[BUGFIX] Adjust default behavior of HTML sanitization in parseFunc
As a result of TYPO3-CORE-SA-2021-013, new `htmlSanitize` behavior - when invoking `ContentObjectRenderer::parseFunc` - is enabled per default, in case it was not declared otherwise. That also happened when no processing configuration was given (or could be resolved). Without having any configuration, it was obviously not possible to disable `htmlSanitize`.

Fluid's `HtmlViewHelper` can be used with an empty `parseFuncTSPath` (e.g. `<f:format.html parseFuncTSPath="">`) - due to missing (empty) configuration, sanitization was enabled per default in `parseFunc`.

With this change, property `htmlSanitize` either needs to be enabled or disabled explicitly - otherwise deprecation logs will be generated; if not given, the fall-back behavior is inferred from new feature flag `security.frontend.htmlSanitizeParseFuncDefault`. Invoking `ContentObjectRenderer::parseFunc` without any configuration behaves like before TYPO3-CORE-SA-2021-013 was applied - it just does not process anything.

Resolves: #94786
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4aee54d712ce4758f6c9c2e64a43f80b6c076406
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70404
Tested-by: core-ci <typo3@b13.com>
Tested-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Benni Mack <benni@typo3.org>
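The commit message above makes `htmlSanitize` an explicit per-configuration decision. The TypoScript below is an added example, not part of the TYPO3 change set or of any file listed on this page: it shows how a site integrator declares the property on the `parseFunc` configurations the site actually uses, so that the result no longer depends on the `security.frontend.htmlSanitizeParseFuncDefault` fall-back and no deprecation log entry is written. The object names `lib.parseFunc_RTE` and `lib.parseFunc` are assumptions (the conventional names shipped by fluid_styled_content), not something this page states.

```typoscript
# Added example (not the project's own configuration): declare htmlSanitize
# explicitly instead of relying on the feature-flag fall-back.

# Assumption: RTE content is rendered through lib.parseFunc_RTE, the
# conventional object name from fluid_styled_content.
lib.parseFunc_RTE {
  # Explicitly enabled: markup produced by parseFunc runs through the
  # HTML sanitizer; nothing is inferred from the feature flag and no
  # deprecation entry is logged for an undeclared property.
  htmlSanitize = 1
}

# Assumption: plain-text/typolink processing uses lib.parseFunc. Declared
# explicitly as well, so no parseFunc path a template refers to is left
# implicit.
lib.parseFunc {
  htmlSanitize = 1
}
```

Every `parseFuncTSPath` referenced from Fluid templates (`<f:format.html parseFuncTSPath="lib.parseFunc_RTE">`, for example) should point at one of these declared objects; an empty path, as in the commit message's `<f:format.html parseFuncTSPath="">` case, now means no processing at all rather than implicit sanitization. The explicit opt-out form is `htmlSanitize = 0`; it is deliberately not shown as a recommendation here, but grepping TypoScript for paths that lack either value is the quickest way to find the configurations that would otherwise produce the deprecation log described above. The fall-back itself is a TYPO3 feature toggle, i.e. it is set under `$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']` with the key given in the commit message.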
Showing 12 changed files:
- typo3/sysext/core/Classes/Html/RteHtmlParser.php (2 additions, 2 deletions)
- typo3/sysext/core/Configuration/DefaultConfiguration.php (2 additions, 1 deletion)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (4 additions, 1 deletion)
- typo3/sysext/core/Documentation/Changelog/9.5.x/Important-94484-IntroduceHTMLSanitizer.rst (2 additions, 2 deletions)
- typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php (3 additions, 2 deletions)
- typo3/sysext/core/Tests/Unit/Html/RteHtmlParserTest.php (2 additions, 2 deletions)
- typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/Fixtures/FluidTemplate.html (3 additions, 0 deletions)
- typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php (142 additions, 10 deletions)
- typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php (19 additions, 3 deletions)
- typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php (4 additions, 510 deletions)
- typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTestTrait.php (205 additions, 0 deletions)
- typo3/sysext/frontend/Tests/UnitDeprecated/ContentObject/ContentObjectRendererTest.php (501 additions, 0 deletions)