    [SECURITY] Ensure XSS-safe rich text rendering · 3dca584c
    Oliver Hader authored and committed
    Due to missing internal handling of provided RTE configuration, it
    was possible to directly persist XSS in database fields. Unless full-blown
    backend RTE tag configuration is available, this patch still
    allows persisting potentially malicious data - which is not reflected
    in the backend user interface - but to be sanitized during frontend
    rendering (see below).
    
    Corresponding configuration directives (`removeTags`, `allowedAttribs`)
    are now considered again. Besides that, a new but simplified sequential
    HTML parser ensures that runaway node boundaries are detected & denied.
    
    To sanitize and purge XSS from markup during frontend rendering, a new
    custom HTML sanitizer has been introduced, based on `masterminds/html5`.
    Both `DefaultBuilder` and `CommonVisitor` provide common configuration
    which is in line with expected tags that are allowed in backend RTE.
    Using a custom builder instance, it is possible to adjust for individual
    demands - however, configuration possibilities cannot be modified using
    TypoScript - basically since the existing syntax does not cover all
    necessary scenarios.
    
    Resolves: #94375
    Related: #83027
    Related: #94484
    Releases: master, 11.3, 10.4, 9.5
    Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
    Security-Bulletin: TYPO3-CORE-SA-2021-013
    Security-References: CVE-2021-32768
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70345
    
    
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
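The commit message describes the defensive pattern behind the fix: an allow-list of tags and per-tag attributes (the `removeTags` / `allowedAttribs` idea), a sequential parser that refuses runaway node boundaries, and sanitization of persisted markup at frontend render time. The following is an added illustration of that pattern in Python, not TYPO3's own sanitizer and not the `masterminds/html5`-based code the commit introduces; the tag and attribute lists, the `DROP_WITH_CONTENT` set and the `sanitize` helper are constructed assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list, modelled on the commit's "tags allowed in the
# backend RTE" idea. Hypothetical configuration, not TYPO3's actual defaults.
ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "a", "ul", "ol", "li", "br", "h2", "h3"}
VOID_TAGS = {"br"}
# Per-tag allowed attributes; "*" applies to every allowed tag.
ALLOWED_ATTRIBS = {"a": {"href", "title"}, "*": {"class"}}
# Elements whose text content must not leak through when the element is removed.
DROP_WITH_CONTENT = {"script", "style"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowListSanitizer(HTMLParser):
    """Sequential parser: unknown tags are dropped, unsafe attributes are
    stripped, stray end tags are ignored and unclosed elements are closed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # rendered output fragments
        self.open = []      # stack of currently open allowed elements
        self.suppress = 0   # depth inside script/style, whose text is discarded

    def _attr_allowed(self, tag, name, value):
        if name not in ALLOWED_ATTRIBS.get(tag, set()) | ALLOWED_ATTRIBS["*"]:
            return False
        if name == "href":
            # Reject javascript:, data: and other non-allow-listed URL schemes.
            return (value or "").strip().lower().startswith(SAFE_URL_PREFIXES)
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.suppress += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag removed; its text content still passes through, escaped
        kept = [(n, v) for n, v in attrs if self._attr_allowed(tag, n, v)]
        rendered = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax such as <p/> or <script/> is treated as open+close.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.suppress:
                self.suppress -= 1
            return
        if tag not in self.open:
            return  # end tag without a matching open element: boundary denied
        # Close everything opened after the matching element, then the element.
        while self.open:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if self.suppress:
            return
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are removed entirely

    def result(self):
        # Close any element left open at end of input so nothing runs away.
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    """Return an allow-list-sanitized version of the given HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input exercising each rule.
    sample = '<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:alert(1)" title="t">x</a></p><b>bold<i>both</b>stray</i><p>unterminated'
    print(sanitize(sample))
```

The parser keeps the allow-list strict on both axes: a tag that is not listed is dropped while its text survives escaped, except for `script`/`style` whose content is discarded, and attributes survive only if listed for that tag and, for `href`, only with an allow-listed URL prefix. Tag balancing is enforced sequentially: a closing tag with no matching open element is ignored, and the remaining stack is closed at end of input.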