Hi,
I had the same issue as #23 with

As you can see in the attachment, the "font" tags are outputed.
(possible attributes: "font", "color", "size").

Please add it to TYPO3\HtmlSanitizer\Builder\CommonBuilder.
Or, if you prefer, delete them altogether (since this is not an HTML5 standard).

According to #23

Thank you.

Since some versions there is a problem that iFrames are escaped in the output and the iframe is not visible. Before 10.4.18 i think it was working fine. Not the problem is that the youtube plugin for the RTE isn't working anymore.

Version is 10.4.21 (Composer latest version)

<p>&lt;iframe allowfullscreen frameborder="0" height="360"
  src="https://www.youtube.com/embed/fUEHlY8" width="640"&gt;&lt;/iframe&gt;</p>

So i have checked not a lot of tutorials and tested now over 2 hours all solutions.

In the Site TS-Config i have tested a low of things.

RTE.default.proc {
  allowTags := addToList(object,param,embed,iframe)
  allowTagsOutside := addToList(object,embed,iframe)
  entryHTMLparser_db.allowTags < .allowTags
}

But nothing is working anymore. Is there a solution or a fix to solve the Problem? Do i miss something?

I use links like webcal://domain.tld/calendar/ics for having the OS open a calendar app like Apple Calendar and offer the calendar subscription dialogue. For those links the href gets stripped from the output HTML.

It would be great to add various other common protocols like e.g. webcal, ftp, file or at least offer a simple configuration method to add these to a website instead of having to add a complicated PHP class (not to mention that at this point in time I have found a tutorial on how to allow additional tags and attributes, but not a different link protocol).

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG)
    ->withTags(
        (new Behavior\TagHandler('svg', \My\SvgTagHandler::class))

For this particular example using svg, e.g. https://github.com/darylldoyle/svg-sanitizer can be invoked in a to be defined SvgTagHandler. However, this library should stay independent from other libraries (the specific handler would be something for TYPO3 which already has a dependency on SVG Sanitizer).

The deprecation introduced with PR #98 at

I've come to code where custom onclick is added to a-Tags.
TYPO3 already ads an onclick to allow list for a-Tags.

I could not find any way to add another allowed value to the list.
Looks like the code is too robust to allow me to add or alter the already configured behaviour.
I only could remove the already build a-Tag and build it from scratch / from reading original values excluding the onclick and rebuilding it again?
Do I overlook something here? How should a developer use the library in such situation, where a framework already adds configuration?

That's our code which is just not called, because TYPO3 onclick value already does not match. Further values are not checked anymore. I couldn't find a way to check whether at least one value matches.

class DefaultSanitizerBuilder extends Typo3DefaultSanitizerBuilder
{
    protected function createBasicTags(): array
    {
        $tags = parent::createBasicTags();
        // Allow onlick="econdaTrackMarker();" in addition to TYPO3 native onclick code.
        $tags['a']->getAttr('onclick')->addValues(new RegExpAttrValue('#^econdaTrackMarker\(#'));
        return $tags;
    }
}

The TYPO3 standard HTML content element uses <f:format.raw>{data.bodytext}</f:format.raw> .

We have inserted iframes like this:
<iframe id="auto-iframe" name="auto-iframe" src="https://lademap.ladenetz.de/?lat=48.3434118&amp;lng=10.8921117&amp;zoom=12&amp;mode=1&amp;ivin=09ut249ugn9854h8bffd43" scrolling="no" onload="AutoiFrameAdjustiFrameHeight('auto-iframe',50);" width="100%" height="650px" frameborder="0"></iframe>

But since last T3 update it is shown plain in FE.

I tried:

page.10.stdWrap.parseFunc {
    // replace --- with soft-hyphen
    short.--- = ­
    // sanitization of ALL MARKUP is NOT DESIRED here
    htmlSanitize = 0
  }

// either disable globally
lib.parseFunc.htmlSanitize = 0
lib.parseFunc_RTE.htmlSanitize = 0

But it ist not fixed. Could you please tell me how to get it work now without htmlSanitze?

