Commit 29d4ecc1 authored by Christian Kuhn, committed by Oliver Bartsch

[BUGFIX] Avoid double hsc() in NoneElement

TCA "type=none" with "pass_content=false" (styleguide
elements basic none_2) or without pass_content at
all (styleguide elements basic none_4) double
encodes the value. Testable using styleguide with
some DB value like "l<u>i</u>p", which needs to be
manually put into DB since none fields do not persist
data using the backend.

Note pass_content=true is documented to not hsc()
the value at all, which has not been true since TYPO3 v7:
an htmlspecialchars() is still applied.

Not encoding HTML is a potential security risk, so
the patch now only fixes the "pass_content=false" and
"not set" scenario to no longer double encode, and
another patch will remove the pass_content option in v12
entirely with a TCA migration and deprecation note
stating the option did not work since 2017 anyway.

Resolves: #99522
Releases: main, 11.5
Change-Id: Ic19ad991d0f17925d5f56fb34126a7cf8f6e6aab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77334


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
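The encoding behaviour this commit describes, as an added illustration that is not TYPO3's own code: a hypothetical model of the NoneElement paths before and after the fix, plus two checks a reviewer could run over rendered output to confirm the value is encoded exactly once. Python's html.escape() stands in for PHP's htmlspecialchars(); the sample value is the one the commit message suggests.

```python
import html
from typing import Optional

# Constructed sample DB value, taken from the commit message.
SAMPLE_VALUE = "l<u>i</u>p"


def hsc(value: str) -> str:
    """Stand-in for PHP's htmlspecialchars(): escapes &, <, >, double and single quotes."""
    return html.escape(value, quote=True)


def render_none_element(value: str, pass_content: Optional[bool] = None,
                        fixed: bool = True) -> str:
    """Hypothetical model of the behaviour the commit describes (not TYPO3 code).

    Before the fix, pass_content=false or an unset pass_content ran hsc() twice,
    while pass_content=true ran it once (the docs claimed zero). After the fix,
    the false/unset paths encode exactly once as well; the true path is unchanged.
    """
    encoded = hsc(value)
    if not fixed and not pass_content:  # False or None: the buggy second hsc()
        encoded = hsc(encoded)
    return encoded


def encodes_exactly_once(value: str, rendered: str) -> bool:
    """Exact check when the source value is known: output must equal one hsc() pass
    and must not contain a raw '<' (the actual security property)."""
    return rendered == hsc(value) and "<" not in rendered


def looks_double_encoded(rendered: str) -> bool:
    """Heuristic for output whose source value is unknown: undoing one layer of
    encoding should not leave further entities behind.

    Caveat: a source value that legitimately contains text such as '&amp;' is
    reported as double-encoded, so use this to flag candidates, not as proof.
    """
    once = html.unescape(rendered)
    return once != html.unescape(once)
```

Run with `render_none_element(SAMPLE_VALUE, fixed=False)` to see the double-encoded `l&amp;lt;u&amp;gt;i&amp;lt;/u&amp;gt;p` that the styleguide none_2/none_4 elements showed before the fix.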
parent 439e6c29