Daniel Siepmann - Friendica | TYPO3 Commits @ Daniel Siepmann

TYPO3 Commits

typo3commits@friendica.daniel-siepmann.de

All commits to TYPO3 main branch, taken from GitHub feed: https://github.com/TYPO3/typo3/commits.atom

(News)

https://daniel-siepmann.de/typo3-fediverse-news-accounts.html

TYPO3 Commits

10 months ago from Feed

TYPO3 Commits
10 months ago from Feed

[TASK] Deprecate type="none" "pass_content"

The "pass_content" flag for TCA type="none" is
a potential security risk and should be removed.

A bug in the implementation did not surface the
security risk until now, but instead of fixing the
bug, we deprecate this toggle entirely since the
toggle had no effect for a long time anyways.

Resolves: #99523
Related: #99522
Releases: main
Change-Id: I911f8f69bf49a21280d661d63de5aaf508bcef2f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77359
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

[TASK] Deprecate type="none" "pass_content" · TYPO3/typo3@da35ce4

The "pass_content" flag for TCA type="none" is a potential security risk and should be removed. A bug in the implementation did not surface the security risk until now, but ins...

^GitHub

#99522 #99523

TYPO3 Commits

10 months ago from Feed

TYPO3 Commits
10 months ago from Feed

[BUGFIX] Avoid double hsc() in NoneElement

TCA "type=none" with "pass_content=false" (styleguide
elements basic none_2) or without pass_content at
all (styleguide elements basic none_4) double
encodes the value. Testable using styleguide with
some DB value like "l<u>i</u>p", which needs to be
manually put into DB since none fields do not persist
data using the backend.

Note pass_content=true is documented to not hsc()
the value at all, which is not true since TYPO3 v7, a
htmlspecialchars() is still applied.

Not encoding HTML is a potential security risk, so
the patch now only fixes the "pass_content=false" and
"not set" scenario to no longer double encode, and
another patch will remove the pass_content option in v12
entirely with a TCA migration and deprecation note
stating the option did not work since 2017 anyways.

Resolves: #99522
Releases: main, 11.5
Change-Id: Ic19ad991d0f17925d5f56fb34126a7cf8f6e6aab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77355
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: core-ci <typo3@b13.com>

[BUGFIX] Avoid double hsc() in NoneElement · TYPO3/typo3@9dd9106

TCA "type=none" with "pass_content=false" (styleguide elements basic none_2) or without pass_content at all (styleguide elements basic none_4) double encodes the value. Testable...

^GitHub

#99522

⇧