Yours,
mike

I want to use a certain tag that should be allowed to have children. In this case I'd use ALLOW_CHILDREN as a flag on my new tag.

But what if I want to allow it only if it has a specific attribute on it, like a must-have attribute?

I can't give it both flags, only one. So I have to decide whether it shows its content or shows itself if it has an attribute, but then it doesn't render the content inside of it.

Also, what is it with PURGE_WITHOUT_CHILDREN? This can't be used since you'd have to allow children in the first place. If I use this flag, I get "Tag %s does not allow children, but shall be purged without them", what's the point of setting this flag then?

Hello, I have no idea if I'm at the right place here or if this should be posted in the TYPO3 forge. Sorry if I'm wrong here.

I'm using an ELTS Version of TYPO3 8 with PHP 7.4.33 for my website. Since the 8.7.49 update I can't view any pages in the frontend or backend (page & list module) with the error
Argument 1 passed to TYPO3\HtmlSanitizer\Behavior\Tag::addAttrs() must be of the type array, object given, called in /var/www/html/src/vendor/typo3/cms/typo3/sysext/core/Classes/Html/DefaultSanitizerBuilder.php on line 75.

The release notes of that version show an upgrade to v.1.5.0 of the HTML-Sanitizer.

I'm not well-versed in anything programming related but opening the file from the error gives the following warning in PHPStorm:
Expected parameter of type '\TYPO3\HtmlSanitizer\Behavior\Attr[]', '\TYPO3\HtmlSanitizer\Behavior\Attr' provided

If I add back the removed brackets in the createBasicTags() and build() functions of the DefaultSanitizerBuilder class everything works again:

        return GeneralUtility::makeInstance(Sanitizer::class, $visitor);

        $tags['a']->addAttrs(
            (new Behavior\Attr('onclick'))
                ->addValues(new Behavior\RegExpAttrValue('#^openPic\(#'))
        );

turns into

        return GeneralUtility::makeInstance(Sanitizer::class, [$visitor]);

        $tags['a']->addAttrs([
            (new Behavior\Attr('onclick'))
                ->addValues(new Behavior\RegExpAttrValue('#^openPic\(#'))
        ]);

The return statement still shows the warning
Return value is expected to be '\TYPO3\HtmlSanitizer\Sanitizer', 'object|\TYPO3\CMS\Core\SingletonInterface' returned
but the frontend and backend load again.

Turning off the sanitizer via TypoScript also "fixes" the error.

I've searched in the forge and on other sites but couldn't find anyone with the same issue, but I feel like this is an issue directly in TYPO3 or the sanitizer and not in the environment.

Hey, I'm having issues with TYPO3 HTML rendering in version 10.
Every time there is an image inside a href with little text, it splits them apart, thus destroying the link:

Original

<p>TITLE <em>ITALIC TEXT</em> basic text
<a href="PDF_LINK">→<img alt="" data-htmlarea-file-uid="1787699" src="pdf_icon.png" /></a>
</p>

f:format.html output

<p>TITLE <em>ITALIC TEXT</em> basic text
<a href="PDF_LINK" target="_blank"></a>
</p>
<p>→<img src="pdf_icon.png"></p>

I tried Slack and also read this chain of issues (#23), but the problem still persists.

I can swap to raw, as there are typo3 internal links, that have to be rendered, and all the possible solutions either swapped to raw and broke internal links, or did nothing.

I'm running TYPO3 v10.4.20 with html-sanitizer v2.0.9
It's also a fresh update from v9.

The "loading"-attribute should not be filtered for <img>-tags.
see pull request #22

Dear @TYPO3, @TYPO3GmbH teams,

In first, I wish you a Happy New Year 2022!

Can you see for add XMPP URI support?
-> XMPP URI support must be added because there actually a problem, it is detected "mailto".

Examples:

• xmpp:[email protected]
• xmpp:[email protected]?message
• xmpp:[email protected]?join

It is a standard:

• RFC5122: https://tools.ietf.org/html/rfc5122

Thanks in advance.

