Updated by Oliver Hader about 3 years ago
Reindl Bernd wrote in #note-3:
I have the same problem with <img usemap=""> and <map>...</map>.
Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.
Can those image map items be declared as rich-text content within CKEditor (or similar)? If not, please consider moving them out of <f:format.html> sections (or whatever triggers sanitization of that part of your templates, see https://github.com/TYPO3/html-sanitizer/issues/23).
Existing capabilities of TypoScript HTMLparser were not sufficient to declare secure/allowed markup nodes - that's why package typo3/html-sanitizer has been integrated to have a strict handling to avoid cross-site scripting.
→ please see my comments at https://github.com/TYPO3/html-sanitizer/issues/70#issuecomment-963059852 demonstrating how easy it is to have insecure TypoScript settings
Updated by Reindl Bernd about 3 years ago
- File clipboard-202111081500-osztj.png clipboard-202111081500-osztj.png added
- File clipboard-202111081501-zlppo.png clipboard-202111081501-zlppo.png added
They are not inside <f:format.html>.
The <map> tag is inside a partial which is called by a FLUIDTEMPLATE
It wasn't like this before 10.4.20. It seems that since 10.4.20 the whole FLUIDTEMPLATE is parsed with html-sanitizer.
Best regards
Bernd
Updated by Oliver Hader about 3 years ago
- Related to Bug #95903: iFrame is escaped in output since version 10.4.18? added
Updated by Oliver Hader about 3 years ago
- Related to deleted (Bug #95903: iFrame is escaped in output since version 10.4.18?)
Updated by Oliver Hader about 3 years ago
- Has duplicate Bug #95903: iFrame is escaped in output since version 10.4.18? added
Updated by Oliver Hader almost 3 years ago
I've created a pull-request at https://github.com/TYPO3/html-sanitizer/pull/74 which actually would allow iframe - currently in custom sanitizer scenarios - relying on the mandatory sandbox attribute.
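As an added example for this thread (constructed here; it is not typo3/html-sanitizer code, not the gist from note-2 and not the pull request above), the following Python toy sanitizer contrasts the two approaches discussed: a tag-only allow-list in the spirit of allowTags = iframe, which trusts the whole tag including its attributes, versus a tag declaration that also restricts attributes and requires a sandbox attribute, in the spirit of Behavior\Tag('iframe') with declared attributes plus the mandatory sandbox from the pull request. The two payloads from note-2 are used as input; the attribute regexes, the function names and the remaining sample iframes are assumptions made for this example. Like the real sanitizer's encode behaviour, rejected markup is encoded rather than dropped, which is the literal <iframe ...> text the reporter saw in the frontend.

```python
"""Toy allow-list sanitizer, constructed for this thread (not typo3/html-sanitizer
code), contrasting a tag-only allow-list with a tag + attribute declaration."""
import re
from html import escape
from html.parser import HTMLParser

# Attribute policy for <iframe>: name -> regex the whole value must match.
# Assumed for this example; the real library declares this with Behavior\Tag
# and Behavior\Attr objects instead of a dict.
IFRAME_ATTRS = {
    "src": re.compile(r"https://[^\s\"'<>]+"),   # absolute https URLs only
    "width": re.compile(r"[0-9]+"),
    "height": re.compile(r"[0-9]+"),
    "sandbox": re.compile(r"(allow-(scripts|same-origin|forms|popups)( +|$))*"),
}
IFRAME_MANDATORY = {"sandbox"}   # attribute that must be present, as in the PR


class _AllowListSanitizer(HTMLParser):
    def __init__(self, allowed_tags, attr_policy, mandatory, tag_only):
        super().__init__()           # convert_charrefs=True: text arrives decoded
        self.allowed_tags = set(allowed_tags)
        self.attr_policy = attr_policy
        self.mandatory = mandatory
        self.tag_only = tag_only
        self.out = []
        self._rejected = []          # open tags whose start tag was encoded

    def _encode_invalid(self, tag):
        # Rejected markup is encoded, not dropped: this is what the reporter
        # saw when the iframe was printed literally as "<iframe ...>".
        self.out.append(escape(self.get_starttag_text(), quote=False))
        self._rejected.append(tag)

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            self._encode_invalid(tag)
            return
        if self.tag_only:
            # allowTags-style: the tag is trusted wholesale, attributes included
            self.out.append(self.get_starttag_text())
            return
        policy = self.attr_policy.get(tag, {})
        kept = []
        for name, value in attrs:
            value = "" if value is None else value      # bare attribute, e.g. sandbox
            if name in policy and policy[name].fullmatch(value):
                kept.append((name, value))
        if not self.mandatory.get(tag, set()) <= {n for n, _ in kept}:
            self._encode_invalid(tag)                   # e.g. sandbox missing
            return
        rendered = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        rejected = bool(self._rejected) and self._rejected[-1] == tag
        if tag in self.allowed_tags and not rejected:
            self.out.append("</%s>" % tag)
            return
        if rejected:
            self._rejected.pop()
        self.out.append(escape("</%s>" % tag, quote=False))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_tag_only(html, allowed_tags=("p", "iframe")):
    """Models allowTags = iframe: the tag passes and attributes are never inspected."""
    parser = _AllowListSanitizer(allowed_tags, {}, {}, tag_only=True)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def sanitize_with_attr_policy(html, allowed_tags=("p", "iframe")):
    """Models a tag declaration with restricted attributes and a mandatory sandbox."""
    parser = _AllowListSanitizer(allowed_tags, {"iframe": IFRAME_ATTRS},
                                 {"iframe": IFRAME_MANDATORY}, tag_only=False)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed samples: the first two are the payloads quoted in note-2.
SAMPLES = {
    "js-url": '<iframe src="javascript:alert(1)"></iframe>',
    "onload": '<iframe src="/anything.html" onload="alert(2)"></iframe>',
    "no-sandbox": '<iframe src="https://example.org/embed"></iframe>',
    "ok": '<iframe src="https://example.org/embed" width="640" sandbox="allow-scripts"></iframe>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print("%-10s tag-only : %s" % (name, sanitize_tag_only(html)))
        print("%-10s with attrs: %s" % ("", sanitize_with_attr_policy(html)))
```

Run stand-alone, the script shows that the tag-only mode passes both payloads from note-2 through untouched, while the attribute-aware mode encodes them (wrong URL scheme, undeclared onload, no sandbox) and only lets the https iframe with a sandbox attribute through, with any undeclared attribute stripped from it.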
Updated by Georg Ringer 6 months ago
- Status changed from Needs Feedback to Closed
nothing to do, closing issue