    [BUGFIX] Adjust default behavior of HTML sanitization in parseFunc · 9d2ce55e
    Oliver Hader authored and Benni Mack committed
    As a result of TYPO3-CORE-SA-2021-013, new `htmlSanitize` behavior -
    when invoking `ContentObjectRenderer::parseFunc` - is enabled per
    default, in case it was not declared otherwise. That also happened
    when no processing configuration was given (or could be resolved).
    Without having any configuration, it was obviously not possible to
    disable `htmlSanitize`.
    
    Fluid's `HtmlViewHelper` can be used with an empty `parseFuncTSPath`
    (e.g. `<f:format.html parseFuncTSPath="">`) - due to missing (empty)
    configuration, sanitization was enabled per default in `parseFunc`.
    
    With this change, property `htmlSanitize` either needs to be enabled
    or disabled explicitly - otherwise deprecation logs will be generated.
    If not given, the fall-back behavior is inferred from the new feature
    flag `security.frontend.htmlSanitizeParseFuncDefault`.
    
    Invoking `ContentObjectRenderer::parseFunc` without any configuration
    behaves like before TYPO3-CORE-SA-2021-013 was applied - it just does
    not process anything.
    
    Resolves: #94786
    Releases: master, 11.3, 10.4, 9.5
    Change-Id: I4aee54d712ce4758f6c9c2e64a43f80b6c076406
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70588
    
    
    Tested-by: Benni Mack <benni@typo3.org>
    Tested-by: core-ci <typo3@b13.com>
    Reviewed-by: Benni Mack <benni@typo3.org>
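The practical consequence of this commit for integrators is that every `parseFunc` configuration path that renders untrusted HTML should declare `htmlSanitize` explicitly instead of relying on the inferred default. The TypoScript below is an added example, not part of the commit or of TYPO3 core: it shows the explicit form for the common `lib.parseFunc_RTE` path, and a second, hypothetical path `lib.parseFunc_trusted` (the name is an assumption) that deliberately opts out for content that is known to be authored only by trusted editors. The feature flag named in the commit message is a core feature toggle and therefore belongs in `$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']` (LocalConfiguration.php or AdditionalConfiguration.php), not in TypoScript.

```typoscript
# Added example (not from the commit): make the sanitizer decision explicit
# so the deprecation log introduced by this change never fires, and so the
# behaviour does not depend on security.frontend.htmlSanitizeParseFuncDefault.

# Path used by <f:format.html> and RTE-rendered content: untrusted HTML,
# so sanitization is switched on explicitly.
lib.parseFunc_RTE {
  htmlSanitize = 1
  # Default builder shipped with core; replace with a custom builder class
  # only if you need a different allow-list.
  htmlSanitize.build = TYPO3\CMS\Core\Html\DefaultSanitizerBuilder
}

# Hypothetical path (name is an assumption) for HTML that only trusted
# editors can write. Opting out must be a deliberate, explicit decision;
# an empty parseFuncTSPath in <f:format.html> is no longer a silent opt-out.
lib.parseFunc_trusted < lib.parseFunc_RTE
lib.parseFunc_trusted {
  htmlSanitize = 0
}
```

When auditing an installation after upgrading, grep the deprecation log for the new message as a checklist of `parseFunc` paths that still rely on the inferred default, and then decide for each one whether `htmlSanitize = 1` or an explicit `0` is the correct setting; until that is done, keep the feature flag enabled so the fall-back stays on the safe side.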