XML requires that all tags be closed.
htmlSanitizer will output the br Tag as <br> instead of <br />

TypoScript Workaround:

rssfeed = PAGE
rssfeed {
  typeNum = 100
  ...
  stdWrap {
    replacement
      10 {
        search = <br>
        replace = <br />
      }
    }
  }
}

Up to typo3/html-sanitizer:2.0.16 is is only possible to work on DOMElement nodes using Tag declarations, DOMComment and DOMCdataSection cannot be controlled by any declaration yet. Comments and CDATA sections are implicitly allowed currently, which would have to be considered for backward compatibility, once this behavior is adjusted.

The new declaration might look like this:

use TYPO3\HtmlSanitizer\Behavior;

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_COMMENT + Behavior::ENCODE_INVALID_CDATA_SECTION)
    ->withName('scenario-test')
    ->withTags(new Behavior\Tag('div', Behavior\Tag::ALLOW_CHILDREN))
    ->withNodes(new Behavior\Comment(), new Behavior\CdataSection());

Node is a new base term for Tag, Comment and CdataSection.

after Typo3 update to 10.4.19 or above all inserted iframes inside RTE content are broken.

In our yaml config we explicity allow iframe tags with extraAllowedContent: 'iframe[*]{*}' inside RTE content.

TESTED: (Working in 10.4.18 / breaks in 10.4.19)

config {
  # ascii / -5 to 1
  spamProtectEmailAddresses = -4
  # (at)
  spamProtectEmailAddresses_atSubst = <script type="text/javascript" language="JavaScript">document.write('@');</script><noscript>@</noscript>
  # (dot)
  spamProtectEmailAddresses_lastDotSubst = <script type="text/javascript" language="JavaScript">document.write('.');</script><noscript>.</noscript>
}

output/sourcecode (yes, all the whitespaces are also rendered)

<p>
    <a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">E: mail&lt;script type="text/javascript" language="JavaScript"&gt;document.write('@');&lt;/script&gt;</a>
</p>
&lt;noscript&gt;@&lt;/noscript&gt;mail&lt;script type="text/javascript" language="JavaScript"&gt;document.write('.');&lt;/script&gt;&lt;noscript&gt;.&lt;/noscript&gt;com

output rendered:

MAIL<SCRIPT TYPE="TEXT/JAVASCRIPT" LANGUAGE="JAVASCRIPT">DOCUMENT.WRITE('@');</SCRIPT>

<noscript>@</noscript>mail<script type="text/javascript" language="JavaScript">document.write('.');</script><noscript>.</noscript>com

Expected behavior
output/sourcecode before update: (This one was working perfect!)

<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">E: mail<script type="text/javascript" language="JavaScript">document.write('@');</script>@<noscript>@</noscript>mail<script type="text/javascript" language="JavaScript">document.write('.');</script>.<noscript>.</noscript>com</a>

output rendered:

E: [email protected]

To keep track of using deprecated markup, tags, attributes, a new flag shall be introduced that reflects this deprecated state.

Valid for these objects:

• Behavior\Tag
• Behavior\Attr

TYPO3 extension form not showing correct/broken if use <f:format.html parseFuncTSPath="">:

<form enctype="multipart/form-data" method="post" id="kontaktformular-50" action="/kontakt?tx_form_formframework%5Baction%5D=perform&amp;tx_form_formframework%5Bcontroller%5D=FormFrontend&amp;cHash=d158ca0e601ac70a3252a9e6aa169797#kontaktformular-50">
<div><input type="hidden" name="tx_form_formframework[kontaktformular-50][__state]" value="TzozOToiVFlQTzNcQ01TXEZvcm1cRG9tYWluXFJ1bnRpbWVcRm9ybVN0YXRlIjoyOntzOjI1OiIAKgBsYXN0RGlzcGxheWVkUGFnZUluZGV4IjtpOjA7czoxMzoiACoAZm9ybVZhbHVlcyI7YTowOnt9fQ==1d9d97296996cb07f722d829563715ae20b1e425"><input type="hidden" name="tx_form_formframework[__trustedProperties]" value="{&quot;kontaktformular-50&quot;:{&quot;QP417ulHGiL2MCpgwFoU&quot;:1,&quot;singleselect-2&quot;:1,&quot;text-1&quot;:1,&quot;text-5&quot;:1,&quot;text-6&quot;:1,&quot;text-10&quot;:1,&quot;text-11&quot;:1,&quot;textarea-1&quot;:1,&quot;checkbox-1&quot;:1,&quot;__currentPage&quot;:1}}107a6a59c816e0c73ea65ed9777a2afdb6758376">
</div>

