TYPO3: Using rte_ckeditor with entryHTMLparser_db


When upgrading from TYPO3 v7 to v8.7, the new rte_ckeditor extension is used instead of rtehtmlarea.

In TYPO3 7, we used RTE PageTSconfig to filter out unwanted tags and attributes:

RTE.default {
    showButtons = bold, strong, emphasis, italic, unorderedlist, orderedlist, link, unlink, chMode
    proc {
        # Tags the editor must not offer or accept
        denyTags = blockquote, center, div, font, h1, h2, h3, h4, h5, h6, hr, img, nav, pre, span, strike, sub, sup, u

        # Server-side pass applied when the content is written to the database
        entryHTMLparser_db = 1
        entryHTMLparser_db {
            removeTags < RTE.default.proc.denyTags
            # These tags survive, but with all attributes stripped
            noAttrib = b, br, div, em, i, li, ol, p, strong, ul
            # Reset any inherited per-tag rules, then allow only these attributes on <a>
            tags >
            tags.a.allowedAttribs = href,title,target
        }
    }
}

When saving a text content element, all the tags get removed. This can be worked around by disabling the entryHTMLparser_db with entryHTMLparser_db = 0.

The manual states that "CKEditor’s Advanced Content Filter" shall be used.

Now my questions:

  1. Can I still use entryHTMLparser_db in TYPO3 v8+? How?
  2. Isn't the "advanced content filter" implemented in JavaScript, and can it thus be circumvented by POSTing data to the TYPO3 backend? (which means we lose a security barrier)
Answer by cweiske:

TYPO3 indeed relied on client-side filtering through CKEditor's advanced content filter, as described in https://typo3.org/article/about-the-latest-typo3-core-security-release:

"We used to rely on CKEditor's sanitization logic, but it is using client-side validation that cannot always be trusted. This is now cleaned up and moved to the server side."

The server-side validation was implemented in the security release versions 11.3.2, 10.4.19, 9.5.29, 8.7.42, 7.6.53 (the TYPO3 v8 and v7 releases were ELTS versions that you have to buy).
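To make the point of the answer concrete, here is an added example (not TYPO3 code, and not the TYPO3 HtmlParser) of the kind of server-side allow-list pass that the question's entryHTMLparser_db rules describe: whatever CKEditor's Advanced Content Filter lets through in the browser, or whatever is POSTed straight to the backend, is reduced to the configured tags and attributes before it is stored. The tag and attribute lists are an assumed mapping of the TSconfig above; the sample input is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list modelled on the entryHTMLparser_db rules in the question (assumed mapping)
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "li", "ol", "p", "strong", "ul"}
ALLOWED_ATTRIBS = {"a": {"href", "title", "target"}}   # every other tag: noAttrib
SAFE_SCHEMES = {"", "http", "https", "mailto"}          # "" = relative URL
DROP_WITH_CONTENT = {"script", "style"}                 # remove tag and body

SAMPLE = ('<p onclick="x()">Hi <span style="color:red">there</span> '  # constructed
          '<a href="javascript:x()" title="t">link</a><br/></p><script>x()</script>')


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropped = []        # stripped tags: worth logging, the client let them through
        self.skipping = False    # inside <script>/<style>: discard the text as well

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)       # tag removed, its text content is kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBS.get(tag, ()):
                continue                   # on* handlers, style, class never survive
            if name == "href" and urlsplit(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue                   # javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):          # <br/> reaches here too and is skipped
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.parts.append(escape(data, quote=False))   # text is re-escaped on output


def sanitize(untrusted_html):
    # Server-side pass over RTE content: returns (clean_html, dropped_tags)
    parser = AllowListSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.parts), parser.dropped
```

Run on SAMPLE it yields `<p>Hi there <a title="t">link</a><br></p>` and reports `span` and `script` as dropped; the dropped list is the signal a backend would log, since a well-behaved CKEditor would never have sent those tags.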