[SECURITY] Ensure XSS-safe rich text rendering
Due to missing internal handling of provided RTE configuration, it was possible to directly persist XSS in database fields. Unless full blown backend RTE tag configuration is available, this patch still allows persisting potentially malicious data - which is not reflected in the backend user interface - but to be sanitized during frontend rendering (see below). Corresponding configuration directives (`removeTags`, `allowedAttribs`) are now considered again. Besides that a new, but simplified sequential HTML parser ensures that runaway node-boundaries are detected & denied. To sanitize and purge XSS from markup during frontend rendering, new custom HTML sanitizer has been introduced, based on `masterminds/html5`. Both `DefaultBuilder` and `CommonVisitor` provide common configuration which is in line with expected tags that are allowed in backend RTE. Using a custom builder instance, it is possible to adjust for individual demands - however, configuration possibilities cannot be modified using TypoScript - basically since the existing syntax does not cover all necessary scenarios. Resolves: #94375 Related: #83027 Related: #94484 Releases: master, 11.3, 10.4, 9.5 Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0 Security-Bulletin: TYPO3-CORE-SA-2021-013 Security-References: CVE-2021-32768 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70345 Tested-by:Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Showing
- composer.json 1 addition, 0 deletionscomposer.json
- composer.lock 121 additions, 1 deletioncomposer.lock
- typo3/sysext/core/Classes/Html/DefaultSanitizerBuilder.php 64 additions, 0 deletionstypo3/sysext/core/Classes/Html/DefaultSanitizerBuilder.php
- typo3/sysext/core/Classes/Html/HtmlParser.php 34 additions, 15 deletionstypo3/sysext/core/Classes/Html/HtmlParser.php
- typo3/sysext/core/Classes/Html/RteHtmlParser.php 34 additions, 2 deletionstypo3/sysext/core/Classes/Html/RteHtmlParser.php
- typo3/sysext/core/Classes/Html/SanitizerBuilderFactory.php 67 additions, 0 deletionstypo3/sysext/core/Classes/Html/SanitizerBuilderFactory.php
- typo3/sysext/core/Classes/Html/SimpleNode.php 89 additions, 0 deletionstypo3/sysext/core/Classes/Html/SimpleNode.php
- typo3/sysext/core/Classes/Html/SimpleParser.php 242 additions, 0 deletionstypo3/sysext/core/Classes/Html/SimpleParser.php
- typo3/sysext/core/Configuration/DefaultConfiguration.php 4 additions, 0 deletionstypo3/sysext/core/Configuration/DefaultConfiguration.php
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml 3 additions, 0 deletions...t/core/Configuration/DefaultConfigurationDescription.yaml
- typo3/sysext/core/Documentation/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.rst 148 additions, 0 deletions...hangelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.rst
- typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php 293 additions, 0 deletions...ests/Functional/DataHandling/DataHandler/SecurityTest.php
- typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php 134 additions, 0 deletions...ore/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
- typo3/sysext/core/Tests/Unit/Html/HtmlParserTest.php 49 additions, 1 deletiontypo3/sysext/core/Tests/Unit/Html/HtmlParserTest.php
- typo3/sysext/core/Tests/Unit/Html/Parser/ParserTest.php 122 additions, 0 deletionstypo3/sysext/core/Tests/Unit/Html/Parser/ParserTest.php
- typo3/sysext/core/Tests/Unit/Html/RteHtmlParserTest.php 4 additions, 0 deletionstypo3/sysext/core/Tests/Unit/Html/RteHtmlParserTest.php
- typo3/sysext/core/composer.json 1 addition, 0 deletionstypo3/sysext/core/composer.json
- typo3/sysext/fluid_styled_content/Configuration/TypoScript/Helper/ParseFunc.typoscript 6 additions, 7 deletions...tent/Configuration/TypoScript/Helper/ParseFunc.typoscript
- typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/Fixtures/SecureHtmlScenario.yaml 30 additions, 0 deletions...sts/Functional/Rendering/Fixtures/SecureHtmlScenario.yaml
- typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php 266 additions, 0 deletions...nt/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
Please register or sign in to comment