Commit c81483f4 authored by Torben Hansen's avatar Torben Hansen Committed by Oliver Hader

[BUGFIX] Accept JS spam protected email addresses

When TYPO3 is configured to spam protect email
addresses using an offset, then the HTML sanitizer
introduced in #94375 will remove the generated
JavaScript in the href link attribute.

This change makes the HTML sanitizer aware of the
`javascript:linkTo_UnCryptMailto` pattern for the href
attribute.

Resolves: #94776
Releases: master, 11.3, 10.4, 9.5
Change-Id: If5f4ab22a686274401390a66b580a24e6d5a8f0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70415


Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 988de489
......@@ -40,10 +40,13 @@ class DefaultSanitizerBuilder extends CommonBuilder
);
// + starting with `t3://`
$isTypo3Uri = new Behavior\RegExpAttrValue('#^t3://#');
// + TYPO3 spam protected email address using JavaScript
$isSpamProtectedEmailUri = new Behavior\RegExpAttrValue('#^javascript:linkTo_UnCryptMailto#');
// extends common attributes for TYPO3-specific URIs
$this->srcAttr->addValues($isOnCurrentHost);
$this->srcsetAttr->addValues($isOnCurrentHost);
$this->hrefAttr->addValues($isOnCurrentHost, $isTypo3Uri);
$this->hrefAttr->addValues($isOnCurrentHost, $isTypo3Uri, $isSpamProtectedEmailUri);
// @todo `style` used in Introduction Package, inline CSS should be removed
$this->globalAttrs[] = new Behavior\Attr('style');
......
......@@ -106,6 +106,18 @@ class DefaultSanitizerBuilderTest extends FunctionalTestCase
'<a href="tel:123456789" role="button">value</a>',
'<a href="tel:123456789" role="button">value</a>',
],
'#056' => [
// config.spamProtectEmailAddresses = [n]
'<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">email(at)domain.tld</a>',
'<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">email(at)domain.tld</a>',
],
'#057' => [
// config.spamProtectEmailAddresses = ascii
'<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#111;&#109;&#101;&#46;&#98;&#111;&#100;&#121;&#64;&#116;&#101;&#115;&#116;&#46;&#116;&#121;&#112;&#111;&#51;&#46;&#111;&#114;&#103;">some.body(at)test.typo3(dot)org</a>',
// HTML entity encoding is not really a "protection", `Masterminds/html5-php` per default
// decodes those entities, which is good to have normalized attr values
'<a href="mailto:some.body@test.typo3.org">some.body(at)test.typo3(dot)org</a>',
],
'#090' => [
'<p data-bool><span data-bool><strong data-bool>value</strong></span></p>',
'<p data-bool><span data-bool><strong data-bool>value</strong></span></p>'
......
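Review bot: Fixture `'#056'` only pins the accepted form of the spam-protected `href`; there is no negative case for a value that begins with `javascript:linkTo_UnCryptMailto` but continues with further script, and that is exactly what the builder's new pattern `#^javascript:linkTo_UnCryptMailto#` still admits, because it is anchored at `^` only. Browsers percent-decode a `javascript:` URL before evaluating it, so the accepting pattern should end in `$` and constrain the argument of the `linkTo_UnCryptMailto(...)` call to a character class that cannot decode to `'`, `)` or `;`, rather than matching a bare prefix; the exact class has to be derived from what the core's encoder emits (the fixture shows letters, digits and `%XX` escapes). Add a fixture next to `'#056'` whose input carries trailing script after the call and whose expected output has the `href` dropped, so this functional test catches the regression. I cannot tell from this hunk how the sanitizer renders an anchor whose `href` was removed, so the expected string for that fixture should be taken from an existing dropped-attribute case in this file.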