TYPO3 allows files to be uploaded both through the backend user interface and through custom-developed extensions. To reduce the risk of potentially malicious code being uploaded, TYPO3 uses the fileDenyPattern to prevent, for example, user-submitted PHP scripts from being persisted. Besides that, any editor can upload file assets using the file module (fileadmin) or change the avatar image shown in the TYPO3 backend.
By default, TYPO3 also allows HTML and SVG files to be uploaded and stored through the functionalities mentioned above. Custom extension implementations will probably accept those files as well if only the fileDenyPattern is evaluated.
Since HTML and SVG files - which, per W3C standard, may contain executable JavaScript code - can be displayed directly in web clients, the whole web application is exposed to Cross-Site Scripting. Currently the following scenarios are known, given that an authenticated regular editor is able to upload files using the TYPO3 backend:
SVG files that are embedded using an <img src="malicious.svg"> tag are not vulnerable, since potential scripts are not executed in that context (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3 is not in the scope of this announcement, since SVG icons need to be registered using an individual implementation, which is not considered user-submitted content.
The real solution to avoid user-submitted content and Cross-Site Scripting in HTML and SVG files is to disable the upload of those file types in general. The TYPO3 install tool provides corresponding settings in TYPO3_CONF_VARS/SYS, which shall no longer contain HTML and SVG file extensions.
In case editors having access to the TYPO3 backend are not considered "trustworthy", administrators have to manually adjust their configuration in order to disallow these file types in the corresponding install tool settings:
While disabling HTML uploads might be possible, disallowing SVG files might not be an option when they are used as media assets. For this scenario the additional TYPO3 extension svg_sanitizer has been implemented, which makes use of the 3rd-party composer package enshrined/svg-sanitize. The scope of this extension is to sanitize uploaded SVG files and remove potentially malicious code from them, which concerns the following scenarios:
Besides that, the extension svg_sanitizer ships with an upgrade wizard, which allows sanitizing existing SVG files that are already persisted in file storages. This can be done by invoking the upgrade wizard via the TYPO3 install tool.
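As an added example (not code from TYPO3 or the svg_sanitizer extension), the two measures described above in PHP: dropping HTML and SVG from the allowed upload extensions in TYPO3_CONF_VARS/SYS, and sanitizing an SVG with enshrined/svg-sanitize before it is persisted, rejecting input the library cannot parse. The configuration key names textfile_ext and mediafile_ext, the helper function names and the sample SVG are assumptions, not taken from the announcement.

```php
<?php
// Added example, not TYPO3's or svg_sanitizer's own code.
// Assumes "composer require enshrined/svg-sanitize" has been run.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Step 1: the hardening the announcement recommends. Remove HTML and SVG
// from the allowed upload extensions in TYPO3_CONF_VARS/SYS (the key names
// textfile_ext and mediafile_ext are assumed; the announcement only says
// "TYPO3_CONF_VARS/SYS"). This part belongs in AdditionalConfiguration.php.
function dropExtensions(string $list, array $drop): string
{
    $kept = [];
    foreach (explode(',', $list) as $ext) {
        $ext = strtolower(trim($ext));
        if ($ext !== '' && !in_array($ext, $drop, true)) {
            $kept[] = $ext;
        }
    }
    return implode(',', $kept);
}

$sys = $GLOBALS['TYPO3_CONF_VARS']['SYS'] ?? [];
$GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext'] = dropExtensions($sys['textfile_ext'] ?? '', ['html', 'htm']);
$GLOBALS['TYPO3_CONF_VARS']['SYS']['mediafile_ext'] = dropExtensions($sys['mediafile_ext'] ?? '', ['svg']);

// Step 2: where SVG must stay allowed, sanitize it before persisting, as
// svg_sanitizer does with enshrined/svg-sanitize.
function sanitizeSvgUpload(string $svg): ?string
{
    $sanitizer = new Sanitizer();
    $sanitizer->removeRemoteReferences(true); // also drop external href/url() references
    $clean = $sanitizer->sanitize($svg);
    // sanitize() returns false for input that is not well-formed XML:
    // reject such an upload instead of storing the file unchanged.
    return $clean === false ? null : $clean;
}

// Constructed sample: an SVG carrying an onload handler and an inline <script>.
$dirty = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" onload="alert('xss')">
  <script>alert('xss')</script>
  <circle cx="10" cy="10" r="5"/>
</svg>
SVG;

$clean = sanitizeSvgUpload($dirty);
echo $clean === null ? "rejected: not well-formed XML\n" : $clean;
```

The sanitized output keeps the `<circle>` element but contains neither the `<script>` element nor the `onload` attribute.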
The extension svg_sanitizer requires at least TYPO3 version 8.7.13 or 9.2.0 in order to make use of the mentioned hooks in class GeneralUtility. The extension can be obtained from the following sources:
Credits go to Mohamed Keffous and Nguyen Thanh Nguyen (FortiGuard Labs), who reported the vulnerability concerning SVG files, and to TYPO3 framework merger Frank Nägler for providing the additional svg_sanitizer extension. The work time needed to achieve this was sponsored by TYPO3 GmbH.
Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.