Skip to main content

[TASK] Deprecate type="none" "pass_content"

The "pass_content" flag for TCA type="none" is
a potential security risk and should be removed.

A bug in the implementation did not surface the
security risk until now, but instead of fixing the
bug, we deprecate this toggle entirely since the
toggle had no effect for a long time anyways.

Resolves: #99523
Related: #99522
Releases: main
Change-Id: I911f8f69bf49a21280d661d63de5aaf508bcef2f
Reviewed-by: Benni Mack <>
Tested-by: core-ci <>
Reviewed-by: Oliver Bartsch <>
Reviewed-by: Christian Kuhn <>
Tested-by: Benni Mack <>
Tested-by: Oliver Bartsch <>
Tested-by: Christian Kuhn <>

[BUGFIX] Avoid double hsc() in NoneElement

TCA "type=none" with "pass_content=false" (styleguide
elements basic none_2) or without pass_content at
all (styleguide elements basic none_4) double
encodes the value. Testable using styleguide with
some DB value like "l<u>i</u>p", which needs to be
manually put into DB since none fields do not persist
data using the backend.

Note pass_content=true is documented to not hsc()
the value at all, which is not true since TYPO3 v7, a
htmlspecialchars() is still applied.

Not encoding HTML is a potential security risk, so
the patch now only fixes the "pass_content=false" and
"not set" scenario to no longer double encode, and
another patch will remove the pass_content option in v12
entirely with a TCA migration and deprecation note
stating the option did not work since 2017 anyways.

Resolves: #99522
Releases: main, 11.5
Change-Id: Ic19ad991d0f17925d5f56fb34126a7cf8f6e6aab
Reviewed-by: Markus Klein <>
Tested-by: Christian Kuhn <>
Reviewed-by: Oliver Bartsch <>
Tested-by: Oliver Bartsch <>
Reviewed-by: Christian Kuhn <>
Tested-by: Markus Klein <>
Tested-by: core-ci <>