- Aug 12, 2021
-
-
Georg Ringer authored
Use the latest version which gets full support. composer req egulias/email-validator:^3.1 composer req egulias/email-validator:^3.1 -d typo3/sysext/core --no-update Resolves: #94830 Releases: master Change-Id: I6336a15d28401e364d343eb9c2a4d50708b520a9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70464 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Wouter Wolters <typo3@wouterwolters.nl> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Andreas Fernandez authored
The Core Updater and Reports module were modified to render correct information about non-community supported TYPO3 releases (aka ELTS) with while no ELTS was released yet, in contrast to the Core Updater. The missing case is added with this patch. Resolves: #94827 Related: #94745 Releases: master, 10.4, 9.5 Change-Id: Ib4d8791478b89ad7e9b92930d882a98c76b809a3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70462 Tested-by:
Frank Nägler <frank.naegler@typo3.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
Andreas Fernandez authored
The method GeneralUtility::shortMD5() generates an MD5 hash and trims it to a configurable length, where 10 characters is the default. This increases the probability of conflicts whereever this method is used, either as hash stored in the database or as id decorator in DOM. Due to the issues this method brings, it is marked as deprecated now. Resolves: #94684 Releases: master Change-Id: I599211196da8ffd737643d29ed68dc6d0c0f2ae9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70176 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
-
Benni Mack authored
The replacement for fsMod comes with a bad side-effect when using the topbar. This change ensures that a "mount" can also be handed in as "null" value. Resolves: #94828 Related: #94762 Releases: master Change-Id: I3e8c7ba7a83384297d8af52807be11e7e4115d59 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70463 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Oliver Bartsch authored
Bootstrap 5.1.0, we updated to in #94752, introduced a `.vr` (vertical rule) class. This collided with our access module related styles, since we also use a `.vr` class for the legend here. To resolve the collision, our own implementation, which is only used in the access module, is now prefixed with `t3`. Resolves: #94826 Related: #94752 Releases: master Change-Id: I493baa3d0af41b78f42c9e73c9c121b29f417edd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70456 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
- Aug 11, 2021
-
-
Oliver Hader authored
JavaScript object :js:`top.fsMod` managing the "state" for page-tree and file-tree related contexts in the backend user-interface like this: * `top.fsMod.recentIds.web` contained the current ("recent") page or file related identifier details were shown for * `top.fsMod.navFrameHighlightedID.web` contained the currently selected identifier that was highlighted in page-tree or file-tree * `top.fsMod.currentBank` contained the current mount point or file mount ("bank") used in page-tree or file-tree To get rid of inline JavaScript and reduce usage of JavaScript `top.*`, mentioned `top.fsMod` has been deprecated and replaced by new component `ModuleStateStorage`. Reading data from `top.fsMod` is still possible as a fall-back. Resolves: #94762 Releases: master Change-Id: I9e02a1e4c59ad3a007f5244197c1cdaa2a31ce22 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67680 Tested-by: -
Oliver Bartsch authored
This patch moves the "normal" clipboard actions, such as copy and cut, into the secondary dropdown in recordlist and filelist. This means, when in "normal" clipboard mode, the actions are accessible no matter if the clipboard itself is shown or not. The clipboard related actions are divided by a horizontal line in the dropdown. Moving them into the dropdown also means, no superfluous "empty" icons are necessary when clipboard state changes, e.g. from "normal" to "multiple". Resolves: #94824 Releases: master Change-Id: I57666fe880cda9283d649a77f3a3b1bd44206e8d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70455 Tested-by:
Jochen <rothjochen@gmail.com> Tested-by:
-
Oliver Bartsch authored
Some content elements, namely "html", "div" and "shortcut" do not display the header field value in the frontend. However, the "name" is shown as link value in menus (e.g. section index). To make this clear to the editor, a new description is added to the "header" field for those elements. Furthermore is the corresponding CSH text adjusted. Resolves: #94704 Releases: master Change-Id: I9767e41a082e4c2776f0c78e7e091bff9eed66bf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70352 Tested-by:
-
Oliver Bartsch authored
Since #94414 directly injecting the LanguageService is deprecated. The LanguageServiceFactory has to be used instead. This patch removes some left overs, which still triggered deprecation log entries. Resolves: #94803 Related: #94414 Releases: master Change-Id: Iecbaf0c433ffbad27d82ecb71bd6c170e455c01c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69662 Tested-by:
-
