Security
New in version 13.1.5
Comprehensive security measures including protocol blocking, file validation, and XSS prevention.
Security features and best practices for the RTE CKEditor Image extension.
Security architecture
The extension implements security at multiple layers:
Protocol blocking
The image rendering code blocks dangerous URL protocols:
- javascript: - Prevents script execution via URLs.
- file: - Prevents local file system access.
- data:text/html - Prevents HTML injection via data URIs.
- vbscript: - Prevents VBScript execution (legacy IE).
Safe protocols allowed:
- http:// and https:// - Standard web URLs.
- / - Relative paths.
- t3:// - TYPO3 link handler URLs.
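The two lists above as an allowlist check, written here as an added example in PHP; it is not the extension's own code, and the function name isSafeImageUrl() and the sample inputs are constructed for illustration. It is allowlist-first, so it rejects every data: URI rather than only data:text/html.

```php
<?php
declare(strict_types=1);

/**
 * Returns true only for the protocols the page treats as safe:
 * http://, https://, relative paths (including /...) and t3:// URLs.
 * javascript:, file:, data:, vbscript: and any unknown scheme are rejected.
 */
function isSafeImageUrl(string $url): bool
{
    // Strip whitespace and control characters (the usual way to smuggle
    // "java\tscript:" past a naive prefix check) and lowercase for comparison.
    $normalized = strtolower((string) preg_replace('/[\x00-\x20]+/', '', $url));
    if ($normalized === '') {
        return false;
    }
    // No scheme component at all: a relative or root-relative path.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/', $normalized, $matches)) {
        return true;
    }
    // Scheme present: only the allowlisted ones pass.
    return in_array($matches[1], ['http', 'https', 't3'], true);
}

// Constructed sample inputs exercising each branch.
$samples = [
    'https://example.com/a.png',
    '/fileadmin/user_upload/a.png',
    'images/12:30.png',          // colon after a slash is not a scheme
    't3://file?uid=42',
    'javascript:alert(1)',
    ' JaVaScRiPt:alert(1)',      // leading space and mixed case
    'data:text/html,hello',
    'file:///etc/hosts',
];
foreach ($samples as $sample) {
    printf("%-36s %s\n", $sample, isSafeImageUrl($sample) ? 'allowed' : 'blocked');
}
```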
File visibility validation
Before rendering, the extension validates:
- File exists: FAL file reference must be valid.
- File accessible: File must not be hidden or restricted.
- Storage accessible: File storage must be publicly accessible.
If validation fails, the original unprocessed content is returned.
XSS prevention
All user-controlled content is sanitized:
Caption text
// Caption is sanitized with htmlspecialchars()
$caption = htmlspecialchars($rawCaption, ENT_QUOTES | ENT_HTML5, 'UTF-8');
Alt and title attributes
Alt and title text are sanitized before inclusion in HTML output.
CSS classes
CSS class names are validated and encoded to prevent attribute injection.
Immutable DTOs
The image DTO and the link DTO are declared as readonly classes:
final readonly class ImageRenderingDto
{
// Properties cannot be modified after construction
}
This ensures:
- Data integrity: Validated data cannot be corrupted.
- Audit trail: Security validation happens once, at creation.
- Thread safety: No race conditions on property access.
External link security (rel="noreferrer")
Automatic rel="noreferrer" on figure-wrapped linked images, mirroring TYPO3 typolink semantics. Closes #799 (see CHANGELOG.md for the version this shipped in).
Linked images that are wrapped in <figure> (e.g. when a caption is set) are rendered through the Fluid Link partial, which constructs the <a> tag directly rather than going through TYPO3's core link building. That means the core helper that appends rel="noreferrer" to external target="_blank" links to prevent referrer leakage never ran on this code path. The extension now mirrors the typolink semantics in PHP via its Security service.
When the rule fires
rel="noreferrer" is appended automatically when both conditions hold:
- The link target opens a new browsing context, i.e. target is set and is not one of _self, _parent, _top (case-insensitive, whitespace-tolerant per the HTML living standard).
- The URL is external, defined as either:
  - An absolute http:// or https:// URL.
  - A protocol-relative URL (e.g. //example.com/image.jpg, an RFC 3986 §4.2 network-path reference) that inherits the page scheme but resolves to a different host.
Relative paths (/fileadmin/...), fragment links (#section),
mailto: / tel: schemes, and t3:// URIs (already resolved before
this point) are treated as internal and don't trigger the addition.
Token preservation
Pre-existing rel tokens from the source <a> tag (nofollow, sponsored, noopener, custom values) are preserved through the Security service, which lowercases, deduplicates, and collapses whitespace. noreferrer is added at most once; if the source already declares it, no duplicate is appended.
Example
<a href="https://example.com" target="_blank">
<img src="/fileadmin/_processed_/image.jpg" alt="..." />
</a>
After rendering through the figure-wrapped path:
<!-- rel="noreferrer" injected automatically -->
<figure>
<a href="https://example.com" target="_blank" rel="noreferrer">
<img src="/fileadmin/_processed_/image.jpg" alt="..." />
</a>
<figcaption>...</figcaption>
</figure>
Internal links (e.g. /about or t3://) and links without
a target continue to render without rel, matching typolink behavior.
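The rule from the "When the rule fires" and "Token preservation" sections, as an added example in PHP that is not the extension's own code: the helper name computeRel(), the page host, and the sample links are constructed for illustration, and t3:// URIs are treated as already resolved (internal), as the text describes.

```php
<?php
declare(strict_types=1);

/**
 * Returns the rel attribute value to render for a linked image, or null
 * when no rel attribute should be emitted at all.
 */
function computeRel(string $href, ?string $target, ?string $rel, string $pageHost): ?string
{
    // 1. Does the target open a new browsing context? Case-insensitive,
    //    whitespace-tolerant; an empty target counts as "not set".
    $t = strtolower(trim((string) $target));
    $opensNewContext = $t !== '' && !in_array($t, ['_self', '_parent', '_top'], true);

    // 2. Is the URL external? Absolute http(s) always is; a network-path
    //    reference (//host/...) only when it points at a different host.
    $isExternal = false;
    if (preg_match('#^https?://#i', $href) === 1) {
        $isExternal = true;
    } elseif (str_starts_with($href, '//')) {
        $host = parse_url('http:' . $href, PHP_URL_HOST);
        $isExternal = is_string($host) && strcasecmp($host, $pageHost) !== 0;
    }
    // Relative paths, fragments, mailto:/tel: and t3:// stay internal.

    // 3. Normalise pre-existing tokens: lowercase, collapse whitespace, dedupe.
    $tokens = preg_split('/\s+/', strtolower(trim((string) $rel)), -1, PREG_SPLIT_NO_EMPTY) ?: [];
    $tokens = array_values(array_unique($tokens));

    // 4. Add noreferrer at most once, only when both conditions hold.
    if ($opensNewContext && $isExternal && !in_array('noreferrer', $tokens, true)) {
        $tokens[] = 'noreferrer';
    }
    return $tokens === [] ? null : implode(' ', $tokens);
}

// Constructed sample inputs; the page host is assumed to be www.example.com.
$cases = [
    ['https://example.com', '_blank', null],                 // external, new context
    ['https://example.com', '_blank', 'nofollow noopener'],  // existing tokens kept
    ['https://example.com', ' _BLANK ', 'NoReferrer'],       // already declared, no duplicate
    ['//cdn.example.org/img.jpg', '_blank', null],           // network-path, other host
    ['//www.example.com/img.jpg', '_blank', null],           // network-path, same host
    ['/about', '_blank', null],                              // internal path
    ['https://example.com', '_self', null],                  // same browsing context
];
foreach ($cases as [$href, $target, $rel]) {
    var_dump(computeRel($href, $target, $rel, 'www.example.com'));
}
```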
SVG security
Warning
SVG files can contain embedded JavaScript and are potential XSS vectors. The extension does not sanitize SVG content.
Recommendations:
- Sanitize before upload: Use server-side SVG sanitization libraries.
- Restrict uploads: Consider limiting SVG uploads to trusted users.
- Content Security Policy: Implement CSP headers to mitigate XSS risks.
Note
The allow option was removed in v13.1.5 due to security
concerns. SVG files are now handled via the standard image workflow
with automatic noScale mode.
Best practices
File upload restrictions
Configure allowed file extensions in TYPO3:
$GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext'] = 'gif,jpg,jpeg,png,webp';
Restrict in RTE configuration:
editor:
  externalPlugins:
    typo3image:
      allowedExtensions: "jpg,jpeg,png,gif,webp"
Backend user permissions
- Configure appropriate file mounts for backend users.
- Restrict upload folder access to necessary directories.
- Use TYPO3 backend user groups for granular control.
Content Security Policy
Implement CSP headers for additional protection:
Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:;"
External image fetching
The fetchExternalImages option downloads external images to FAL:
$GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['rte_ckeditor_image'] = [
'fetchExternalImages' => true, // Recommended: download to local storage
];
This prevents:
- Hotlinking to external resources.
- Privacy leaks via external image loading.
- Broken images when external sources change.
Regular updates
Keep the extension and TYPO3 core updated to receive security patches:
composer update netresearch/rte-ckeditor-image
Security reporting
Report security vulnerabilities to:
- TYPO3 Security Team: security@typo3.org
- Extension maintainer: Via GitHub issues (for non-critical issues)