Breaking: #96831 - Enforce HTML sanitizer during frontend rendering
TYPO3 security fix TYPO3-CORE-SA-2021-013 introduced the Composer package typo3/html-sanitizer to mitigate cross-site scripting vulnerabilities in rich-text content. To relax the strict invocation, a corresponding feature flag was added in a follow-up release, which was only intended as a temporary solution.
The feature flag security.frontend.htmlSanitizeParseFuncDefault has been dropped. Content processing via stdWrap.parseFunc now enables HTML sanitization by default unless it has been disabled explicitly in the corresponding invocation.
Sites that used a version prior to TYPO3 v12.0 already received a corresponding deprecation message.
Rich-text content processed with TypoScript stdWrap.parseFunc is HTML sanitized by default.
The feature flag security.frontend.htmlSanitizeParseFuncDefault no longer has any effect.
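The sanitization that stdWrap.parseFunc now applies by default can be exercised directly against the typo3/html-sanitizer package, which is useful for a site-level regression test after the upgrade. The following PHP is an added example, not code from the TYPO3 changelog or core; it assumes the package is installed via Composer and uses the library's CommonBuilder rule set as a stand-in for whatever builder the site actually configures.

```php
<?php
// Added example (not part of the TYPO3 changelog or core). Assumes the
// typo3/html-sanitizer package is installed via Composer; CommonBuilder is
// that package's general-purpose rule set and stands in here for the builder
// a TYPO3 site actually configures for parseFunc.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Builder\CommonBuilder;

/**
 * Sanitize rich-text HTML with the package's common rule set, i.e. the kind
 * of processing parseFunc now performs unless a site disables it explicitly.
 */
function sanitizeRichText(string $html): string
{
    static $sanitizer = null;
    if ($sanitizer === null) {
        $sanitizer = (new CommonBuilder())->build();
    }
    return $sanitizer->sanitize($html);
}

/**
 * Post-condition a site test can assert on rendered output: no script
 * elements and no inline event-handler attributes may survive.
 */
function looksSanitized(string $html): bool
{
    return preg_match('/<script\b/i', $html) !== 1
        && preg_match('/\son[a-z]+\s*=/i', $html) !== 1;
}

// Constructed sample of stored rich text (placeholder content, not taken from
// any real site): benign markup mixed with markup the sanitizer should drop.
$stored = '<p onclick="x()">Hello <b>world</b></p><script>alert(1)</script>'
    . '<a href="https://example.org/">ok</a>';

$clean = sanitizeRichText($stored);

// Run the check on the raw input and on the sanitized result side by side.
var_dump(looksSanitized($stored));
var_dump(looksSanitized($clean));
echo $clean, PHP_EOL;
```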
All scenarios that use TypoScript stdWrap.parseFunc, a direct invocation via PHP of \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::parseFunc() or Fluid
The following documents already tackled and described the scenario and implications: