- May 31, 2024
-
-
Benjamin Franzke authored
Allow proxies to cache the TYPO3 content by stripping the nonce from the generated CSP header if the nonce was not actually consumed. Also ensure that the nonce value substitution consumes a nonce to ensure that (replaced) nonces in cached-content receive a matching CSP header as well. Resolves: #103942 Releases: main, 12.4 Change-Id: I437c83de522ff4a6f4ee0ef2f13881d24bfb990c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84455 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benjamin Franzke <ben@bnf.dev> Reviewed-by:
Benjamin Franzke <ben@bnf.dev>
-
Georg Ringer authored
The stdWrap options stripHtml and htmlSpecialChars require the value to be a string. A typecast forces the string to avoid exceptions. Resolves: #103085 Releases: main, 12.4 Change-Id: Ia936a19e06fdf954ca3aef442cad34c164e9c54e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84458 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Oliver Bartsch <bo@cedev.de>
-
Andreas Kienast authored
With migration away from prophecy during v12 development, the variable `$siteMockRevelation` is not needed anymore as phpunit mocks don't know the concept of revelations. Resolves: #103958 Releases: main, 12.4 Change-Id: I92497737dfbba3ef1cd99e4fbd96751e00057a16 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84457 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de>
-
- May 29, 2024
-
-
Garvin Hicking authored
Using '%env(SOME_VARIABLE)%' within a site configuration YAML did not resolve contents in SOME_VARIABLE that were falsy ('false', '0', 0). This patch now properly converts those falsy values to actual values. Tests are added to verify the new behavior and prevent future regressions. Drive-by fix on Unit tests which did not actually remove env vars after testing, putenv('var') is needed instead of putenv('var='), because the latter will keep the environment var around (with an empty value). Resolves: #91710 Releases: main, 12.4 Change-Id: I99d64f080737ada38fd58a63f4e04e5b0d8c9ef3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84453 Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
Georg Ringer authored
If no icon is provided for a submodule, use a fallback to the icon of the parent module instead of directly using the empty-empty icon. Resolves: #103904 Releases: main, 12.4 Change-Id: I4e989483880fd88df904e9028f1d2cf6cd5c29f7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84454 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com>
-
- May 28, 2024
-
-
Christian Kuhn authored
Detail methods of the two TypoScript tokenizers tend to add mental load since they often update `$this` state. The patch changes `splitLines()` and `parseValueForConstants()` to return updated things instead, for consuming methods to take care of this. This is a pre-patch to simplify #102742. Resolves: #103944 Related: #102742 Releases: main, 12.4 Change-Id: I1a5dbccc1bdfbfc52681e323eb1fe9a2b0bb7dc7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84440 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Christian Kuhn authored
<INCLUDE_TYPOSCRIPT: source="DIR:..." condition="[tree.level > 2]"> The TypoScript tokenizers fail here since ">" within the condition is interpreted as "end of INCLUDE_TYPOSCRIPT". Add a couple of tests and fix it. Resolves: #103875 Releases: main, 12.4 Change-Id: I43c59bd61645bee9ce9c175b00ce1d2cba44c023 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84436 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
- May 27, 2024
-
-
Benjamin Franzke authored
Add a filename context to page.tsconfig include nodes (autoloaded from extensions Configuration folder or from site sets) in order to allow relative imports to be resolved. Releases: main, 12.4 Resolves: #79737 Change-Id: Id6404127b667a61e013d4e5b528048201ad0e6c6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84036 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benjamin Franzke <ben@bnf.dev> Reviewed-by:
Benjamin Franzke <ben@bnf.dev>
-
Stefan Bürk authored
With PHP 8.4 marking method parameter implicitly nullable is deprecated and will emit a `E_DEPRECATED` warning. One recommended way to resolve this, is making it explicitly nullable using the `?` nullable operator. [1] In cases, where an implicitly nullable parameter exists before not-nullable parameters in a method or constructor, making it explicitly nullable will emit a Optional parameter <paramname> declared before required parameter <paramname> is implicitly treated as a required parameter since PHP 8.0 [2]. This change adds the `?` nullable operator and removes the null default value for the first parameter, which mitigates both issues. This prepares the way towards PHP 8.4 compatibility. [1] https://php.watch/versions/8.4/implicitly-marking-parameter-type-nullable-deprecated [2] https://php.watch/versions/8.0/deprecate-required-param-after-optional Resolves: #103927 Releases: main, 12.4, 11.5 Change-Id: I0ba574769e5b95852379aa30f03d45715aec2055 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84362 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com>
-
Stefan Bürk authored
With PHP 8.4 marking method parameter implicitly nullable is deprecated and will emit a `E_DEPRECATED` warning. One recommended way to resolve this, is making it explicitly nullable using the `?` nullable operator. [1] In cases, where an implicitly nullable parameter exists before not-nullable parameters in a method or constructor, making it explicitly nullable will emit a Optional parameter <paramname> declared before required parameter <paramname> is implicitly treated as a required parameter since PHP 8.0 [2]. This change removes the `null` default value and adds the `?` nullable operator to the previousException parameter for the `\TYPO3\CMS\Backend\Form\Exception\DatabaseRecordException` constructor. This prepares the way towards PHP 8.4 compatibility. [1] https://php.watch/versions/8.4/implicitly-marking-parameter-type-nullable-deprecated [2] https://php.watch/versions/8.0/deprecate-required-param-after-optional Resolves: #103926 Releases: main, 12.4, 11.5 Change-Id: I4d1506b24b3113a74b37b986fa4f23f24e6219fb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84360 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com>
-
Stefan Bürk authored
`\TYPO3\CMS\Core\Tests\Unit\Database\ConnectionTest` contains code to mock Connection methods conditionally, based on their existence surrounded by a `@todo` comment to remove this, when `doctrine/dbal` has been required with 2.11.0 as minimal version. The version raise has been done already a long time ago, however the removal of this conditional test mock has been missed. This change removes the conditional mocking now. Resolves: #103929 Releases: main, 12.4, 11.5 Change-Id: I4cc2d5942149f69e044c25379c82388f1c4b9f45 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84422 Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
core-ci <typo3@b13.com>
-
- May 26, 2024
-
-
Christian Kuhn authored
$this->count() in phpunit always returns 1 and has no arguments as correctly found by phpstan. Fix a test to actually assert subject result count. Resolves: #103924 Releases: main, 12.4 Change-Id: I396b695eaeaa986a4cd9883e028ed6032d2f6339 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84413 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Christian Kuhn authored
GeneralUtility::callUserFunction() has only three parameters, as detected by phpstan. Resolves: #103923 Releases: main, 12.4 Change-Id: I31fc48f343558dd2e0d73feeb3933e249fa625a4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84411 Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Christian Kuhn authored
And rename the method since those general getButtons() methods are ugly. Resolves: #103914 Related: #103903 Releases: main, 12.4 Change-Id: Iaa428d711b98d2bf178aa0ba54ab507f7ca1c09b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84358 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
- May 25, 2024
-
-
Robert Silén authored
TYPO3 works with various DBMS. Avoid a specific mention of MySQL in README.md, the version matrix reveals details. Releases: main, 12.4 Resolves: #103719 Change-Id: I38cc50be00838643cb0095b3c848ef1d8a0c3014 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84359 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com>
-
Georg Ringer authored
The shortcut button requires the resolved name as display name and not the LLL path. Resolves: #103903 Releases: main, 12.4 Change-Id: I59e38bf9c40f0a940fecb6ac3178b2976f168069 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84398 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Georg Ringer authored
The configuration `foreign_table` of the type `select` is optional. Add a check to avoid PHP warnings. Resolves: #103825 Releases: main, 12.4, 11.5 Change-Id: I65925bae287a0ed340c67923ac4e4a2c72ce9d28 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84395 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Anja Leichsenring authored
The test setup used a dataProvider and in order to get its own setup right, it reverses and resets leftover instances from the previous run. It is way easier to split the test setup according to the admin flag, that decides about the resets, and run on a clear dedicated environment. Additionally, the system under test is in itself a mocked instance, which is neither necessary in this case, nor generally recommended. The mock has been resolved. Resolves: #103901 Releases: main, 12.4, 11.5 Change-Id: If40ef38a0e0fc2e73dd5f0bc8caff923cc48d661 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84392 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
core-ci <typo3@b13.com>
-
- May 24, 2024
-
-
Georg Ringer authored
Instead of prefixing the type (user, group) for every option an optgroup is used. With this change it is possible to use the keyboard to jump to a specific letter. Furthermore BackendUtility::getRecordTitle is used to retrieve the label instead of using a hardcoded field name. Resolves: #103893 Releases: main, 12.4 Change-Id: I6e9bcd46c2b953660c1b4419eaf567c2d8dc8c80 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84357 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Andreas Kienast <a.fernandez@scripting-base.de> Tested-by:
Andreas Kienast <a.fernandez@scripting-base.de>
-
Stefan Bürk authored
This change adds some tests for the `EXT:backend` ThumbnailViewHelper, mainly to cover fix #102571. Resolves: #103846 Related: #102571 Releases: main, 12.4 Change-Id: Id1acf6ddf6bc68c2dff0bfb7875859e07768e2af Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84353 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