Benni Mack authored
This patch updates bootstrap to version 5.1.0, introducing several bugfixes. See https://github.com/twbs/bootstrap/releases/tag/v5.1.0 for further reference. In addition, Popovers now contain the option to allow HTML at any time (HTML is sanitized by default). Executed commands: yarn add bootstrap@^5.1.0 --cwd Build/ yarn add --dev @types/bootstrap@^5.1.0 --cwd Build/ Resolves: #94752 Releases: master Change-Id: I22923798288b69e9bcab61d12ce8527030527c31 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70294 Tested-by:
-
Oliver Bartsch authored
The clipboard copy and cut actions do not longer define a returnUrl, since the action does not switch the module. This previously led to an endless loop of returnUrl parameters being added to the link. Resolves: #94813 Releases: master Change-Id: Ib267fcbc778342cd03d5d0a1a2c81283f98f87d0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70453 Tested-by:
-
Simon Gilli authored
Sqlite needs the current table definition in the alterTable() method to be able to alter the table. This patch adds the current definition to the upgrade wizard to work properly with Sqlite databases. Resolves: #94811 Relates: #94460 Releases: master Change-Id: I199b7be03499d74608ba8e8cc2ddd0c11ca888bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70447 Tested-by:
Daniel Siepmann <coding@daniel-siepmann.de> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
Robert Kärner authored
The checkbox "t3-form-field-eval-null-checkbox" lost its former CSS class "checkbox" and thus its attribute "position: relative". This happened during the recent change to streamline checkboxes in the TYPO3 Backend. This change adds the missing attribute, so that the checkbox is no longer obscured by the "t3-form-field-disable" overlay, which prevented all mouse interactions. Resolves: #94817 Related: #93310 Releases: master Change-Id: I1fba185f58cd927eb186e39feab5c6d9c783315a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70451 Tested-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
-
Daniel Siepmann authored
The autoloading was accidentally removed during #94747. Resolves: #94812 Releases: master Change-Id: Ibbabc31607f918d320013ad4ddf06567f2694ec1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70449 Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
-
Grégory Jaouën authored
Fix the Formelement selection button on first use. The variable `propertyData` might be a string and the expression `getCurrentlySelectedFormElement().get(propertyPath)` can return an undefined value. The OR operator `||` is used instead of the nullish coalescing operator `??` on browser compatibility purpose. Resolves: #92911 Releases: master, 10.4 Change-Id: Icd0333061edccef4ee0af00abb34dbb56306fe63 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66876 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
waldhacker <hello@waldhacker.dev> Reviewed-by:
-
Jochen Roth authored
When calling the sitemap (type 1533906435) undefined key warnings are thrown. This is fixed by properly checking the array key. Resolves: #94785 Releases: master Change-Id: I2961a4b776b4e35fc3e489a0cdabd95f4b0602cf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70402 Tested-by:
-
Claus Due authored
Allows compatibility with Fluid 3.x. The change is necessary because Fluid 3.x moves away from regular expression to detect Fluid syntax, while also allowing more detailed customisations of what can be written as inline syntax. The result is that the JSON object notation gets seen as Fluid syntax. Even if Fluid 3.x natively was more permissive about such embedding, combining it with calls to Fluid ViewHelpers would still present problems (when is a curly brace JSON and when is it Fluid? Do we process Fluid tag notation only inside strings in that JSON? How aware should Fluid be, not just of JSON but potentially also embedded XML? And can we accept a considerable increase in Fluid's internal complexity to handle these edge cases for any conceivable embedding strategy?). In order to avoid this complexity, Fluid 3.x pragma has been to make it intentionally more naive, at the cost of potentially detecting syntax that in 2.x would not be detected as Fluid syntax. As a side note: there *is* a standard way to tell Fluid "this syntax isn't Fluid" - by prefixing curly brace statements with a backslash - but this approach is not compatible with Fluid 2.x which would simply output the backslash, resulting in invalid JSON syntax. Essentially, while we keep support for Fluid 2.x we are slightly more constrained in what we can choose to embed in Fluid, because whatever we choose to embed, must be compatible with both versions. And though there *are* certain ways we could accommodate JSON-in-Fluid, none of them are straight-forward and may in the end only encourage less than ideal practices (such as embedding script tags with Fluid being used to build variables - which is something that ideally should be handled in a controller, and in TYPO3 context, integrated via the PageRenderer instead of appearing at arbitrary places in DOM). So even though much more