Bug #95158

HtmlSanitizer accidentally enforced again due to sys_note changes

Added by Oliver Hader 11 months ago. Updated 10 months ago.

Status: Closed
Priority: Should have
Category: Security
Start date: 2021-09-10
% Done: 100%
Estimated time: (Total: 0.00 h)
TYPO3 Version: 11

Description

Issue #67556 introduced a default configuration to be able to render links (anchor tags) in the sys_note representation in the backend context. Side note: usually the backend context does not have any frontend TypoScript configuration in lib.parseFunc_RTE; that's why links defined in the RTE were not substituted.

As a negative side-effect, <f:format.html parseFuncTSPath="">{content}</f:format.html> now (again) enforces HtmlSanitizer, which is not the expected behavior.

Possible solution:
  • revert change https://review.typo3.org/c/Packages/TYPO3.CMS/+/70740 (was for v11.4.0 only)
  • introduce new feature(sic!) <f:transform.link> (or f:format.link, I don't care about the name here)
    • which transforms <a href="t3://whatever"> into proper <a href="https://my-site.com/url"> tags
    • which is independent from any frontend and TypoScript context
    • which can be used in backend as well
  • substitute corresponding backend templates to apply HTML sanitization and link transformation, WITHOUT invoking ContentObjectRenderer::parseFunc

(in the backend, e.g. apply the following replacement manually)

<f:format.html parseFuncTSPath="">{content -> f:format.raw()}</f:format.html>

to

{content -> f:transform.link() -> f:sanitize.html(build: 'default')}
// it would also be possible to define a custom HtmlSanitizer builder for e.g. sys_news, or reports, or ...
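Added example (not TYPO3 core code and not the view-helpers the issue proposes): a stand-alone PHP script that applies the two steps from the description in the order given, first an internal-link transformation that needs no frontend TypoScript, then HTML sanitization, without going through ContentObjectRenderer::parseFunc. It assumes the typo3/html-sanitizer package is installed via Composer; its CommonBuilder is used as the equivalent of the `default` build. The function transformInternalLinks, its regular expression, and the fixed uid-to-URL resolver are hypothetical stand-ins for the proposed <f:transform.link> view-helper and for TYPO3's site router; the sample sys_note content is constructed for the example.

```php
<?php
// Added example, not TYPO3 core code. Shows "transform t3:// links, then sanitize"
// as separate steps, independent of lib.parseFunc_RTE and ContentObjectRenderer.
// Assumption: typo3/html-sanitizer is installed (composer require typo3/html-sanitizer).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Builder\CommonBuilder;

/**
 * Hypothetical stand-in for the proposed <f:transform.link> view-helper.
 * Rewrites href="t3://page?uid=N" into an absolute URL via a resolver callback.
 * Anything that is not a resolvable t3://page URI is left untouched on purpose,
 * so that the sanitizer, which runs afterwards, still gets to decide about it.
 */
function transformInternalLinks(string $html, callable $resolvePageUid): string
{
    return preg_replace_callback(
        '/\bhref\s*=\s*(["\'])t3:\/\/([^"\']*)\1/i',
        static function (array $m) use ($resolvePageUid): string {
            // Attribute values may carry entities (&amp;), so decode before parsing.
            $parts = parse_url('t3://' . html_entity_decode($m[2], ENT_QUOTES));
            if (($parts['host'] ?? '') !== 'page') {
                return $m[0];
            }
            parse_str($parts['query'] ?? '', $query);
            $uid = filter_var($query['uid'] ?? null, FILTER_VALIDATE_INT);
            if ($uid === false) {
                return $m[0];
            }
            $url = $resolvePageUid($uid);
            if ($url === null) {
                return $m[0];
            }
            // Re-encode for attribute context; no raw attacker input reaches the markup here.
            return 'href="' . htmlspecialchars($url, ENT_QUOTES) . '"';
        },
        $html
    );
}

/**
 * Runs both steps in the order the issue proposes:
 * {content -> f:transform.link() -> f:sanitize.html(build: 'default')}.
 * Sanitizing last means the sanitizer sees the final href and can apply its
 * own URL-scheme rules to it.
 */
function renderBackendRteContent(string $content, callable $resolvePageUid): string
{
    $transformed = transformInternalLinks($content, $resolvePageUid);
    return (new CommonBuilder())->build()->sanitize($transformed);
}

// Constructed sample of RTE-authored sys_note content: one internal link plus
// the kind of markup that must not survive into the backend user interface.
$sampleContent = <<<'HTML'
<p>See <a href="t3://page?uid=42" onclick="alert(1)">the page</a>
and <a href="javascript:alert(document.cookie)">this one</a>.</p>
<img src="x" onerror="alert(2)">
HTML;

// Hypothetical resolver: in TYPO3 this would be the site router; here a fixed map.
$resolvePageUid = static fn (int $uid): ?string =>
    [42 => 'https://my-site.com/some-page'][$uid] ?? null;

echo renderBackendRteContent($sampleContent, $resolvePageUid), PHP_EOL;
```

Running the script prints the note with the t3://page?uid=42 link rewritten to https://my-site.com/some-page, while the onclick and onerror handlers and the javascript: href are dropped by the sanitizer. The point of keeping the two steps apart is that neither depends on frontend TypoScript, so the same pipeline works in backend templates, and a custom builder can replace CommonBuilder per use case.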

Subtasks

Feature #95176: Introduce <f:transform.html> view-helper (Closed, 2021-09-10)
Bug #95179: Transform internal URIs in backend user interface (Closed, 2021-09-10)

Related issues

Related to TYPO3 Core - Bug #95169: Reports ExtensionComposerStatus missing link to EM (Closed, 2021-09-09)
Related to TYPO3 Core - Bug #67556: System news cannot render RTE content (Closed, 2015-06-17)
#1

Updated by Jochen Roth 11 months ago

  • Related to Bug #95169: Reports ExtensionComposerStatus missing link to EM added
#2

Updated by Gerrit Code Review 11 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/71021

#3

Updated by Christian Kuhn 11 months ago

  • Related to Bug #67556: System news cannot render RTE content added
#4

Updated by Gerrit Code Review 11 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/71021

#5

Updated by Oliver Hader 11 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#6

Updated by Benni Mack 10 months ago

  • Status changed from Resolved to Closed
#7

Updated by Tobias Gaertner 10 months ago

This is also present in TYPO3 >= 10.4.20 and should be backported. Should I open a new Ticket for that?

#8

Updated by Oliver Hader 10 months ago

Tobias Gaertner wrote in #note-7:

This is also present in TYPO3 >= 10.4.20 and should be backported. Should I open a new Ticket for that?

I could not find the changes of issue #67556 in TYPO3 v10 (https://github.com/TYPO3/typo3/blob/10.4/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php#L3747-L3780).
Besides that, it is true that RTE links cannot be rendered in TYPO3 v10; however, I (personally) would not fix it there anymore.
