TYPO3 Core

The only possibility I see is to remove -> f:sanitize.html() from corresponding template, introduced in https://review.typo3.org/c/Packages/TYPO3.CMS/+/71020/4/typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html

Allowing <script> or similar with typo3/html-sanitizer does not make much sense and contradicts the aim to mitigate potential cross-site scripting occurrences.

In order to be compatible with future content-security-policy headers, I'd suggest to

• avoid inline SVG, but use <img src="icon.svg"> instead
• avoid inline JavaScript, but use a dedicated ES6 module (or RequireJS module) instead

Oliver Hader wrote in #note-3:

The only possibility I see is to remove -> f:sanitize.html() from corresponding template, introduced in https://review.typo3.org/c/Packages/TYPO3.CMS/+/71020/4/typo3/sysext/reports/Resources/Private/Templates/Report/Detail.html

Allowing <script> or similar with typo3/html-sanitizer does not make much sense and contradicts the aim to mitigate potential cross-site scripting occurrences.

In order to be compatible with future content-security-policy headers, I'd suggest to

• avoid inline SVG, but use <img src="icon.svg"> instead
• avoid inline JavaScript, but use a dedicated ES6 module (or RequireJS module) instead

Ok, for the <img src="icon.svg"> thats what i do but that's a shame we cannot use viewhelpers here.

And for the javascript, i agree too, BUT, i cannot add input,select,form,etc... to make my menu. The problem is the same here, we are very limited (in reports module of course).