[TYPO3-dev] typo3 6.2.16, security fix - Escape caption

Jigal van Hemert jigal.van.hemert at typo3.org
Sun Dec 20 21:14:29 CET 2015


Hi,

On 20/12/2015 18:06, Alex Tuveri wrote:
> 2015-12-15  420f5ed  #41690          [SECURITY] Escape caption of media
> using css_styled_content (Georg Ringer)
> ..
>
> on my experience this caused to some (my) sites some problem displaying
> the HTML used within caption.
>
> This is not good, two sites result broken -  however I restored the
> previous behaviour overriding:
>
> tt_content.image.20.caption.1.1.htmlSpecialChars = 1
>
> with
>
> tt_content.image.20.caption.1.1.htmlSpecialChars = 0

Previously it also had:

tt_content.image.20.caption.1.1.parseFunc =< lib.parseFunc

However, the field for captions is a textarea and not an RTE, so it's 
not necessary to parse anything; htmlSpecialChars is correct here to 
prevent editors from injecting "evil" stuff in the caption and it being 
displayed as such in the frontend.

If you are very sure that no editor will do this (perhaps because you 
are the only person maintaining the content) you could override the 
change. It's your own responsibility now.

> may be this is not good. I hope someone can consider to add some TS to
> allow a list of HTML tags such as:
> h1,h2,h3, p,strong and others useful to use caption in conjunction with
> styles to obtain special effects.

It's very hard to do this in a way that no "evil" code can be injected. 
The only solution would be to use a full blown HTML parser, but this 
takes quite a bit of processing power and is usually not worth the effort.

-- 
Jigal van Hemert
TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!
Get involved: typo3.org
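As an added illustration (example code, not part of the thread or of TYPO3 itself), the three caption renderings discussed above side by side in plain PHP: the escaped output that htmlSpecialChars = 1 produces, the raw output of the old behaviour, and a naive tag allowlist of the kind Alex asks for. The wrapper markup and the CSS class name are simplified assumptions; the captions are constructed sample values.

```php
<?php
// Constructed sample captions as an editor might type them into the textarea.
const CAPTION_PLAIN = 'Sunset over the <strong>harbour</strong>';
const CAPTION_HOSTILE = '<strong onmouseover="runSomething()">harbour</strong>';

/**
 * htmlSpecialChars = 1 (the behaviour of fix #41690): the caption is shown
 * literally, so any markup an editor types appears as text, never as HTML.
 */
function renderCaptionEscaped(string $caption): string
{
    // Assumed wrapper markup, simplified from what css_styled_content emits.
    return '<div class="csc-textpic-caption">'
        . htmlspecialchars($caption, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

/**
 * htmlSpecialChars = 0 (the previous behaviour): editor markup is output as-is,
 * which is why the sites in the thread rendered HTML from captions.
 */
function renderCaptionRaw(string $caption): string
{
    return '<div class="csc-textpic-caption">' . $caption . '</div>';
}

/**
 * A tag allowlist done the naive way with strip_tags(). strip_tags() keeps
 * attributes on the tags it allows, so an event-handler attribute on an
 * allowed <strong> survives. Filtering attributes as well needs a real HTML
 * parser, which is the point Jigal makes about cost.
 */
function renderCaptionAllowlist(string $caption): string
{
    $allowed = '<h1><h2><h3><p><strong>';
    return '<div class="csc-textpic-caption">'
        . strip_tags($caption, $allowed)
        . '</div>';
}

foreach ([CAPTION_PLAIN, CAPTION_HOSTILE] as $caption) {
    echo "escaped:   " . renderCaptionEscaped($caption) . PHP_EOL;
    echo "raw:       " . renderCaptionRaw($caption) . PHP_EOL;
    echo "allowlist: " . renderCaptionAllowlist($caption) . PHP_EOL;
}
```

Running it shows that only the escaped variant neutralises the attribute in CAPTION_HOSTILE; the raw variant and the allowlist variant both pass it through to the frontend.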
