Bug #83733

Updated by Alexander Schnitzler about 6 years ago

With https://forge.typo3.org/issues/78477, the flash message handling unfortunately became worse compared to 7.6 because it tried to do things the right way but it didn't have real life projects in mind.

These are the changes I struggle with a lot:

* The FlashMessageRendererResolver resolves the Renderer by some hardcoded conditions: Backend, Frontend and CLI context. This is not only very breaking because the default rendering was the Bootstrap rendering in 7.6, it also takes away the possibility to configure the renderer. It's a slap in the face when migrating templates to 8.7.
* Due to security reasons, the renderers escape all output, but the FlashMessageViewHelper is still configured to not escape its output. This takes the option from me of not escaping stuff for single flash messages in case I need to. This has to change. Renderers must not htmlspecialchar and let the template engine decide. I understand that we do not want to open the doors for XSS by default (and we can do so by using sane defaults for the renderer configuration, letting the flashmessage viewhelper escape by default, which can then be overridden) but there are cases, and it's many, where you want to disable escaping in flash messages.
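As an added illustration of the design argued for above (escape by default at the output layer, with an explicit per-message opt-out, and no escaping hardcoded into the renderer), the following standalone sketch is not TYPO3 code and does not use TYPO3's classes; the `FlashMessage` class, the `isHtml` flag and the `renderMessages()` function are hypothetical names chosen for this example, and it assumes PHP 8.0 or newer.

```php
<?php
// Hypothetical sketch, not TYPO3's FlashMessage or its renderers.
declare(strict_types=1);

final class FlashMessage
{
    public function __construct(
        public string $message,
        public string $title = '',
        // Hypothetical per-message opt-out: only messages that explicitly
        // declare themselves as trusted markup are emitted unescaped.
        public bool $isHtml = false
    ) {
    }
}

// Default output-layer policy: escape everything for an HTML context.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The renderer builds structure only. The escaping policy is owned by the
// caller (the template layer) and passed in, so the renderer itself never
// decides whether to call htmlspecialchars; the opt-out is per message.
function renderMessages(array $messages, callable $escape): string
{
    $out = '';
    foreach ($messages as $m) {
        $body  = $m->isHtml ? $m->message : $escape($m->message);
        $title = $escape($m->title); // titles are never treated as markup
        $out .= '<div class="alert">'
            . ($title !== '' ? '<h4>' . $title . '</h4>' : '')
            . '<p>' . $body . '</p></div>' . "\n";
    }
    return $out;
}

// Constructed sample input: one message carrying untrusted text, one whose
// markup was written by the developer and is deliberately flagged as HTML.
$messages = [
    new FlashMessage('<script>alert(1)</script>', 'Untrusted input'),
    new FlashMessage('Saved. <a href="/list">Back to list</a>', 'Done', true),
];
echo renderMessages($messages, 'escapeHtml');
```

The first message is printed as inert text (`&lt;script&gt;...`), the second keeps its link; only the explicit `isHtml` flag on a single message changes the default, which is the behaviour the comment asks for instead of unconditional escaping inside every renderer.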