detailed explanations/workarounds are possible, TYPO3 CMS should constitute a best-practice reference and be as compatible as we possibly can - which in this case means not embedding Fluid-processed JSON in templates, but rather use the controller and PageRenderer to do such embedding. A similar change was done to embed the "goTo_altDoc" JS function in the page module, to pass the entire function as Fluid variable instead of passing only the function body as variable. PageRenderer was not used for that, since the function was rendered as part of a modal which does not use PageRenderer for output - since PageRenderer is available in context of the Form module, it is preferable to use that strategy. Releases: master Resolves: #90867 Change-Id: I6ea8dda6e6900b236a7801020f796f05c0b0d9b2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63965 Tested-by:
-
Oliver Hader authored
... follow-up ... Resolves: #94797 Releases: master Change-Id: I8fedbf9ed7e67bf6db7d248680c9844b1a8c6b76 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70446 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Tomas Norre Mikkelsen authored
* remove superfluous `}` literal from PHP example * add "Troubleshooting" section of reported side-effects * add "Logging" section, supporting to spot those side-effects Resolves: #94797 Releases: master, 11.3, 10.4, 9.5 Change-Id: I4b154c849b158d920b380f40d1415762d227ae6d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70440 Tested-by:
-
Benni Mack authored
This change is a pre-requisite for allowing guzzle/psr7 2.0. Used composer command: composer req --dev codeception/codeception:^4.1.22 -W Resolves: #94800 Related: #94422 Releases: master Change-Id: I1440249440c739d52acc448285ce053aeee67579 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70442 Tested-by:
-
Wouter Wolters authored
Resolves: #94795 Releases: master Change-Id: Ia4a0123a70a2b50b4f89e04e3f15c18559489c97 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70438 Tested-by:
-
Torben Hansen authored
When TYPO3 is configured to spam protect email addresses using an offset, then the HTML sanitizer introduced in #94375 will remove the generated JavaScript in the href link attribute. This change makes the HTML sanitizer aware of the `javascript:linkTo_UnCryptMailto` pattern for href attribute. Resolves: #94776 Releases: master, 11.3, 10.4, 9.5 Change-Id: If5f4ab22a686274401390a66b580a24e6d5a8f0c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70411 Tested-by:
-
- Aug 10, 2021
-
-
Oliver Hader authored
This reverts commit c35316f6. Not defining replaced version of `t3g/svg-sanitizer` leads to problems with `roave/security-advisories`. Overall it seems to be better, to completely revert previous change. Resolves: #94782 Reverts: #94719 Releases: master, 11.3, 10.4, 9.5 Change-Id: I43c2ea986ffec72bc0c8eb740a84daad33e9257f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70433 Tested-by:
-
Wouter Wolters authored
Resolves: #94788 Releases: master Change-Id: I687ce575ddd15f8a2f9ce4ba9ded6f3087e4b66f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70405 Tested-by:
crell <larry@garfieldtech.com> Reviewed-by:
-
Oliver Bartsch authored
The clipboard related header links are refactored to not longer rely on inline JavaScript, but to use event listeners instead. Resolves: #94777 Releases: master Change-Id: I457b2b334672c5c4b727cf733e30adfb7817c677 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70396 Tested-by:
-
Benni Mack authored
The option RTE.enableWordClean = 1 is related to RteHtmlparser and not related to TYPO3 Core. In order to avoid confusion if people grep the source code for this option, an unrelated test is now using a different property. Resolves: #93870 Releases: master, 10.4 Change-Id: I6967e0fd46871829ae7f8516fbaae8a5567384c5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70409 Tested-by:
-
Larry Garfield authored
The channel field is more flexible than types, and will be populated by PSR-3 loggers as well. Switch belog to use that instead of the old type ints. Resolves: #94439 Relates to: 94356 Releases: master Change-Id: Ia834a63be88e17aaca62d806940d0404273050ae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69663 Tested-by:
-
Nikita Hovratov authored
Since bootstrap v5.0.2 the popover module removes empty title and content html nodes. This plays however against our strategy to load csh text on demand. To prevent the automatic removal, an empty p-tag is set in the data-bs-content attribute. In addition this fixes another two small bugs: 1. Remove the unexpected argument in the setContent method. 2. Add a new update method in Popover to update the arrow position after fetching csh text. Resolves: #94482 Releases: master Change-Id: I70ba510b793e10fa6b096d9f8bf54ccf1a823a19 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69719 Tested-by:
Riccardo De Contardi <erredeco@gmail.com> Tested-by:
-
Oliver Bartsch authored
Replace GeneralUtility::linkThisScript with proper usage of UriBuilder in combination with the PSR-7 Request. Resolves: #94767 Releases: master Change-Id: Iba909c8d8bcc8bfaf21284edfc598a363a202e0a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70318 Tested-by:
