Bug #94917: styles.content.allowTags not working, renderd iframe as <iframe> - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (6)

Česlav Przywara
Georg Ringer
Hartmut Steglich
Reindl Bernd
Timo Webler
Tobias Schmidt

Actions

Copy link

Bug #94917

closed

styles.content.allowTags not working, renderd iframe as <iframe>

Added by Peter Friesen over 3 years ago. Updated 6 months ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2021-08-17

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

7.4

Tags:

sanitizeHtml, html-sanitizer

Complexity:

Is Regression:

Sprint Focus:

Description

I run a small news website. I sometimes put iframe html-code in tx_news articles.

With TYPO3 10.4.19

<iframe src="..."></iframe>

will be transformed into

&lt;iframe src=&quot;...&quot;&gt;&lt;/iframe&gt;

after saving the article in ckeditor.

Since TYPO3 10.4.20, the iframe-code will be saved correctly in the editor. But unfortunately it is still rendering incorrectly on the homepage.

I have following in my template constants. I successfully checked it with TypoScript-Object-Browser.

styles.content.allowTags:= addToList(iframe)

In ckeditor preset yaml i have this (excerpt):

processing:
  allowTags:
    - iframe
    - img

editor:
    config:
        extraAllowedContent: "iframe,img"

It seems to be an additional problem with htmlSanitize.

Thanks :)

Files

Download all files

clipboard-202111081500-osztj.png (7.29 KB) clipboard-202111081500-osztj.png		Reindl Bernd, 2021-11-08 14:00
clipboard-202111081501-zlppo.png (21 KB) clipboard-202111081501-zlppo.png		Reindl Bernd, 2021-11-08 14:01

Related issues 1 (0 open — 1 closed)

Has duplicate TYPO3 Core - Bug #95903: iFrame is escaped in output since version 10.4.18?

Closed

2021-11-08

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Oliver Hader about 3 years ago

Status changed from New to Needs Feedback

The scope of recent updates with HTML sanitizer were to avoid cross-site scripting, allowTags = iframe allowed the whole tag, without further restricting element attributes. As a result, the following scenarios were possible and considered cross-site scripting:

    <iframe src="javascript:alert(1)"></iframe>
    <iframe src="/anything.html" onload="alert(2)"></iframe>

Possible changes for local site¶

In case you are the only one submitting content to that site, you most probably can disable HTML sanitizer by corresponding feature flag security.frontend.htmlSanitizeParseFuncDefault completely - or adjust processing for that corresponding news template or TypoScript configuration.

→ see https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html

Alternatively, you also could override the default builder and add Behavior\Tag('iframe') with corresponding attributes you're using.

→ see https://gist.github.com/ohader/2239dab247e18d23e677fd1b816f4fd5 as an example

Add `iframe` in HTML sanitizer¶

The overall goal in HTML sanitizer is to avoid cross-site scripting - just allowing iframe without further restrictions and corresponding manual tests would contradict the goals in general. However, it is of course possible to do that - it's work, it just requires time and more automated test-cases.

Actions

Copy link

Updated by Peter Friesen about 3 years ago

Many thanks for the answer. I understand the problem of allowing unchecked iframes. In my case it is not a problem because only I enter the content. Of course it would be great if html-sanitizer supports iframe. I'll try the solution with Behavior\Tag(). Thank you!

Actions

Copy link

Updated by Reindl Bernd about 3 years ago

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

Actions

Copy link

Updated by Oliver Hader about 3 years ago

Reindl Bernd wrote in #note-3:

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

Can those image map items be declared as rich-text content within CKEditor (or similar)? If not, please consider moving them out of <f:format.html> sections (or whatever triggers sanitization of that part of your templates, see https://github.com/TYPO3/html-sanitizer/issues/23).

Existing capabilities of TypoScript HTMLparser were not sufficient to declare secure/allowed markup nodes - that's why package typo3/html-sanitizer has been integrated to have a strict handling to avoid cross-site scripting.

→ please see my comments at https://github.com/TYPO3/html-sanitizer/issues/70#issuecomment-963059852 demonstrating how easy it is to have insecure TypoScript settings

Actions

Copy link Download all files

Updated by Reindl Bernd about 3 years ago

File clipboard-202111081500-osztj.png clipboard-202111081500-osztj.png added
File clipboard-202111081501-zlppo.png clipboard-202111081501-zlppo.png added

They are not inside <f:format.html>.
The <map> tag is inside a partial which is called by a FLUIDTEMPLATE

It wasn't like this before 10.4.20. It seems that since 10.4.20 the whole FLUIDTEMPLATE is parsed with html-sanitizer.

Best regards
Bernd

Oliver Hader wrote in #note-4:

Reindl Bernd wrote in #note-3:

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

Can those image map items be declared as rich-text content within CKEditor (or similar)? If not, please consider moving them out of <f:format.html> sections (or whatever triggers sanitization of that part of your templates, see https://github.com/TYPO3/html-sanitizer/issues/23).

Existing capabilities of TypoScript HTMLparser were not sufficient to declare secure/allowed markup nodes - that's why package typo3/html-sanitizer has been integrated to have a strict handling to avoid cross-site scripting.

→ please see my comments at https://github.com/TYPO3/html-sanitizer/issues/70#issuecomment-963059852 demonstrating how easy it is to have insecure TypoScript settings

Actions

Copy link

Updated by Oliver Hader about 3 years ago

Related to Bug #95903: iFrame is escaped in output since version 10.4.18? added

Actions

Copy link

Updated by Oliver Hader about 3 years ago

Related to deleted (Bug #95903: iFrame is escaped in output since version 10.4.18?)

Actions

Copy link

Updated by Oliver Hader about 3 years ago

Has duplicate Bug #95903: iFrame is escaped in output since version 10.4.18? added

Actions

Copy link

Updated by Oliver Hader almost 3 years ago

I've created a pull-request at https://github.com/TYPO3/html-sanitizer/pull/74 which actually would allow iframe - currently in custom sanitizer scenarios - relying on the mandatory sandbox attribute.

Actions

Copy link

#10

Updated by Georg Ringer 6 months ago

Status changed from Needs Feedback to Closed

nothing to do, closing issue

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (6)

Bug #94917

styles.content.allowTags not working, renderd iframe as <iframe>

Updated by Oliver Hader about 3 years ago

Possible changes for local site¶

Add `iframe` in HTML sanitizer¶

Updated by Peter Friesen about 3 years ago

Updated by Reindl Bernd about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Reindl Bernd about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Oliver Hader almost 3 years ago

Updated by Georg Ringer 6 months ago

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (6)

Bug #94917

styles.content.allowTags not working, renderd iframe as &lt;iframe&gt;

Updated by Oliver Hader about 3 years ago

Possible changes for local site¶

Add iframe in HTML sanitizer¶

Updated by Peter Friesen about 3 years ago

Updated by Reindl Bernd about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Reindl Bernd about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Oliver Hader about 3 years ago

Updated by Oliver Hader almost 3 years ago

Updated by Georg Ringer 6 months ago

styles.content.allowTags not working, renderd iframe as <iframe>

Add `iframe` in HTML sanitizer¶