From d7b5fb3d51efdb96bcd8dac490f14dd8c5e3e50f Mon Sep 17 00:00:00 2001
From: Christian Kuhn <lolli@schwarzbu.ch>
Date: Wed, 9 Nov 2022 13:52:15 +0100
Subject: [PATCH] [TASK] Deprecate fluid HtmlViewHelper in Backend context

The HtmlViewHelper relies on Frontend TypoScript
"parseFunc" functionality and has an ugly hack
to prepare Frontend rendering in Backend context.

The core no longer uses f:format.html in Backend
context since the introduction of f:sanitize.html
and f:transform.html. Using f:format.html in
Backend context should be deprecated.

Resolves: #99031
Related: #94825
Releases: main
Change-Id: I60c5ea36b664a35abde431d2ac845ee9e2bff4bb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76519
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
---
 ...-DeprecatedFformathtmlInBackendContext.rst | 46 +++++++++++++++++++
 ...ture-94825-SanitizeHtmlFluidViewHelper.rst |  2 +
 .../ViewHelpers/Format/HtmlViewHelper.php     |  6 +--
 3 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 typo3/sysext/core/Documentation/Changelog/12.1/Deprecation-99031-DeprecatedFformathtmlInBackendContext.rst

diff --git a/typo3/sysext/core/Documentation/Changelog/12.1/Deprecation-99031-DeprecatedFformathtmlInBackendContext.rst b/typo3/sysext/core/Documentation/Changelog/12.1/Deprecation-99031-DeprecatedFformathtmlInBackendContext.rst
new file mode 100644
index 000000000000..54ad4cc3078d
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/12.1/Deprecation-99031-DeprecatedFformathtmlInBackendContext.rst
@@ -0,0 +1,46 @@
+.. include:: /Includes.rst.txt
+
+.. _deprecation-99031-1667998430:
+
+=================================================================
+Deprecation: #99031 - Deprecated f:format.html in Backend context
+=================================================================
+
+See :issue:`99031`
+
+Description
+===========
+
+The :html:`<f:format.html />` ViewHelper :php:`TYPO3\CMS\Fluid\ViewHelpers\Format\HtmlViewHelper`
+should not be used in TYPO3 Backend context anymore.
+
+Using this ViewHelper in Backend context triggers Frontend :typoscript:`parseFunc` logic, which
+should be avoided in the backend.
+
+There are other ViewHelpers to output and parse HTML in Backend context. See description of
+the :ref:`f:sanitize.html <feature-94825-1667998632>` ViewHelper for more details.
+
+
+Impact
+======
+
+Using :html:`<f:format.html />` logs a deprecation level warning.
+
+
+Affected installations
+======================
+
+Instances with extensions that come with Backend modules using Fluid rendering and
+accessing :html:`<f:format.html />` are affected.
+
+
+Migration
+=========
+
+Switch to one of the other ViewHelpers instead, typically :html:`<f:sanitize.html />`
+to secure a given HTML string, :html:`<f:transform.html />` to parse links in HTML,
+or :html:`<f:format.raw />` to output the HTML as is when the input can be considered
+"secure".
+
+
+.. index:: Backend, Fluid, NotScanned, ext:fluid
diff --git a/typo3/sysext/core/Documentation/Changelog/9.5.x/Feature-94825-SanitizeHtmlFluidViewHelper.rst b/typo3/sysext/core/Documentation/Changelog/9.5.x/Feature-94825-SanitizeHtmlFluidViewHelper.rst
index 9613f185e23a..b7cb34e3fe03 100644
--- a/typo3/sysext/core/Documentation/Changelog/9.5.x/Feature-94825-SanitizeHtmlFluidViewHelper.rst
+++ b/typo3/sysext/core/Documentation/Changelog/9.5.x/Feature-94825-SanitizeHtmlFluidViewHelper.rst
@@ -1,5 +1,7 @@
 .. include:: /Includes.rst.txt
 
+.. _feature-94825-1667998632:
+
 ======================================================
 Feature: #94825 - New f:sanitize.html Fluid ViewHelper
 ======================================================
diff --git a/typo3/sysext/fluid/Classes/ViewHelpers/Format/HtmlViewHelper.php b/typo3/sysext/fluid/Classes/ViewHelpers/Format/HtmlViewHelper.php
index 12ef1d190bd6..ba7f39306676 100644
--- a/typo3/sysext/fluid/Classes/ViewHelpers/Format/HtmlViewHelper.php
+++ b/typo3/sysext/fluid/Classes/ViewHelpers/Format/HtmlViewHelper.php
@@ -151,10 +151,10 @@ final class HtmlViewHelper extends AbstractViewHelper
 
         /** @var RenderingContext $renderingContext */
         $request = $renderingContext->getRequest();
-        $isBackendRequest = $request instanceof ServerRequestInterface
-            && $request->getAttribute('applicationType')
-            && ApplicationType::fromRequest($request)->isBackend();
+        $isBackendRequest = $request instanceof ServerRequestInterface && ApplicationType::fromRequest($request)->isBackend();
         if ($isBackendRequest) {
+            // @deprecated since v12, remove in v13: Drop simulateFrontendEnvironment() and resetFrontendEnvironment() and throw a \RuntimeException here.
+            trigger_error('Using f:format.html in backend context has been deprecated in TYPO3 v12 and will be removed with v13', E_USER_DEPRECATED);
             $tsfeBackup = self::simulateFrontendEnvironment();
         }
 
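Review bot: The rewritten `$isBackendRequest` line drops the `$request->getAttribute('applicationType')` guard, so a ServerRequestInterface without that attribute now reaches `ApplicationType::fromRequest($request)` directly; as far as I know that method throws a RuntimeException for a missing or invalid attribute, where the old code fell through to the non-backend path. If that is intended, a short comment such as `// Requests are expected to carry "applicationType"; fromRequest() throws otherwise` would record it, otherwise the guard should stay. Separately, the `trigger_error()` text names no replacement: appending `Use f:sanitize.html or f:transform.html instead.` would steer template authors to the sanitizing helpers rather than to an unsanitized output path such as f:format.raw. The enclosing method starts and ends outside this hunk, so the non-backend branch is not visible here.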
-- 
GitLab