Since the release of the security patches in August 2021 that prevents Cross-Site Scripting via Rich-Text Content I noticed that the output of HTML Content Elements suddenly changed in our projects. Some tag attributes and tags got removed by the newly introduced HTML Sanitizer (when the template is modified so that t3:// style TypoLinks get rendered).
So simply overriding the default Html.html Fluid Template, changing the <f:format.raw> to <f:format.html> and adding a html decoding like in the following example is no longer sufficient.
<f:section name="Main">
<f:comment> We use this to render links and other stuff in html elements </f:comment>
<f:format.htmlentitiesDecode>
<f:format.html parseFuncTSPath="lib.parseFunc">
{data.bodytext}
</f:format.html>
</f:format.htmlentitiesDecode>
</f:section>
The easiest way to prevent changes in your html codes output provided by HTML Content Elements is to disable the sanitizer globally by adding lib.parseFunc.htmlSanitize = 0 to your TypoScript config, what is not ideal.
How can I disable the parseFunc.htmlSanitize only for this purpose?
Or is there an other solution to render TypoLinks within HTML Content Elements?
Note: You don't need to disable the HTML Sanitizer if you do not override the Html.html template!
Simply make a copy of lib.parseFunc and disable the sanitizer in this copy.
lib.parseHtmlFunc < lib.parseFunc
lib.parseHtmlFunc.htmlSanitize = 0
Then use this lib in your Html.html template.
<f:section name="Main">
<f:comment> We use this to render links and other stuff in html elements </f:comment>
<f:format.htmlentitiesDecode>
<f:format.html parseFuncTSPath="lib.parseHtmlFunc">
{data.bodytext}
</f:format.html>
</f:format.htmlentitiesDecode>
</f:section>
Thanks to #OliverHader for bringing me to the right track.
Related
What is the correct way of adding CSS to the public folder of an extension? What do I need to do in order for that CSS to be loaded in.
For example I have the following structure:
Public/Css/style.css
Configuration/TypoScript/setup.typoscript
Configuration/TypoScript/constants.typoscript
Would I have to add some code in setup.typoscript?
Since TYPO3 8.7 you can add HTML to the header or footer from your Fluid template using the HeaderAssets and FooterAssets sections. For example:
<f:section name="HeaderAssets">
<link rel="stylesheet" href="{f:uri.resource(path: 'Css/styles.css')}"/>
</f:section>
The advantage of this over page.includeCSS is that it is only included whenever that template is rendered, instead of on all pages.
Your CSS has to be in:
extensionkey/Resources/Public/Css/
And then in your typoscript (setup) you can add:
page.includeCSS.csskey = EXT:extensionkey/Resources/Public/Css/style.css
The "csskey" has to be unique identifier.
I'm a typo newbie, and was wondering, how I can make the following code work in my HTML Template file:
<img src="EXT:extension-name/Resources/Public/Images/Logo/logo-white.png" alt="logo.png">
Looking forward to your anwers, thanks.
This cannot be done in an HTML file but within a Fluid template file you should use the uri.resource viewhelper:
<img src="{f:uri.resource(path: 'Images/Logo/logo-white.png')}" alt="Actual explanation of the logo content">
If used within an Extbase plugin there is nothing else to do.
For templates using the FLUIDTEMPLATE content object you'll need to set the extension name, for example with an extensionName: 'MyExt' as argument:
<img src="{f:uri.resource(path: 'Images/Logo/logo-white.png', extensionName: 'MyExt')}" alt="Actual explanation of the logo content">
Alternatively use controllerExtensionName in your TypoScript setup.
Cany anybody tell me how to render the following structure in
typo3 without developing a new extension.
<div class="sidebar-details">
<div class="sidebar-details-title">
<h4><span>MY TITLE</span></h4>
</div>
<div class="sidebar-details-body">
<p>
TEXT
</p>
</div>
</div>
What would be the best/recommended way to achieve this ?
Start using gridelements.
Gives you exactly what you want.
http://typo3.org/extensions/repository/view/gridelements
You can activate the RTE html mode and put it in its source or make use of HTML element, but that's depending on your needs.
If you want to keep RTE functions for editing the text what I mentioned first is the recommended way. Have done it several times myself.
If you are using Template mapping using Templavoila so, you can create FCE(Flexible content element) for it and you can map this part.
If you are using fluid template mapping so, you can create gridelement for it. and map all part.
I'm using TinyMCE editor in my project and I would like to make it ignore the tag <--image-->.
Now, if I write this tag, it replaces it with <p> </p>
Is it possible to do this?
Yes, you will have to add this tag to your valid tinymce tags.
Have acloser look at the tinymce paramter valid_elements and valid_children.
I have a custom tag like this:
<content name="Home" />
When I click the Html button of the TinyMCE it was replaced with
<content name="Home"></content>
Currently my settings are: valid_elements: "content[name]"
What should I put in the valid_elements variable so that the tag will will be:
<content name="Home" />?
I am not perfectly sure, but i think this issue is not to be solved easily.
I do not think that you can configure this behavior because it is browser related and not tinies fault. Looks like the browser treats your custom html element like an html element with an opening and a closing part on default, even though you want to have a single part html element like a br-tag. The only way - i see - is to get the browser to accept your custom thlm elment as one part html element, which i do not know how to do.