    <input autocomplete="QP417ulHGiL2MCpgwFoU" aria-hidden="true" id="kontaktformular-50-QP417ulHGiL2MCpgwFoU" style="position:absolute; margin:0 0 0 -999em;" tabindex="-1" type="text" name="tx_form_formframework[kontaktformular-50][QP417ulHGiL2MCpgwFoU]">

https://datatracker.ietf.org/doc/html/rfc2392

<IMG SRC="cid:foo4*[email protected]" ALT="IETF logo">
<A HREF= "mid:[email protected]/[email protected]">

cid-url := "cid" ":" content-id
mid-url := "mid" ":" message-id [ "/" content-id ]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs

• effective for src attr
• omitting mime-type means text/plain
• different for corresponding use-case (image, video, audio, ...)

Add Sanitizer deprecations again, that have been disabled in issue #99, PR #100 (after v2.1.0 release).

This issue aims to give some basic support concerning recent changes using this typo3/html-sanitizer package in order to mitigate cross-site scripting in user-submitted content.

• tracking of related issues in TYPO3 CMS (forge.typo3.org)
• documentation/explanation of HTML sanitizer (docs.typo3.org)

FAQ

Q: Will there be new TYPO3 releases?
→ A: Yes, it happened already. TYPO3 version 11.3.3, 10.4.20, 9.5.30 have been release on Aug 16th, 2021 addressing these topics.

Broken markup, e.g. <figure>, <script>, <meta> (or similar) tags shown as content

In most cases this is caused by either an explicit parseFunc invocation in TypoScript or a <f:format.html> wrapping huge generated content blocks or data from external (and safe) sources.

Caused in FLUIDTEMPLATE (TypoScript)

parseFunc in the example below implicitly triggers HTML sanitization for every markup that has been generated - and leads to removing "invalid" tags - however sanitization only should be applied to user-submitted data (like rich-text input fields).

page.10 = FLUIDTEMPLATE
page.10 {
  variables { ... }
  stdWrap.parseFunc {
    short.--- = ­
  }
}

ℹ️ How to solve?
Since parseFunc triggers sanitization, it has to be disabled in that particular scenario, using htmlSanitize = 0 like shown below

page.10 = FLUIDTEMPLATE
page.10 {
  variables { ... }
  stdWrap.parseFunc {
    short.--- = ­
    // disable sanitization for top level rendering
    htmlSanitize = 0
  }
}

Caused by <f:format.html> (Fluid)

Fluid view-helper invocation <f:format.html>{content}</f:format.html> (or its inline variant {content -> f:format.html()}) internally uses lib.parseFunc_RTE, which again invokes ContentObjectRenderer::parseFunc() and triggers HTML sanitization.

<f:format.html>{content}</f:format.html>

ℹ️ How to solve?
In case {content} consists of generated markup that can be considered "safe", and if it actually should be used as it is, one might consider using <f:format.raw> which directly passes through the given {content}.

In case {content} is directly resolved from a rich-text field, retrieved from the database (e.g. like tt_content.bodytext), one should keep <f:format.html> to ensure proper mitigation of cross-site scripting. In this case, it really might be the case, that tags and/or attributes are missing in this typo3/html-sanitizer package.

<f:format.raw>{content}</f:format.raw>
<f:comment><!-- in case content really shall be taken "as is" --></f:comment>

Otherwise, in case content from rich-text fields contains tags and/or attributes that are missing in this html-sanitizer package, please create a new issue.

Caused by <f:format.html parseFuncTSPath=""> (Fluid)

Leaving parseFuncTSPath empty still calls ContentObjectRenderer::parseFunc() internally, but without providing any configuration.

