TYPO3 Core

The scope of recent updates with HTML sanitizer were to avoid cross-site scripting, allowTags = iframe allowed the whole tag, without further restricting element attributes. As a result, the following scenarios were possible and considered cross-site scripting:

    <iframe src="javascript:alert(1)"></iframe>
    <iframe src="/anything.html" onload="alert(2)"></iframe>

Possible changes for local site¶

In case you are the only one submitting content to that site, you most probably can disable HTML sanitizer by corresponding feature flag security.frontend.htmlSanitizeParseFuncDefault completely - or adjust processing for that corresponding news template or TypoScript configuration.

→ see https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.html

Alternatively, you also could override the default builder and add Behavior\Tag('iframe') with corresponding attributes you're using.

→ see https://gist.github.com/ohader/2239dab247e18d23e677fd1b816f4fd5 as an example

Add iframe in HTML sanitizer¶

The overall goal in HTML sanitizer is to avoid cross-site scripting - just allowing iframe without further restrictions and corresponding manual tests would contradict the goals in general. However, it is of course possible to do that - it's work, it just requires time and more automated test-cases.

They are not inside <f:format.html>.
The <map> tag is inside a partial which is called by a FLUIDTEMPLATE

It wasn't like this before 10.4.20. It seems that since 10.4.20 the whole FLUIDTEMPLATE is parsed with html-sanitizer.

Best regards
Bernd

Oliver Hader wrote in #note-4:

Reindl Bernd wrote in #note-3:

I have the same problem with <img usemap=""> and <map>...</map>.

Overriding a class is not a good solution. What happens if more than one extension want to add a Behavior.
Why didn't make this configurable via TypoScript?
So the page admin (And extension developer) can configure the sanitizer.

Can those image map items be declared as rich-text content within CKEditor (or similar)? If not, please consider moving them out of <f:format.html> sections (or whatever triggers sanitization of that part of your templates, see https://github.com/TYPO3/html-sanitizer/issues/23).

Existing capabilities of TypoScript HTMLparser were not sufficient to declare secure/allowed markup nodes - that's why package typo3/html-sanitizer has been integrated to have a strict handling to avoid cross-site scripting.

→ please see my comments at https://github.com/TYPO3/html-sanitizer/issues/70#issuecomment-963059852 demonstrating how easy it is to have insecure TypoScript settings