Breaking: #96831 - Enforce HTML sanitizer during frontend rendering

Description

TYPO3 security fix TYPO3-CORE-SA-2021-013 introduced Composer package typo3/html-sanitizer to mitigate cross-site scripting vulnerabilities in rich-text content. In order to relax the strict invocation, a corresponding feature flag has been added in a follow-up release - which only was a temporary solution.

The feature flag security.frontend.htmlSanitizeParseFuncDefault is dropped, and content processing via TypoScript stdWrap.parseFunc now enables HTML sanitization per default in case it has not been disabled explicitly in corresponding invocation.

Sites that used a version prior to TYPO3 v12.0 received a corresponding deprecation message already.

Impact

Rich-text content processed with TypoScript stdWrap.parseFunc is HTML sanitized per default. Feature flag security.frontend.htmlSanitizeParseFuncDefault does not have any effect anymore.

Affected Installations

All scenarios that use TypoScript stdWrap.parseFunc, a direct invocation via PHP of \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::parseFunc() or Fluid view-helper <f:format.html>.

Migration

The following documents already tackled and described the scenario and implications:

• 9.5.x: Important: #94484 - Introduce HTML Sanitizer
• 12.0: Breaking: #96520 - Enforce non-empty configuration in cObj::parseFunc