Torben Hansen authored
This change removes a 5 years old todo in extbase persistence backend. Although the affected feature `newRecordStoragePid` currently is not documented, it is used in various TER extensions and most likely also in custom projects. In relation to this change, a PR for the TYPO3 documentation has been created on GitHub, so the setting will be documented. Resolves: #103895 Releases: main, 12.4 Change-Id: I5c5cf7e87fdb50ab08e409e69aff2b373d39a022 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84356 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Lina Wolf authored
There is no word 'postparation' according to native speaker Sarah McCarthy. And also the sentence was hard to understand for non-native speakers. The command is not only useful during deployment so we mention other use cases. Resolves: #103857 Releases: main, 12.4 Change-Id: I602d8fe70ccbe6831278669fb2078318be4bcf63 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84355 Tested-by:
Benjamin Franzke <ben@bnf.dev> Reviewed-by:
Benjamin Franzke <ben@bnf.dev> Tested-by:
core-ci <typo3@b13.com>
-
Oliver Bartsch authored
The GenericMetaTagManager as well as the abstract class (used by extensions) does now properly respect the current doctype and therefore omits the ending slash at the end for HTML5. Resolves: #102058 Releases: main, 12.4 Change-Id: I4ce6bcb61a44aff6eda738f52fe2f2548818ee95 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84354 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Oliver Bartsch <bo@cedev.de>
-
- May 22, 2024
-
-
Sascha Egerer authored
`\TYPO3\CMS\Extbase\Persistence\Generic\Query::execute()` has a boolean flag to define if the result should be a raw result without data mapping to an object. In this case a raw array is returned and not an array with objects. The annotation has been fixed at several places to be in sync with underlying \Doctrine\DBAL\Result::fetchAllAssociative() return type. Resolves: #103874 Releases: main, 12.4 Change-Id: Iea3eda9e805ca064d290f088d6130a44c06c1a42 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84348 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Christian Kuhn authored
Less jobs while keeping general pipeline times low.
* Simplify runner cache configuration
* sqlite pre-merge 3 instead of 5 jobs
* sqlite nightly 4 instead of 6 jobs
* merge checkGruntClean to general js job
* merge php lint jobs into one
* avoid composerInstall for unitJavascript
* merge acceptance install jobs into less jobs
* update acceptance test matrix to run less jobs in nightly while still catching many configuration permutations in addition to pre-merge.
Note backports are similar but deviate in details. Change-Id: I832543e002824977a98d3ffb35c3d08355b1f5be Resolves: #103869 Releases: main, 12.4, 11.5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84344 Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Benjamin Franzke authored
The cache identifier of TSconfig strings is now hashed with the current TYPO3 version number in preparation for an upcoming cache-content change (#79737) which is to be included in an upcoming v12 release. Resolves: #103839 Related: #79737 Releases: main, 12.4 Change-Id: I0864deddc350c6775c5cfe42fc05cfa1b974050e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84340 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Andreas Kienast <a.fernandez@scripting-base.de> Reviewed-by:
Andreas Kienast <a.fernandez@scripting-base.de> Tested-by:
Benjamin Franzke <ben@bnf.dev> Reviewed-by:
Benjamin Franzke <ben@bnf.dev>
-
- May 21, 2024
-
-
Oliver Bartsch authored
The value of a `label_alt` field might be an array, e.g. for TCA type `select` fields. Those values must not be formatted as this is done by `BU::getProcessedValue()` after resolving the correct record relation. Resolves: #103838 Releases: main, 12.4 Change-Id: Ibfec36d2df94661fde2d82eb60bb2736205d17c3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84352 Reviewed-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Bartsch <bo@cedev.de>
-
Ayke Halder authored
Use all available CPUs with `Build/Scripts/runTests.sh -s lintPhp`. Note podman CI is configured with a cpu-share to prevent starving other jobs when one is greedy, so this change is ok with CI, too. Resolves: #103864 Related: #103851 Related: #102385 Releases: main, 12.4, 11.5 Change-Id: I1cb7079f119677b36d6f4004398ae24bd8c5d284 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84318 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
- May 17, 2024
-
-
markuskappe authored
The documentation of EXT:scheduler falsely referred to the Admin Panel extension, which is now corrected. Releases: main, 12.4 Resolves: #103854 Change-Id: I81fe65069bfe0309ba62a5e376e30da4e6f65075 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84295 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Wouter Wolters authored
Use parallel runner to use more than 1 CPU. composer require --dev friendsofphp/php-cs-fixer:^3.57.1 Resolves: #103851 Releases: main, 12.4, 11.5 Change-Id: I59b5e2566a385792cad1b6c11b9b84b63fd21b98 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84289 Reviewed-by:
