Breaking: #96831 - Enforce HTML sanitizer during frontend rendering
See forge#96831
Description
TYPO3 security fix TYPO3-CORE-SA-2021-013 introduced the Composer package typo3/html-sanitizer to mitigate cross-site scripting vulnerabilities in rich-text content. To relax the strict invocation, a corresponding feature flag was added in a follow-up release, which was only intended as a temporary solution.

The feature flag security.frontend.htmlSanitizeParseFuncDefault is dropped, and content processing via TypoScript stdWrap.parseFunc now enables HTML sanitization by default unless it has been disabled explicitly in the corresponding invocation.

Sites that used a version prior to TYPO3 v12.0 already received a corresponding deprecation message.
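As an added illustration, not part of this changelog, the TypoScript below shows how a parseFunc configuration states the sanitizer setting explicitly instead of relying on the (now dropped) feature flag. The htmlSanitize property is a stdWrap.parseFunc option of TYPO3 Core, CommonBuilder is the default builder shipped with typo3/html-sanitizer, and lib.parseFunc_RTE is the commonly used shared RTE rendering path, assumed here.

```typoscript
lib.parseFunc_RTE {
    # Since this change sanitization is on by default; this line only makes the intent explicit.
    htmlSanitize = 1
    # Optional: select the builder that defines the allowed tags and attributes.
    # CommonBuilder is the default bundled with typo3/html-sanitizer.
    htmlSanitize.build = TYPO3\HtmlSanitizer\Builder\CommonBuilder
}

# Only an explicit "htmlSanitize = 0" in a particular parseFunc invocation switches
# the sanitizer off there; with the feature flag gone, that per-invocation setting is
# the sole opt-out and should stay limited to content produced by fully trusted editors.
```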
Impact
Rich-text content processed with TypoScript stdWrap.parseFunc is HTML-sanitized by default. The feature flag security.frontend.htmlSanitizeParseFuncDefault no longer has any effect.
Affected Installations
All scenarios that use TypoScript stdWrap.parseFunc, a direct invocation via PHP of \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::parseFunc(), or the Fluid view-helper <f:format.html>.
Migration
The following documents already tackled and described the scenario and implications: