The source tag does not allow the needed attributes, but only the global ones. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/source#attributes

The figure tag is missing completely. https://developer.mozilla.org/en-US/docs/Web/HTML/Element#text_content https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure

moderation side note by @ohader

HTML-encoded <figure> tags (or others) are not a bug of the typo3/html-sanitizer library per se, but instead indicate potential misconfiguration during content rendering via Fluid templates or TypoScript instructions. It is important to understand the security impact in custom templates. The fact that "it worked before" does not mean it was properly protected against cross-site scripting.

Find details at #23: Troubleshooting "broken markup after recent TYPO3 updates"

Dear @TYPO3, @TYPO3GmbH teams,

In first, I wish you a Happy New Year 2022!

Can you see for add XMPP URI support? -> XMPP URI support must be added because there actually a problem, it is detected "mailto".

Examples:

• xmpp:[email protected]
• xmpp:[email protected]?message
• xmpp:[email protected]?join

It is a standard:

• RFC5122: https://tools.ietf.org/html/rfc5122

Thanks in advance.

Hey, I'm having issues with TYPO3 HTML rendering in version 10. Every time there is an image inside a href with little text, it splits them apart, thus destroying the link:

Original

<p>TITLE <em>ITALIC TEXT</em> basic text
<a href="PDF_LINK">→<img alt="" data-htmlarea-file-uid="1787699" src="pdf_icon.png" /></a>
</p>

f:format.html output

<p>TITLE <em>ITALIC TEXT</em> basic text
<a href="PDF_LINK" target="_blank"></a>
</p>
<p>→<img src="pdf_icon.png"></p>

I tried Slack and also read this chain of issues (https://github.com/TYPO3/html-sanitizer/issues/23), but the problem still persists.

I can swap to raw, as there are typo3 internal links, that have to be rendered, and all the possible solutions either swapped to raw and broke internal links, or did nothing.

I'm running TYPO3 v10.4.20 with html-sanitizer v2.0.9 It's also a fresh update from v9.

I've come to code where custom onclick is added to a-Tags. TYPO3 already ads an onclick to allow list for a-Tags.

I could not find any way to add another allowed value to the list. Looks like the code is too robust to allow me to add or alter the already configured behaviour. I only could remove the already build a-Tag and build it from scratch / from reading original values excluding the onclick and rebuilding it again? Do I overlook something here? How should a developer use the library in such situation, where a framework already adds configuration?

That's our code which is just not called, because TYPO3 onclick value already does not match. Further values are not checked anymore. I couldn't find a way to check whether at least one value matches.

class DefaultSanitizerBuilder extends Typo3DefaultSanitizerBuilder
{
    protected function createBasicTags(): array
    {
        $tags = parent::createBasicTags();
        // Allow onlick="econdaTrackMarker();" in addition to TYPO3 native onclick code.
        $tags['a']->getAttr('onclick')->addValues(new RegExpAttrValue('#^econdaTrackMarker\(#'));
        return $tags;
    }
}

Hi, I had the same issue as #23 with

The TYPO3 standard HTML content element uses <f:format.raw>{data.bodytext}</f:format.raw> .

We have inserted iframes like this: <iframe id="auto-iframe" name="auto-iframe" src="https://lademap.ladenetz.de/?lat=48.3434118&amp;lng=10.8921117&amp;zoom=12&amp;mode=1&amp;ivin=09ut249ugn9854h8bffd43" scrolling="no" onload="AutoiFrameAdjustiFrameHeight('auto-iframe',50);" width="100%" height="650px" frameborder="0"></iframe>

But since last T3 update it is shown plain in FE.

I tried:

page.10.stdWrap.parseFunc {
    // replace --- with soft-hyphen
    short.--- = ­
    // sanitization of ALL MARKUP is NOT DESIRED here
    htmlSanitize = 0
  }

// either disable globally
lib.parseFunc.htmlSanitize = 0
lib.parseFunc_RTE.htmlSanitize = 0

But it ist not fixed. Could you please tell me how to get it work now without htmlSanitze?

Yours, mike

I use links like webcal://domain.tld/calendar/ics for having the OS open a calendar app like Apple Calendar and offer the calendar subscription dialogue. For those links the href gets stripped from the output HTML.

It would be great to add various other common protocols like e.g. webcal, ftp, file or at least offer a simple configuration method to add these to a website instead of having to add a complicated PHP class (not to mention that at this point in time I have found a tutorial on how to allow additional tags and attributes, but not a different link protocol).

Hi,

we use the ordered bullet lists on our site, I know we can use the CSS "list-style-type" property to do the equivalent but for accessibility needs we have to use the [type], [start] and [reversed] attributes.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/ol

Thank you

XML requires that all tags be closed. htmlSanitizer will output the br Tag as <br> instead of <br />

TypoScript Workaround:

rssfeed = PAGE
rssfeed {
  typeNum = 100
  ...
  stdWrap {
    replacement
      10 {
        search = <br>
        replace = <br />
      }
    }
  }
}

error_reporting default is E_ALL & ~E_DEPRECATED & ~E_STRICT. In general, we should strive for E_ALL error free tests: This helps to find issues with younger PHP versions more quickly.

after Typo3 update to 10.4.19 or above all inserted iframes inside RTE content are broken.

In our yaml config we explicity allow iframe tags with extraAllowedContent: 'iframe[*]{*}' inside RTE content.

Example (uses preset declaring <iframe> and applies it):

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\Preset\IframePreset;

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('scenario-test')
    ->withPreset(new IframePreset());

Related: #91

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\Preset\IframePreset;

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('scenario-test')
    ->withPreset(new IframePreset());

I want to use a certain tag that should be allowed to have children. In this case I'd use ALLOW_CHILDREN as a flag on my new tag.

But what if I want to allow it only if it has a specific attribute on it, like a must-have attribute?

I can't give it both flags, only one. So I have to decide whether it shows its content or shows itself if it has an attribute, but then it doesn't render the content inside of it.

Also, what is it with PURGE_WITHOUT_CHILDREN? This can't be used since you'd have to allow children in the first place. If I use this flag, I get "Tag %s does not allow children, but shall be purged without them", what's the point of setting this flag then?

Since some versions there is a problem that iFrames are escaped in the output and the iframe is not visible. Before 10.4.18 i think it was working fine. Not the problem is that the youtube plugin for the RTE isn't working anymore.

Version is 10.4.21 (Composer latest version)

<p>&lt;iframe allowfullscreen frameborder="0" height="360"
  src="https://www.youtube.com/embed/fUEHlY8" width="640"&gt;&lt;/iframe&gt;</p>

So i have checked not a lot of tutorials and tested now over 2 hours all solutions.

In the Site TS-Config i have tested a low of things.

RTE.default.proc {
  allowTags := addToList(object,param,embed,iframe)
  allowTagsOutside := addToList(object,embed,iframe)
  entryHTMLparser_db.allowTags < .allowTags
}

But nothing is working anymore. Is there a solution or a fix to solve the Problem? Do i miss something?

To keep track of using deprecated markup, tags, attributes, a new flag shall be introduced that reflects this deprecated state.

Valid for these objects:

• Behavior\Tag
• Behavior\Attr