Bug #95713

Reports module and html sanitizer is limiting output (icon, javascript...)

Added by Yohann CERDAN 10 months ago. Updated 10 months ago.

Status:
Resolved
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2021-10-20
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
11
PHP Version:
7.4
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

Hi,

I use to maintain a complex reporting extension who use "Reports" (https://extensions.typo3.org/extension/additional_reports).
Since typo3 v11, reports apply a global sanitize to the output like this :

typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html
{content -> f:transform.html() -> f:sanitize.html()}

But this is limiting us A LOT in the output, for example :
- we cannot use IconFactory like <core:icon identifier="apps-pagetree-page-default" size="small" /> in our StandaloneView
- we cannot include any javascript in our StandaloneView (i use to have a mini menu that filter datas)

Everything will be encoded, is it possible to find a workarround for this?

Thanks


Related issues

Related to TYPO3 Core - Bug #95179: Transform internal URIs in backend user interfaceClosed2021-09-10

Actions
Related to TYPO3 Core - Bug #97542: TYPO3 Module Reports throws Exception if no site existsUnder Review2022-05-03

Actions
#1

Updated by Oliver Hader 10 months ago

  • Status changed from New to Needs Feedback

Can you please point me to corresponding parts on GitHub that trigger those kind of markup?

#2

Updated by Oliver Hader 10 months ago

  • Related to Bug #95179: Transform internal URIs in backend user interface added
#3

Updated by Oliver Hader 10 months ago

The only possibility I see is to remove -> f:sanitize.html() from corresponding template, introduced in https://review.typo3.org/c/Packages/TYPO3.CMS/+/71020/4/typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html

Allowing <script> or similar with typo3/html-sanitizer does not make much sense and contradicts the aim to mitigate potential cross-site scripting occurrences.

In order to be compatible with future content-security-policy headers, I'd suggest to

  • avoid inline SVG, but use <img src="icon.svg"> instead
  • avoid inline JavaScript, but use a dedicated ES6 module (or RequireJS module) instead
#4

Updated by Gerrit Code Review 10 months ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/71903

#5

Updated by Yohann CERDAN 10 months ago

Oliver Hader wrote in #note-3:

The only possibility I see is to remove -> f:sanitize.html() from corresponding template, introduced in https://review.typo3.org/c/Packages/TYPO3.CMS/+/71020/4/typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html

Allowing <script> or similar with typo3/html-sanitizer does not make much sense and contradicts the aim to mitigate potential cross-site scripting occurrences.

In order to be compatible with future content-security-policy headers, I'd suggest to

  • avoid inline SVG, but use <img src="icon.svg"> instead
  • avoid inline JavaScript, but use a dedicated ES6 module (or RequireJS module) instead

Ok, for the <img src="icon.svg"> thats what i do but that's a shame we cannot use viewhelpers here.

And for the javascript, i agree too, BUT, i cannot add input,select,form,etc... to make my menu. The problem is the same here, we are very limited (in reports module of course).

#6

Updated by Oliver Hader 10 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#7

Updated by Georg Ringer 3 months ago

  • Related to Bug #97542: TYPO3 Module Reports throws Exception if no site exists added

Also available in: Atom PDF