diff --git a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
index 8627396247136e6ef0a67c9056ef836b85c248c3..db8b0f4f61e242295e81de29428f1574151185d1 100644
--- a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
+++ b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
@@ -234,7 +234,8 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
'#01 ' . self::TYPE_EMPTY_PARSEFUNCTSPATH => [
self::TYPE_EMPTY_PARSEFUNCTSPATH,
'01: <script>alert(1)</script>',
- '01: <script>alert(1)</script>',
+ // triggers fallback to default parsefunc config, which enables htmlSanitize
+ '01: <script>alert(1)</script>',
],
'#01 ' . self::TYPE_DISABLE_HTML_SANITIZE => [
self::TYPE_DISABLE_HTML_SANITIZE,
@@ -249,7 +250,8 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
'#03 ' . self::TYPE_EMPTY_PARSEFUNCTSPATH => [
self::TYPE_EMPTY_PARSEFUNCTSPATH,
'03: <img img="img" alt="alt" onerror="alert(1)">',
- '03: <img img="img" alt="alt" onerror="alert(1)">',
+ // triggers fallback to default parsefunc config, which enables htmlSanitize
+ '03: <img alt="alt">',
],
'#03 ' . self::TYPE_DISABLE_HTML_SANITIZE => [
self::TYPE_DISABLE_HTML_SANITIZE,
@@ -264,8 +266,8 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
'#07 ' . self::TYPE_EMPTY_PARSEFUNCTSPATH => [
self::TYPE_EMPTY_PARSEFUNCTSPATH,
'07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
- // expected, with empty parseFunc configuration internal link URN is not resolved
- '07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
+ // triggers fallback to default parsefunc config, which enables htmlSanitize and resolves URNs
+ '07: <a href="/" target="_blank" rel="noreferrer" class="button" role="button">TYPO3</a>',
],
'#07 ' . self::TYPE_DISABLE_HTML_SANITIZE => [
self::TYPE_DISABLE_HTML_SANITIZE,
@@ -280,7 +282,8 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
'#08 ' . self::TYPE_EMPTY_PARSEFUNCTSPATH => [
self::TYPE_EMPTY_PARSEFUNCTSPATH,
'08: <meta whatever="whatever">',
- '08: <meta whatever="whatever">',
+ // triggers fallback to default parsefunc config, which enables htmlSanitize
+ '08:',
],
'#08 ' . self::TYPE_DISABLE_HTML_SANITIZE => [
self::TYPE_DISABLE_HTML_SANITIZE,
@@ -296,7 +299,8 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
'#09 ' . self::TYPE_EMPTY_PARSEFUNCTSPATH => [
self::TYPE_EMPTY_PARSEFUNCTSPATH,
'09: <sdfield onmouseover="alert(1)">',
- '09: <sdfield onmouseover="alert(1)">',
+ // triggers fallback to default parsefunc config, which enables htmlSanitize
+ '09: <sdfield onmouseover="alert(1)"></sdfield>',
],
'#09 ' . self::TYPE_DISABLE_HTML_SANITIZE => [
self::TYPE_DISABLE_HTML_SANITIZE,
diff --git a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
index 3f64ff5415fce2f16dc806023a4c279fa61a4553..198d199e152878340eb7c8328e7fc4be020b608a 100644
--- a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
+++ b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
@@ -3349,6 +3349,37 @@ class ContentObjectRenderer implements LoggerAwareInterface
];
$temp_conf = $this->mergeTSRef($temp_conf, 'parseFunc');
$conf = $temp_conf['parseFunc.'];
+ // Fallback configuration to always replace links. This kicks in if there is no
+ // default "lib.parsefunc" setup in given context, for instance if the RTE html
+ // parser is used in backend context and no extension adds default TypoScript.
+ // This fallback setup is kept in place here for now, but may be later refactored
+ // to be used elsewhere if needed.
+ if (empty($conf)) {
+ $conf = [
+ 'tags.' => [
+ 'a' => 'TEXT',
+ 'a.' => [
+ 'current' => 1,
+ 'typolink.' => [
+ 'parameter.' => [
+ 'data' => 'parameters:href'
+ ],
+ 'title.' => [
+ 'data' => 'parameters:title'
+ ],
+ 'ATagParams.' => [
+ 'data' => 'parameters:allParams'
+ ],
+ 'target.' => [
+ 'ifEmpty.' => [
+ 'data' => ['parameters:target']
+ ]
+ ],
+ ]
+ ]
+ ]
+ ];
+ }
}
// early return, no processing in case no configuration is given
if (empty($conf)) {
@@ -4228,7 +4259,9 @@ class ContentObjectRenderer implements LoggerAwareInterface
$fieldArray = $tsfe->page;
}
$retVal = '';
- $sections = explode('//', $string);
+ // @todo: getData should not be called with non-string as $string. example trigger:
+ // SecureHtmlRenderingTest htmlViewHelperAvoidsCrossSiteScripting set #07 PHP 8
+ $sections = is_string($string) ? explode('//', $string) : [];
foreach ($sections as $secKey => $secVal) {
if ($retVal) {
break;
@@ -4696,7 +4729,13 @@ class ContentObjectRenderer implements LoggerAwareInterface
$linkBuilder = GeneralUtility::makeInstance(
$GLOBALS['TYPO3_CONF_VARS']['FE']['typolinkBuilder'][$linkDetails['type']],
$this,
- $tsfe
+ // AbstractTypolinkBuilder type hints an optional dependency to TypoScriptFrontendController.
+ // Some core parts however "fake" $GLOBALS['TSFE'] to stdCLass() due to its long list of
+ // dependencies. f:html view helper is such a scenario. This of course crashes if given to typolink builder
+ // classes. For now, we check the instance and hand over 'null', giving the link builders the option
+ // to take care of tsfe themselfs. This scenario is for instance triggered when in BE login when sys_news
+ // records set links.
+ $tsfe instanceof TypoScriptFrontendController ? $tsfe : null
);
try {
[$this->lastTypoLinkUrl, $linkText, $target] = $linkBuilder->build($linkDetails, $linkText, $target, $conf);