Bug #95713
closed
Reports module and html sanitizer is limiting output (icon, javascript...)
100%
Description
Hi,
I use to maintain a complex reporting extension who use "Reports" (https://extensions.typo3.org/extension/additional_reports).
Since typo3 v11, reports apply a global sanitize to the output like this :
typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html
{content -> f:transform.html() -> f:sanitize.html()}
But this is limiting us A LOT in the output, for example :
- we cannot use IconFactory like <core:icon identifier="apps-pagetree-page-default" size="small" /> in our StandaloneView
- we cannot include any javascript in our StandaloneView (i use to have a mini menu that filter datas)
Everything will be encoded, is it possible to find a workarround for this?
Thanks
Updated by Oliver Hader over 2 years ago
- Status changed from New to Needs Feedback
Can you please point me to corresponding parts on GitHub that trigger those kind of markup?
Updated by Oliver Hader over 2 years ago
- Related to Bug #95179: Transform internal URIs in backend user interface added
Updated by Oliver Hader over 2 years ago
The only possibility I see is to remove -> f:sanitize.html() from corresponding template, introduced in https://review.typo3.org/c/Packages/TYPO3.CMS/+/71020/4/typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html
Allowing <script> or similar with typo3/html-sanitizer does not make much sense and contradicts the aim to mitigate potential cross-site scripting occurrences.
In order to be compatible with future content-security-policy headers, I'd suggest to
- avoid inline SVG, but use
<img src="icon.svg">instead - avoid inline JavaScript, but use a dedicated ES6 module (or RequireJS module) instead
Updated by Gerrit Code Review over 2 years ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/71903
Updated by Yohann CERDAN over 2 years ago
Oliver Hader wrote in #note-3:
The only possibility I see is to remove
-> f:sanitize.html()from corresponding template, introduced in https://review.typo3.org/c/Packages/TYPO3.CMS/+/71020/4/typo3/sysext/reports/Resources/Private/Templates/Report/Detail.htmlAllowing
<script>or similar withtypo3/html-sanitizerdoes not make much sense and contradicts the aim to mitigate potential cross-site scripting occurrences.In order to be compatible with future content-security-policy headers, I'd suggest to
- avoid inline SVG, but use
<img src="icon.svg">instead- avoid inline JavaScript, but use a dedicated ES6 module (or RequireJS module) instead
Ok, for the <img src="icon.svg"> thats what i do but that's a shame we cannot use viewhelpers here.
And for the javascript, i agree too, BUT, i cannot add input,select,form,etc... to make my menu. The problem is the same here, we are very limited (in reports module of course).
Updated by Oliver Hader over 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset a167909c85dae3b42f11ca4d93427758269102fb.
Updated by Georg Ringer almost 2 years ago
- Related to Bug #97542: TYPO3 Module Reports throws Exception if no site exists added
Updated by