Andreas Kienast <a.fernandez@scripting-base.de> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Andreas Kienast <a.fernandez@scripting-base.de>
-
- May 16, 2024
-
-
Garvin Hicking authored
It has come up a few times that users face problems how to properly utilize the new `_assets/` hashed symlinks for `Resources/Public` assets of extensions. The current ChangeLog entry does not mention key searchwords like `_assets` or `Resources/Public`. Also, vital information is only available on external blog articles. This patch tries to provide a central entry point and may also be ported to the Core-API documentation once the mentioned concepts are approved by the core-team. ChangeLog entries are the vital source of truth for migration instructions and basis for the documentation, thus this is the first place to be addressed. Resolves: #103845 Releases: main, 12.4 Change-Id: Iadeae5de624027b5303a4240b36ca501ae29a31a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84294 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
- May 15, 2024
-
-
Stefan Bürk authored
With #103692 remembering the sub-module route within the backend user module has been fixed to open the last opened module sub-route. Due to another splitting of composer acceptance tests, the backend user groups tests are executed before the backend user tests within the same instance - and thus staying on the backend user groups view. `ListUserCest` does not ensure to select the backend user lists like it is done for `ListGroupCest`. This change ensures to switch to the backend users sub-route, when the `backend user` module is selected in the `ListUserCest::_before()` similar to `ListGroupCest::_before()`. Resolves: #103837 Related: #103692 Releases: main, 12.4 Change-Id: If54812a7bfc95e317f5e72737c3f88461da3fda2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84293 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
- May 14, 2024
-
-
Andreas Kienast authored
The label for the delete action was encoded twice, leading to text issues in case special characters are involved. This commit makes use of `GeneralUtility::implodeAttributes()` to solve this issue properly. Resolves: #103827 Releases: main, 12.4, 11.5 Change-Id: Ia9f7ba5adf46b470a33b9065e49b8599a24fdfad Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84274 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Andreas Kienast <a.fernandez@scripting-base.de> Reviewed-by:
Andreas Kienast <a.fernandez@scripting-base.de>
-
Benni Mack authored
This change allows for search for UIDs of versioned records in the page tree, which have been created within the workspace. Resolves: #103237 Releases: main, 12.4 Change-Id: Ia836d6ff50a9a8dccce69666a1f3614e959a2b19 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84292 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Change-Id: I38c57b5342892945c8b91bb72570faa9b5a28665 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84271 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Iedbda8b0217bab62bb7647a7c962f564faaf003e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84270 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Benni Mack authored
The "frame" parameter is no longer evaluated in the showpic eID as it allowed uncontrolled resource consumption. This parameter was actually never used by ContentObjectRenderer and existed since the initial commit and is therefore put behind a feature flag. Resolves: #103306 Releases: main, 13.1, 12.4, 11.5 Change-Id: I87019e58c078c8ccafc0b7ce42fe28b49dc068e4 Security-Bulletin: TYPO3-CORE-SA-2024-010 Security-References: CVE-2024-34358 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84259 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Resolves: #103303 Releases: main, 13.1, 12.4, 11.5 Change-Id: I2842cefd5dfc0aff920e61b5fd16f029db8ada4c Security-Bulletin: TYPO3-CORE-SA-2024-009 Security-References: CVE-2024-34357 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84258 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Benjamin Franzke authored
Encode non prepared output of BackendUtility::getRecordTitle. The string returned by getRecordTitle is only HTML encoded if the third parameter (`$prep`) is set to true, ensure that non-prepared usages are encoded on render. Resolves: #103782 Releases: main, 13.1, 12.4, 11.5 Change-Id: I96b9530d118a21163d6679ebf7120aa40c7ac7b6 Security-Bulletin: TYPO3-CORE-SA-2024-008 Security-References: CVE-2024-34356 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84257 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Bartsch authored
The last used action is now properly resolved again in the backend user module. Due to the fact that accessing the module, extbase always uses `index` as the selected action, the stored user state was never resolved. This is now fixed by using the index action as forward action, forwarding to either the stored default action or falling back to the new "listAction" which now acts as the main entry point. Resolves: #103692 Releases: main, 12.4 Change-Id: I764d130dc1a53a8fed25dadfaecaab5dd4eb58de Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84252 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Andreas Kienast <a.fernandez@scripting-base.de> Tested-by:
Andreas Kienast <a.fernandez@scripting-base.de>
-