[BUGFIX] Avoid double hsc() in NoneElement

TCA "type=none" with "pass_content=false" (styleguide elements basic none_2) or without pass_content at all (styleguide elements basic none_4) double encodes the value. Testable using styleguide with some DB value like "l<u>i</u>p", which needs to be manually put into DB since none fields do not persist data using the backend. Note pass_content=true is documented to not hsc() the value at all, which is not true since TYPO3 v7, a htmlspecialchars() is still applied. Not encoding HTML is a potential security risk, so the patch now only fixes the "pass_content=false" and "not set" scenario to no longer double encode, and another patch will remove the pass_content option in v12 entirely with a TCA migration and deprecation note stating the option did not work since 2017 anyways. Resolves: #99522 Releases: main, 11.5 Change-Id: Ic19ad991d0f17925d5f56fb34126a7cf8f6e6aab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77334 Tested-by: Oliver Bartsch <bo@cedev.de> Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Bartsch <bo@cedev.de>

[BUGFIX] Avoid double hsc() in NoneElement
TCA "type=none" with "pass_content=false" (styleguide elements basic none_2) or without pass_content at all (styleguide elements basic none_4) double encodes the value. Testable using styleguide with some DB value like "l<u>i</u>p", which needs to be manually put into DB since none fields do not persist data using the backend. Note pass_content=true is documented to not hsc() the value at all, which is not true since TYPO3 v7, a htmlspecialchars() is still applied. Not encoding HTML is a potential security risk, so the patch now only fixes the "pass_content=false" and "not set" scenario to no longer double encode, and another patch will remove the pass_content option in v12 entirely with a TCA migration and deprecation note stating the option did not work since 2017 anyways. Resolves: #99522 Releases: main, 11.5 Change-Id: Ic19ad991d0f17925d5f56fb34126a7cf8f6e6aab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77334 Tested-by: Oliver Bartsch <bo@cedev.de> Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Bartsch <bo@cedev.de>
29d4ecc1 · Christian Kuhn · Oliver Bartsch · 439e6c29 · 29d4ecc1
Commit 29d4ecc1 authored 2 years ago by Christian Kuhn Committed by Oliver Bartsch 2 years ago
--- a/typo3/sysext/backend/Classes/Form/Element/NoneElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/NoneElement.php
@@ -50,9 +50,6 @@ class NoneElement extends AbstractFormElement
            $formatOptions = $config['format.'] ?? [];
            $itemValue = $this->formatValue($config['format'], $itemValue, $formatOptions);
        }
-        if (!($config['pass_content'] ?? false)) {
-            $itemValue = htmlspecialchars($itemValue);
-        }
        $cols = ($config['cols'] ?? false) ?: ($config['size'] ?? false) ?: $this->defaultInputWidth;
        $size = MathUtility::forceIntegerInRange($cols, 5, $this->maxInputWidth);