<f:format.html parseFuncTSPath="">{content}</f:format.html>

As a result, htmlSanitize property also is not given (since no parseFunc configuration was given) - but was enabled as a "strong secure default".

ℹ️ How to solve?
<f:format.html parseFuncTSPath=""> did not have much effect and behaved like <f:format.raw>.
In this scenario only the encoding behavior of Fluid was disabled, but no tags were filtered and most probably cross-site scripting was possible in these custom templates.

<f:format.raw>{content}</f:format.raw>

Missing email links, using spamProtectEmailAddresses (TypoScript)

Using TypoScript config.spamProtectEmailAddresses creates something like shown below to obfuscate email addresses. URIs starting with javascript: are (correctly) considered harmful and typically using in cross-site scripting attacks.

<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">
  info(at)example.com</a>

ℹ️ How to solve?
This is considered a bug, a corresponding fix allows URI prefix javascript:linkTo_UnCryptMailto explicitly.
→ please see https://forge.typo3.org/issues/94776

Missing table attributes from CKEditor input

CKEditor in TYPO3 CMS allows to define tables and to define (legacy) HTML attributes like align, cellspacing and similar. It has been discovered that those legacy and deprecated attributes were removed.

ℹ️ How to solve?
This is considered a bug, a corresponding fix adds these missing attribute declaration to typo3/html-sanitizer.
→ please see https://github.com/TYPO3/html-sanitizer/pull/19/files

Hi,

we use the ordered bullet lists on our site, I know we can use the CSS "list-style-type" property to do the equivalent but for accessibility needs we have to use the [type], [start] and [reversed] attributes.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/ol

Thank you

see https://github.com/tgalopin/html-sanitizer/blob/master/src/Sanitizer/StringSanitizerTrait.php#L19-L37

• probably integrate as well (source uses MIT license)
• see tgalopin/html-sanitizer#6
• credit https://github.com/tgalopin

TYPO3-Version: 9.5.30

Today we had an issue with a content element of type "table". The editor had there a <font color="#f00"> tag used to highlight specific parts of the words in a cell. Since the update from 9.5.28 to 9.5.30 this behaviour has been occurred. We now fixed it by changing <f:format.html><f:format.nl2br>{cell}</f:format.nl2br></f:format.html> to <f:format.raw><f:format.nl2br>{cell}</f:format.nl2br></f:format.html> acoording to the advice given in #23.

Kind regards!

The name ReplaceDomNodeException reflects better what it actually does. Besides that, class alias has to be added for backward compatibility.

With htmlSanitize mailto attribute is enabled, but if we have
config.spamProtectEmailAddresses = 1
then the generated tag looks like this:
<a href="javascript:linkTo_UnCryptMailto('ocknvq,hqqBdct0vnf');">foo(at)bar.tld</a>

The tag is generated before of sanitizing, and so the attribute href is being removed.

Dear @TYPO3, @TYPO3GmbH teams,

I have a problem, I do not received the lost password email from my.typo3.org.

My username is same than here.

Can you look?

Thanks in advance.

missing svg and use tag

According to #23

need other Psr/src/log

The source tag does not allow the needed attributes, but only the global ones.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/source#attributes

The figure tag is missing completely.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element#text_content
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure

moderation side note by @ohader

HTML-encoded <figure> tags (or others) are not a bug of the typo3/html-sanitizer library per se, but instead indicate potential misconfiguration during content rendering via Fluid templates or TypoScript instructions. It is important to understand the security impact in custom templates. The fact that "it worked before" does not mean it was properly protected against cross-site scripting.

Find details at #23: Troubleshooting "broken markup after recent TYPO3 updates"

see https://github.com/TYPO3/html-sanitizer/blob/HEAD/src/Builder/CommonBuilder.php#L169-L170

In order to detect potential flaws a new InitiatorInterface shall be introduced that contains individual stack-trace information and needs to be implemented by corresponding consumers (e.g. the TYPO3 CMS framework). This allows to debug invocations and their context better.