Breaking: #96831 - Enforce HTML sanitizer during frontend rendering

See forge#96831


TYPO3 security fix TYPO3-CORE-SA-2021-013 introduced the Composer package typo3/html-sanitizer to mitigate cross-site scripting vulnerabilities in rich-text content. To relax the strict invocation, a corresponding feature flag was added in a follow-up release, which was only intended as a temporary solution.

The feature flag security.frontend.htmlSanitizeParseFuncDefault is dropped, and content processing via TypoScript stdWrap.parseFunc now enables HTML sanitization by default unless it has been disabled explicitly in the corresponding invocation.

Sites running a version prior to TYPO3 v12.0 have already received a corresponding deprecation message.


Rich-text content processed with TypoScript stdWrap.parseFunc is HTML-sanitized by default. The feature flag security.frontend.htmlSanitizeParseFuncDefault no longer has any effect.

Affected Installations

All scenarios that use TypoScript stdWrap.parseFunc, a direct PHP invocation of \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::parseFunc(), or the Fluid view helper <f:format.html>.
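To see what the default now does to rich-text content, the following added example (not code from the TYPO3 changelog or the core) runs the same typo3/html-sanitizer CommonBuilder that stdWrap.parseFunc applies, but outside of a TYPO3 request. It assumes the package is installed via Composer and that vendor/autoload.php sits next to the script; the sample HTML is constructed.

```php
<?php
// Added example, not part of the TYPO3 changelog or core.
// Assumes: composer require typo3/html-sanitizer, autoloader at ./vendor/autoload.php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Builder\CommonBuilder;

/**
 * Applies the CommonBuilder sanitizer, i.e. the behaviour that
 * stdWrap.parseFunc now applies by default unless the invocation
 * explicitly sets htmlSanitize = 0.
 */
function sanitizeRichText(string $html): string
{
    $sanitizer = (new CommonBuilder())->build();
    return $sanitizer->sanitize($html);
}

// Constructed sample: a benign paragraph plus a script element and an
// inline event handler, i.e. the kind of markup the sanitizer exists to neutralize.
$richText = '<p>Hello <b>editor</b></p>'
    . '<script>console.log("not allowed")</script>'
    . '<a href="https://example.org" onclick="console.log(1)">link</a>';

// The script element and the onclick attribute cannot execute in the output;
// the paragraph, bold text and the https link survive.
echo sanitizeRichText($richText), PHP_EOL;

// Inside TYPO3 the equivalent configuration (assumed keys, see the core
// TypoScript reference for parseFunc) is:
//   lib.parseFunc_RTE.htmlSanitize = 1           (now the default, no need to set it)
//   lib.parseFunc_RTE.htmlSanitize.build = default
// Only an explicit htmlSanitize = 0 in that invocation, or
// $cObj->parseFunc($html, ['htmlSanitize' => 0]) in PHP, opts out; reserve
// that for content whose authors are fully trusted.
```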


The following documents have already described the scenario and its implications: