1. 16 Aug, 2021 2 commits
  2. 10 Aug, 2021 2 commits
    • [TASK] Set TYPO3 version to 11.3.3-dev · b4dda785
      Oliver Hader authored and Benni Mack committed
      Change-Id: I0438870130ee9be5eb1e359c922fb9b62c23d9c4
      Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70351
      Tested-by: core-ci <typo3@b13.com>
      Tested-by: Benni Mack <benni@typo3.org>
      Reviewed-by: Benni Mack <benni@typo3.org>
    • [SECURITY] Ensure XSS-safe rich text rendering · 216250a3
      Oliver Hader authored and Oliver Hader committed
      Due to missing internal handling of the provided RTE configuration, it
      was possible to directly persist XSS in database fields. Unless a
      full-blown backend RTE tag configuration is available, this patch still
      allows persisting potentially malicious data - which is not reflected
      in the backend user interface - but it is sanitized during frontend
      rendering (see below).
      
      The corresponding configuration directives (`removeTags`, `allowedAttribs`)
      are now considered again. Besides that, a new, but simplified, sequential
      HTML parser ensures that runaway node boundaries are detected & denied.
      
      To sanitize and purge XSS from markup during frontend rendering, a new
      custom HTML sanitizer has been introduced, based on `masterminds/html5`.
      Both `DefaultBuilder` and `CommonVisitor` provide common configuration
      which is in line with expected tags that are allowed in backend RTE.
      Using a custom builder instance, it is possible to adjust for individual
      demands - however, configuration possibilities cannot be modified using
      TypoScript - basically since the existing syntax does not cover all
      necessary scenarios.
      
      Resolves: #94375
      Related: #83027
      Related: #94484
      Releases: master, 11.3, 10.4, 9.5
      Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
      Security-Bulletin: TYPO3-CORE-SA-2021-013
      Security-References: CVE-2021-32768
      Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70344
      Tested-by: Oliver Hader <oliver.hader@typo3.org>
      Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  3. 09 Aug, 2021 1 commit
    • [BUGFIX] Skip range validation if input value and default are both "0" · 3c2e213a
      Nikita Hovratov authored and Oliver Hader committed
      This patch fixes a regression originally introduced in #94103. The
      problem there was simply an erroneous strict comparison, which was then
      completely removed in #94527 due to a misconception.
      
      The mentioned condition is important for date type fields with a lower
      range set in TCA. If the user doesn't provide a value for that date
      field, the range validation should be skipped. Otherwise this empty
      value would always be interpreted as 0, resulting in the validation
      changing it to the lower range value.
      
      As this is a special case, the condition was extracted and rewritten
      to only apply to this exact scenario. Other than that, the validation
      should not be skipped.
      
      An acceptance test and a unit test are added to ensure this behavior
      can't break anymore.
      
      Resolves: #94621
      Related: #94103
      Related: #94527
      Releases: master, 11.3, 10.4
      Change-Id: I54c1a815077e48064f9f6eeba9584184c5f760d7
      Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70232
      Tested-by: core-ci <typo3@b13.com>
      Tested-by: Oliver Hader <oliver.hader@typo3.org>
      Reviewed-by: Oliver Hader <oliver.hader@typo3.org>