

[SECURITY] Upgrade to typo3/html-sanitizer v2.1.4
See https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.4

composer req typo3/html-sanitizer:^2.1.4
composer req typo3/html-sanitizer:^2.1.4 \
   -d typo3/sysext/core --no-update

Resolves: #102169
Releases: main, 12.4, 11.5
Change-Id: I76edb7ff0dc66d3308d5c0875c2db56ca02addd7
Security-Bulletin: TYPO3-CORE-SA-2023-007
Security-References: CVE-2023-47125
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81732
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
bnf authored and ohader committed Nov 14, 2023
1 parent 8fdec56 commit 707e319
Showing 7 changed files with 39 additions and 10 deletions.
2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -97,7 +97,7 @@
"typo3/class-alias-loader": "^1.1.4",
"typo3/cms-cli": "^3.1",
"typo3/cms-composer-installers": "^2.0 || ^3.0 || ^4.0",
"typo3/html-sanitizer": "^2.1.3",
"typo3/html-sanitizer": "^2.1.4",
"typo3/phar-stream-wrapper": "^3.1.7",
"typo3/symfony-psr-event-dispatcher-adapter": "^1.0 || ^2.0",
"typo3fluid/fluid": "^2.7.2"
16 changes: 8 additions & 8 deletions composer.lock


Expand Up @@ -226,6 +226,13 @@ public function crossSiteScriptingDataProvider(): array
'<p><a href="t3://page?uid=1" target="_blank" rel="noreferrer" role="button" onmouseover="alert(1)">text</a></p>',
],
],
[
'<?xml >s<img src=x onerror=alert(1)> ?>',
[
'&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
'<?xml >s<img src=x onerror=alert(1)> ?>',
],
],
];
}
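Review bot: The second accepted expectation in the new `<?xml …>` case is byte-identical to the input, so if the consuming test passes when any listed alternative matches, a sanitizer that left `<img src=x onerror=alert(1)>` untouched inside the processing instruction would still satisfy this dataset. If that alternative exists for a known code path — presumably one where processing instructions are kept verbatim and the string never reaches the sanitizer — a short comment naming it would make the intent reviewable, e.g. `// unchanged variant: accepted only when <STAGE — TODO name it> keeps processing instructions verbatim`; if no such path exists, the alternative should be dropped so the case fails on a regression. crossSiteScriptingDataProvider begins outside the hunk.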

Expand Up @@ -162,6 +162,18 @@ public static function isSanitizedDataProvider(): array
'<span style="color: orange">value</span>',
'<span style="color: orange">value</span>',
],
'#912' => [
'<!---><p>',
'<!---&gt;&lt;p&gt;-->',
],
'#913' => [
'<!---!><p>',
'<!---!&gt;&lt;p&gt;-->',
],
'#941' => [
'<?xml >s<img src=x onerror=alert(1)> ?>',
'&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;',
],
];
}
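Review bot: The new dataset keys `#912`, `#913` and `#941` look like upstream typo3/html-sanitizer issue numbers, but nothing in the provider says so, and the neighbouring entry just above them is unkeyed. If that is what they are, a one-line comment above the new cases, `// keys refer to typo3/html-sanitizer issue numbers`, tells a future reader where to look when an expectation changes after the next upgrade. isSanitizedDataProvider begins outside the hunk.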

Expand Down Expand Up @@ -221,6 +233,7 @@ public function incidentIsLogged(): void
$sanitizer->sanitize('<script>alert(1)</script>', new SanitizerInitiator($trace));
$logItemDataExpectation = [
'behavior' => 'default',
'nodeType' => 1,
'nodeName' => 'script',
'initiator' => $trace,
];
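Review bot: `'nodeType' => 1` is a magic number in the new expectation; if the logged value comes from `DOMNode::nodeType`, PHP's `XML_ELEMENT_NODE` constant names the same value, so `'nodeType' => XML_ELEMENT_NODE,` would document what is being asserted in place. The same literal is added in the second incidentIsLogged hunk further down (the one expecting `'initiator' => HtmlViewHelper::class`). incidentIsLogged begins outside the hunk.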
2 changes: 1 addition & 1 deletion typo3/sysext/core/composer.json
Expand Up @@ -73,7 +73,7 @@
"typo3/class-alias-loader": "^1.1.4",
"typo3/cms-cli": "^3.1",
"typo3/cms-composer-installers": "^2.0 || ^3.0 || ^4.0",
"typo3/html-sanitizer": "^2.1.3",
"typo3/html-sanitizer": "^2.1.4",
"typo3/phar-stream-wrapper": "^3.1.7",
"typo3/symfony-psr-event-dispatcher-adapter": "^1.0 || ^2.0",
"typo3fluid/fluid": "^2.7.2"
Expand Up @@ -98,6 +98,7 @@ public function incidentIsLogged(): void

$logItemDataExpectation = [
'behavior' => 'default',
'nodeType' => 1,
'nodeName' => 'script',
'initiator' => HtmlViewHelper::class,
];
Expand Up @@ -119,6 +119,14 @@ public function defaultParseFuncRteAvoidsCrossSiteScriptingDataProvider(): array
'07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
'<p>07: <a href="/" target="_blank" rel="noreferrer" class="button" role="button">TYPO3</a></p>',
],
'#08' => [
'08: <?xml >s<img src=x onerror=alert(1)> ?>',
// Note: The TYPO3 HTML Parser encodes processing instructions, it's therefore
// expected and "OK" that the img tag is not encoded but sanitized.
// If the HTML Parser would not run, the expected result would be:
// '<p>08: &lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;</p>',
'<p>08: &lt;?xml &gt;s<img src="x"> ?&gt;</p>',
],
];
}
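Review bot: The new comment says the img tag is "sanitized" but not what that means for the payload, although the removal of the `onerror` handler — the expectation keeps only `<img src="x">` — is the property this case protects; a closing line such as `// the sanitizer then drops the onerror handler and keeps only src` would state it explicitly, assuming that is indeed the sanitizer's doing. The sentence `If the HTML Parser would not run` reads better as `If the HTML Parser did not run`. defaultParseFuncRteAvoidsCrossSiteScriptingDataProvider begins outside the hunk.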

