Last active
January 9, 2023 10:49
TYPO3 override DefaultSanitizerBuilder via custom site-extension - origin https://forge.typo3.org/issues/94917
```php
<?php
// in my_extension/ext_localconf.php
defined('TYPO3') or die();

// overrides the `default` builder globally
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['default'] = \OliverHader\MyExtension\MyDefaultBuilder::class;

// actually it would be better to declare a new `my` builder,
// to be used individually via TypoScript `stdWrap.parseFunc.htmlSanitize.build = my`
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['my'] = \OliverHader\MyExtension\MyDefaultBuilder::class;
```
```php
<?php
// in my_extension/Classes/MyDefaultBuilder.php
namespace OliverHader\MyExtension;

class MyDefaultBuilder extends \TYPO3\CMS\Core\Html\DefaultSanitizerBuilder
{
    protected function createBehavior(): \TYPO3\HtmlSanitizer\Behavior
    {
        // overrides TYPO3's default builder
        // allows the `iframe` tag with the attrs `src` and `sandbox`
        // the `src` attr is limited further to
        // + regexp ^(https?://|/(?!/)|[^/:][^:]*$)
        // + or being a URI on the current TYPO3 host
        $behavior = parent::createBehavior();
        $iframeTag = (new \TYPO3\HtmlSanitizer\Behavior\Tag('iframe'))
            ->addAttrs($this->srcAttr, ...$this->createAttrs('sandbox'));
        $behavior = $behavior->withTags($iframeTag);
        return $behavior;
    }
}
```
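As an added example that is not part of the gist: the same approach taken one step further, which is usually what a site owner wants once `iframe` is allowed at all. `src` is made mandatory and pinned to an allowlist of embed hosts over `https` instead of reusing the inherited `$this->srcAttr` (which accepts any `http(s)` URL plus same-host paths), and `sandbox` is made mandatory and limited to a fixed token set that leaves out `allow-same-origin` (if the framed document is same-origin with the page, `allow-scripts` plus `allow-same-origin` lets it remove its own sandbox). A tag whose mandatory attribute is missing or has a non-matching value is treated as an invalid tag and is encoded as text or removed according to the behavior flags the parent builder set, rather than being rendered. The class name `StrictIframeBuilder`, the allowlisted hosts and the sample HTML in the usage comment are assumptions made for this example; `Attr`, `RegExpAttrValue`, `Tag` and `Behavior` are the `typo3/html-sanitizer` classes the builder above already relies on. Register it under its own key in `ext_localconf.php` exactly as `my` is registered above.

```php
<?php
// Added example, not part of the gist: my_extension/Classes/StrictIframeBuilder.php
// Class name, allowed hosts and the sample input in the usage comment are assumptions.
declare(strict_types=1);

namespace OliverHader\MyExtension;

use TYPO3\CMS\Core\Html\DefaultSanitizerBuilder;
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Behavior\Attr;
use TYPO3\HtmlSanitizer\Behavior\RegExpAttrValue;
use TYPO3\HtmlSanitizer\Behavior\Tag;

class StrictIframeBuilder extends DefaultSanitizerBuilder
{
    /** Embed hosts that may be framed (assumed list); the `/` right after the host
     *  prevents `host.evil.example`, ports and userinfo tricks from matching. */
    private const ALLOWED_SRC_PATTERN =
        '#^https://(www\.youtube-nocookie\.com|player\.vimeo\.com)/#i';

    /** Zero or more whitespace-separated tokens from this set; an empty value
     *  means "fully sandboxed". `allow-same-origin` and `allow-top-navigation`
     *  are deliberately not in the set. */
    private const ALLOWED_SANDBOX_PATTERN =
        '#^(\s*(allow-scripts|allow-forms|allow-popups))*\s*$#i';

    protected function createBehavior(): Behavior
    {
        // Own `src` Attr instead of the inherited $this->srcAttr.
        // MANDATORY: an <iframe> without a matching `src` is an invalid tag,
        // so `javascript:`, `data:`, `tel:` and foreign hosts never render.
        $srcAttr = (new Attr('src', Attr::MANDATORY))
            ->addValues(new RegExpAttrValue(self::ALLOWED_SRC_PATTERN));

        // MANDATORY as well: a frame cannot simply omit `sandbox`, and a value
        // containing tokens outside the allowed set invalidates the tag.
        $sandboxAttr = (new Attr('sandbox', Attr::MANDATORY))
            ->addValues(new RegExpAttrValue(self::ALLOWED_SANDBOX_PATTERN));

        $iframeTag = (new Tag('iframe'))
            ->addAttrs(
                ...$this->globalAttrs,
                $srcAttr,
                $sandboxAttr,
                // purely presentational attrs, generic value handling is fine here
                ...$this->createAttrs('width', 'height', 'loading')
            );

        return parent::createBehavior()->withTags($iframeTag);
    }
}

// Usage, e.g. in a console command or a test of the extension (constructed sample):
//   $sanitizer = (new StrictIframeBuilder())->build();   // build() is inherited
//   echo $sanitizer->sanitize(
//       // kept: allowlisted host, allowed sandbox token
//       '<iframe src="https://www.youtube-nocookie.com/embed/abc" sandbox="allow-scripts"></iframe>'
//       // invalid tag: `src` does not match the allowlist
//     . '<iframe src="javascript:alert(1)" sandbox=""></iframe>'
//       // invalid tag: mandatory `sandbox` missing
//     . '<iframe src="https://player.vimeo.com/video/1"></iframe>'
//       // invalid tag: `allow-same-origin` is not an allowed token
//     . '<iframe src="https://player.vimeo.com/video/1" sandbox="allow-scripts allow-same-origin"></iframe>'
//   );
```

Because the regular expressions are anchored with `^` and `$`, a value that merely contains an allowed host or token somewhere inside it does not pass; only the whole attribute value is judged. If a site needs more embed providers, extend the host alternation rather than loosening the anchors.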
And if someone else arrives there, here is a common definition for iframe:

```php
$iframeTag = (new Tag('iframe'))
    ->addAttrs(
        array_merge(
            $this->globalAttrs,
            [$this->srcAttr],
            $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
        )
    );
```

This throws an error on my setup:

```
Argument 1 passed to TYPO3\HtmlSanitizer\Behavior\Tag::addAttrs() must be an instance of TYPO3\HtmlSanitizer\Behavior\Attr, array given
```

I changed it to:

```php
$iframeTag = (new Tag('iframe'))
    ->addAttrs(
        ...array_merge(
            $this->globalAttrs,
            [$this->srcAttr],
            $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
        )
    );
```
Side-note: Omitting to declare the `sandbox` attribute might (I did not test it in detail, therefore "might") introduce new security risks. My tests so far included the following:

Again: Not completely tested!

Another nice tweak is using `tel:` in `iframe` - in the past, some mobile clients directly called the given number.