• Oliver Hader's avatar
    [SECURITY] Ensure XSS-safe rich text rendering · 3dca584c
    Oliver Hader authored and Oliver Hader's avatar Oliver Hader committed
    Due to missing internal handling of provided RTE configuration, it
    was possible to directly persist XSS in database fields. Unless full
    blown backend RTE tag configuration is available, this patch still
    allows persisting potentially malicious data - which is not reflected
    in the backend user interface - but to be sanitized during frontend
    rendering (see below).
    Corresponding configuration directives (`removeTags`, `allowedAttribs`)
    are now considered again. Besides that a new, but simplified sequential
    HTML parser ensures that runaway node-boundaries are detected & denied.
    To sanitize and purge XSS from markup during frontend rendering, new
    custom HTML sanitizer has been introduced, based on `masterminds/html5`.
    Both `DefaultBuilder` and `CommonVisitor` provide common configuration
    which is in line with expected tags that are allowed in backend RTE.
    Using a custom builder instance, it is possible to adjust for individual
    demands - however, configuration possibilities cannot be modified using
    TypoScript - basically since the existing syntax does not cover all
    necessary scenarios.
    Resolves: #94375
    Related: #83027
    Related: #94484
    Releases: master, 11.3, 10.4, 9.5
    Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
    Security-Bulletin: TYPO3-CORE-SA-2021-013
    Security-References: CVE-2021-32768
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70345
    Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Analyzing file…