[TYPO3-dev] typo3 6.2.16, security fix - Escape caption
Jigal van Hemert
jigal.van.hemert at typo3.org
Sun Dec 20 21:14:29 CET 2015
Hi,
On 20/12/2015 18:06, Alex Tuveri wrote:
> 2015-12-15 420f5ed #41690 [SECURITY] Escape caption of media
> using css_styled_content (Georg Ringer)
> ..
>
> In my experience this caused some (my) sites problems displaying
> the HTML used within the caption.
>
> This is not good, two sites ended up broken - however, I restored the
> previous behaviour by overriding:
>
> tt_content.image.20.caption.1.1.htmlSpecialChars = 1
>
> with
>
> tt_content.image.20.caption.1.1.htmlSpecialChars = 0
Previously it also had:
tt_content.image.20.caption.1.1.parseFunc =< lib.parseFunc
However, the field for captions is a textarea and not an RTE, so it's
not necessary to parse anything; htmlSpecialChars is correct here to
prevent editors from injecting "evil" stuff in the caption and it being
displayed as such in the frontend.
If you are very sure that no editor will do this (perhaps because you
are the only person maintaining the content) you could override the
change. It's your own responsibility now.
> Maybe this is not good. I hope someone can consider adding some TS to
> allow a list of HTML tags such as:
> h1, h2, h3, p, strong and others that are useful for using the caption in
> conjunction with styles to obtain special effects.
It's very hard to do this in a way that no "evil" code can be injected.
The only solution would be to use a full blown HTML parser, but this
takes quite a bit of processing power and is usually not worth the effort.
--
Jigal van Hemert
TYPO3 CMS Active Contributor
TYPO3 .... inspiring people to share!
Get involved: typo3.org
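The three behaviours discussed in this exchange, as an added Python illustration that is not code from the thread or from TYPO3 itself: plain escaping (what `htmlSpecialChars = 1` gives you; TYPO3's stdWrap option is built on PHP's `htmlspecialchars()`, and `html.escape` does the same kind of escaping), a quick regex tag allowlist of the sort Alex asks for, and an allowlist built on a real HTML parser, which is the "full blown parser" route Jigal describes. The sample caption and the `ALLOWED_TAGS` set (taken from the tags named in the thread) are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample caption, as an editor might type it into the caption
# textarea (hypothetical input, not taken from the mailing-list thread).
SAMPLE_CAPTION = (
    'Figure 1: <strong onclick="x()">Tower</strong> at <em>night</em> '
    '<script>steal()</script> 5 < 6 & more'
)

# Tags suggested in the thread; assumed allowlist for this example.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "strong", "em"}


def escape_caption(caption: str) -> str:
    """htmlSpecialChars = 1: every markup character is escaped, so the
    caption is shown literally and nothing the editor typed is executed."""
    return html.escape(caption, quote=True)


def naive_allowlist(caption: str, allowed=ALLOWED_TAGS) -> str:
    """A regex-based allowlist, the kind of quick fix that looks sufficient:
    unknown tags are escaped, allowed tags pass through verbatim, together
    with whatever attributes (e.g. event handlers) they carry. Text outside
    tags is not escaped at all."""

    def repl(m: re.Match) -> str:
        name = m.group(1).lower()
        return m.group(0) if name in allowed else html.escape(m.group(0))

    return re.sub(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>", repl, caption)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the caption from parsed tokens: allowed tags are re-emitted
    without any attributes, disallowed tags are dropped (their text is kept),
    and all text is escaped. Open tags are closed in order so the output
    nests properly."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.open = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.allowed and tag in self.open:
            # Close everything opened after this tag so nesting stays valid.
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_caption(caption: str, allowed=ALLOWED_TAGS) -> str:
    """Parser-based allowlist: the only variant that keeps formatting tags
    while guaranteeing no attributes or unknown markup survive."""
    p = AllowlistSanitizer(allowed)
    p.feed(caption)
    p.close()
    return p.result()


if __name__ == "__main__":
    print("escaped :", escape_caption(SAMPLE_CAPTION))
    print("naive   :", naive_allowlist(SAMPLE_CAPTION))
    print("parsed  :", sanitize_caption(SAMPLE_CAPTION))
```

Running it shows the trade-off from the thread: the escaped version is safe but renders the tags as text (the behaviour Alex saw), the regex allowlist keeps the formatting but lets the `onclick` attribute through, and only the parser-based version keeps `<strong>` and `<em>` while dropping the attribute, the `<script>` element and the stray `<` and `&`. The parser version is also the one that costs real processing per caption, which is the cost Jigal refers to.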