Commit 9dd9106f authored by Christian Kuhn, committed by Oliver Bartsch

[BUGFIX] Avoid double hsc() in NoneElement

TCA "type=none" with "pass_content=false" (styleguide
elements basic none_2) or without pass_content at
all (styleguide elements basic none_4) double
encodes the value. Testable using styleguide with
some DB value like "l<u>i</u>p", which needs to be
manually put into DB since none fields do not persist
data using the backend.

Note pass_content=true is documented to not hsc()
the value at all, which is not true since TYPO3 v7; an
htmlspecialchars() is still applied.

Not encoding HTML is a potential security risk, so
the patch now only fixes the "pass_content=false" and
"not set" scenario to no longer double encode, and
another patch will remove the pass_content option in v12
entirely with a TCA migration and deprecation note
stating the option did not work since 2017 anyways.

Resolves: #99522
Releases: main, 11.5
Change-Id: Ic19ad991d0f17925d5f56fb34126a7cf8f6e6aab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77355


Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: core-ci <typo3@b13.com>
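The double encoding the commit message describes, as an added PHP example that is not TYPO3 code: the pre-patch pipeline is modelled with a hypothetical second escaping step (`escapeOnce`, assumed here because the hunk does not show where the remaining htmlspecialchars() call lives), and `isDoubleEncoded` is a regression check a reviewer could run over rendered output.

```php
<?php
// Added example, not TYPO3 core code. Models the NoneElement bug from
// commit 9dd9106f and a check that catches double-encoded output.

/** Escape a value for HTML output exactly once. */
function escapeOnce(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical model of the pipeline before the fix: the form element
 * escaped the value (the removed lines in the hunk) and a later output
 * step, assumed here, escaped it a second time.
 */
function renderBeforeFix(string $value): string
{
    $itemValue = htmlspecialchars($value); // the removed NoneElement line
    return escapeOnce($itemValue);         // assumed later output escaping
}

/** Model of the patched pipeline: only the later step escapes. */
function renderAfterFix(string $value): string
{
    return escapeOnce($value);
}

/**
 * An escaped ampersand directly followed by an entity name (for example
 * "&amp;lt;") only arises when already-escaped HTML is escaped again.
 */
function isDoubleEncoded(string $html): bool
{
    return (bool) preg_match('/&amp;(lt|gt|amp|quot|#0?39);/', $html);
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

$raw = 'l<u>i</u>p'; // constructed sample value taken from the commit message
check(isDoubleEncoded(renderBeforeFix($raw)), 'old pipeline should double encode');
check(!isDoubleEncoded(renderAfterFix($raw)), 'patched pipeline must encode once');
check(strpos(renderAfterFix($raw), '<') === false, 'raw markup must not reach the browser');
echo "NoneElement escaping checks passed\n";
```

Run with `php example.php`; the script throws if the patched path either double encodes or lets raw markup through.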
parent 7424ce3d
......@@ -55,9 +55,6 @@ class NoneElement extends AbstractFormElement
$formatOptions = $config['format.'] ?? [];
$itemValue = $this->formatValue($config['format'], $itemValue, $formatOptions);
}
if (!($config['pass_content'] ?? false)) {
$itemValue = htmlspecialchars($itemValue);
}
$size = $config['size'] ?? $this->defaultInputWidth;
$size = MathUtility::forceIntegerInRange($size, $this->minimumInputWidth, $this->maxInputWidth);
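Review bot: the three removed lines (`if (!($config['pass_content'] ?? false)) {`, `$itemValue = htmlspecialchars($itemValue);`, `}`) are the only escaping visible in this hunk, so the safety of the change rests on the later htmlspecialchars() call the commit message refers to, which the context ending at the `$size` lines does not show; a functional test that renders a value such as the `l<u>i</u>p` example through NoneElement with pass_content unset and asserts the output is encoded exactly once would pin that guarantee down and guard against the reverse regression (no encoding at all). A short code comment at the removal point referencing #99522 and the planned removal of `pass_content` in v12 would also tell later readers why the option is no longer consulted here.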