Feature: #94825 - New f:sanitize.html Fluid ViewHelper¶
See Issue #94825
A new Fluid ViewHelper
<f:sanitize.html> is available
for use in any Fluid Template.
<f:format.html> the new ViewHelper does not fully rewrite
the contents of the ViewHelper, but only cleans the HTML for
incorrect / possibly bad code.
The htmlSanitize keeps all HTML code as is, but cleans up invalid
and malicious code based on the third-party package
An optional view-helper argument
build allows using a defined preset, or a
fully qualified class name of a builder instance as alternative, which has
If not given, the configuration falls back to the best-practice
sanitization preset for TYPO3’s base RTE configuration (called “default”).
The “default” preset of
to explicitly sanitize user-submitted markup - for instance provided in
rich-text input fields using the TYPO3 backend user interface. The
default preset only supports common HTML tags and attributes that usually are
expected to be safe - for instance
similar elements are not supported (currently) and not supposed to be defined
by users or editors, but rather by the actual HTML Template which shouldn’t
be fully wrapped in
When to use the different ViewHelpers:
Use this for wrapping fields produced by RTE fields, which parses
HTML and adds attributes, replaces TYPO3-internal links to pages or files,
lib.parseFunc_RTE. For this reason, it is recommended to use
this ViewHelper mainly in Frontend rendering.
This ViewHelper calls TYPO3’s “parseFunc”, which means that
activated by default in TYPO3 installations.
<f:format.html> does HTML sanitization plus rebuilding
the HTML output based on the configuration from
This ViewHelper takes the HTML as is, and removes malicious HTML code. This is useful for HTML returned from external sources where the HTML-based content is untrusted. It can be used in Frontend and Backend environments.
This ViewHelper just outputs the content as is, including all HTML. Use this ViewHelper only if the content can be fully trusted.
All of the ViewHelpers above do not escape any of the contents.