[BUGFIX] Prevent XSS in ViewHelpers
[Packages/TYPO3.CMS.git] / typo3 / sysext / fluid / Classes / ViewHelpers / Format / HtmlViewHelper.php
1 <?php
2 namespace TYPO3\CMS\Fluid\ViewHelpers\Format;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Utility\GeneralUtility;
18 use TYPO3\CMS\Extbase\Configuration\ConfigurationManagerInterface;
19 use TYPO3\CMS\Extbase\Object\ObjectManager;
20 use TYPO3\CMS\Fluid\Core\Rendering\RenderingContextInterface;
21 use TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper;
22 use TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer;
23
24 /**
25 * Renders a string by passing it to a TYPO3 parseFunc.
26 * You can either specify a path to the TypoScript setting or set the parseFunc options directly.
27 * By default lib.parseFunc_RTE is used to parse the string.
28 *
29 * == Examples ==
30 *
31 * <code title="Default parameters">
32 * <f:format.html>foo <b>bar</b>. Some <LINK 1>link</LINK>.</f:format.html>
33 * </code>
34 * <output>
35 * <p class="bodytext">foo <b>bar</b>. Some <a href="index.php?id=1" >link</a>.</p>
36 * (depending on your TYPO3 setup)
37 * </output>
38 *
39 * <code title="Custom parseFunc">
40 * <f:format.html parseFuncTSPath="lib.parseFunc">foo <b>bar</b>. Some <LINK 1>link</LINK>.</f:format.html>
41 * </code>
42 * <output>
43 * foo <b>bar</b>. Some <a href="index.php?id=1" >link</a>.
44 * </output>
45 *
46 * <code title="Inline notation">
47 * {someText -> f:format.html(parseFuncTSPath: 'lib.parseFunc')}
48 * </code>
49 * <output>
50 * foo <b>bar</b>. Some <a href="index.php?id=1" >link</a>.
51 * </output>
52 *
53 * @see https://docs.typo3.org/typo3cms/TyposcriptReference/Functions/Parsefunc/
54 */
55 class HtmlViewHelper extends AbstractViewHelper
56 {
57 /**
58 * @var \TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController contains a backup of the current $GLOBALS['TSFE'] if used in BE mode
59 */
60 protected static $tsfeBackup;
61
62 /**
63 * Disable escaping of child nodes' output
64 *
65 * @var bool
66 */
67 protected $escapeChildren = false;
68
69 /**
70 * Plain HTML should be returned, no output escaping allowed
71 *
72 * @var bool
73 */
74 protected $escapeOutput = false;
75
76 /**
77 * @param string $parseFuncTSPath path to TypoScript parseFunc setup.
78 * @return string the parsed string.
79 */
80 public function render($parseFuncTSPath = 'lib.parseFunc_RTE')
81 {
82 return static::renderStatic(
83 array(
84 'parseFuncTSPath' => $parseFuncTSPath,
85 ),
86 $this->buildRenderChildrenClosure(),
87 $this->renderingContext
88 );
89 }
90
91 /**
92 * @param array $arguments
93 * @param callable $renderChildrenClosure
94 * @param RenderingContextInterface $renderingContext
95 *
96 * @return string
97 */
98 public static function renderStatic(array $arguments, \Closure $renderChildrenClosure, RenderingContextInterface $renderingContext)
99 {
100 $parseFuncTSPath = $arguments['parseFuncTSPath'];
101 if (TYPO3_MODE === 'BE') {
102 GeneralUtility::deprecationLog('The usage of the viewhelper "f:format.html" in the backend context is discouraged, and will stop working with CMS 9. '
103 . 'Use the viewhelper "f:format.raw" instead.');
104 self::simulateFrontendEnvironment();
105 }
106 $value = $renderChildrenClosure();
107 $contentObject = GeneralUtility::makeInstance(ContentObjectRenderer::class);
108 $content = $contentObject->parseFunc($value, array(), '< ' . $parseFuncTSPath);
109 if (TYPO3_MODE === 'BE') {
110 self::resetFrontendEnvironment();
111 }
112 return $content;
113 }
114
115 /**
116 * Copies the specified parseFunc configuration to $GLOBALS['TSFE']->tmpl->setup in Backend mode
117 * This somewhat hacky work around is currently needed because the parseFunc() function of \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer relies on those variables to be set
118 *
119 * @return void
120 */
121 protected static function simulateFrontendEnvironment()
122 {
123 self::$tsfeBackup = isset($GLOBALS['TSFE']) ? $GLOBALS['TSFE'] : null;
124 $GLOBALS['TSFE'] = new \stdClass();
125 $GLOBALS['TSFE']->tmpl = new \stdClass();
126 $objectManager = GeneralUtility::makeInstance(ObjectManager::class);
127 $configurationManager = $objectManager->get(ConfigurationManagerInterface::class);
128 $GLOBALS['TSFE']->tmpl->setup = $configurationManager->getConfiguration(ConfigurationManagerInterface::CONFIGURATION_TYPE_FULL_TYPOSCRIPT);
129 }
130
131 /**
132 * Resets $GLOBALS['TSFE'] if it was previously changed by simulateFrontendEnvironment()
133 *
134 * @return void
135 * @see simulateFrontendEnvironment()
136 */
137 protected static function resetFrontendEnvironment()
138 {
139 $GLOBALS['TSFE'] = self::$tsfeBackup;
140 }
141 }