-
Albrecht Koehnlein authored
Respect 'ignoreRootLevelRestriction' TCA setting when fetching history records. This is required for non-admins to be able to revert auto generated redirects. Otherwise the page access check always would fail, because the redirects are created on page id 0 where a non-admin user never has access to. Resolves: #91559 Releases: master, 10.4 Change-Id: I4fa2432b1a9d613766e956ae773380acf7b63f67 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69634 Tested-by:
Henrik Elsner <helsner@dfau.de> Tested-by:
Xavier Perseguers <xavier@typo3.org> Reviewed-by:
-
Benni Mack authored
This change replaces an inline JavaScript code to update the form URL of the constant editor to jump to the last changed field when saving the Constant Editor module. Resolves: #94770 Releases: master Change-Id: I7a387dd2cd8ba1d5d89f0a2484bc9305b964c0d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70341 Tested-by:
-
Jochen Roth authored
When transferring a item to the clipboard on the root page (uid=0), an undefined array key warning is thrown. This is fixed by properly checking the array key. Resolves: #94771 Releases: master Change-Id: I2280468ee37b3fdeb264a384e6ec82f855a5476e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70392 Tested-by:
-
Nikita Hovratov authored
In patch #93478 (66cd4ab5) the SVG Tree Drag & Drop got a little rework. While removing some magic strings and replacing them with enums, one string got a wrong replacement. This caused some faulty behaviour of the persistence of dropped pages. Changing it back to the previous value "before" restores the old behaviour. Resolves: #93548 Releases: master Change-Id: I65bf14aec5540a3ae3c91dade72fad739743a5e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70185 Tested-by:
-
Guido Schmechel authored
Resolves: #94389 Releases: master, 10.4 Change-Id: I6bbc99de19fbfb30f45bc7f7b03b313667daa6e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69915 Tested-by:
-
Simon Gilli authored
This patch avoids exceptions during the upgrade from pre 11.3 versions where the column sys_log.channel does not exist. Resolves: #94708 Releases: master Change-Id: I4f1a7a2facfd9775126a13cb093347f332b9b6f3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70197 Tested-by:
-
Oliver Hader authored
Due to missing internal handling of provided RTE configuration, it was possible to directly persist XSS in database fields. Unless full blown backend RTE tag configuration is available, this patch still allows persisting potentially malicious data - which is not reflected in the backend user interface - but to be sanitized during frontend rendering (see below). Corresponding configuration directives (`removeTags`, `allowedAttribs`) are now considered again. Besides that a new, but simplified sequential HTML parser ensures that runaway node-boundaries are detected & denied. To sanitize and purge XSS from markup during frontend rendering, new custom HTML sanitizer has been introduced, based on `masterminds/html5`. Both `DefaultBuilder` and `CommonVisitor` provide common configuration which is in line with expected tags that are allowed in backend RTE. Using a custom builder instance, it is possible to adjust for individual demands - however, configuration possibilities cannot be modified using TypoScript - basically since the existing syntax does not cover all necessary scenarios. Resolves: #94375 Related: #83027 Related: #94484 Releases: master, 11.3, 10.4, 9.5 Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0 Security-Bulletin: TYPO3-CORE-SA-2021-013 Security-References: CVE-2021-32768 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70345 Tested-by:
-
Oliver Hader authored
Functionality of package t3g/svg-sanitizer has been integrated into the TYPO3 core. Resolves: #94719 Releases: master, 11.3, 10.4, 9.5 Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70210 Tested-by:
-
Wouter Wolters authored
The constants of the DateTime class are deprecated and moved to DateTimeInterface. Move all usages in the core over to DateTimeInterface. Resolves: #94759 Releases: master Change-Id: If723da5d5439535735d47cbe9d68bf75d7b5a885 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70303 Tested-by:
-
Wouter Wolters authored
Resolves: #94761 Releases: master Change-Id: If8c407d284ab24a489835b3397d340f59ab53045 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70305 Tested-by:
-
Christian Kuhn authored
composer.json fields marked as root-only in https://getcomposer.org/doc/04-schema.md are only used if the composer.json is used as project root. Core extensions and split repositories are never used as project root directly and also won't work as such. Testing is always performed on the monorepo. All root-only fields are thus obsolete in extensions composer.json, namely: require-dev, autoload-dev, minimum-stability, prefer-stable, repositories, config, scripts. sortpackages: true in config field is kept since this is useful when updating packages using componer req something -d typo3/sysext/core_ext Resolves: #94747 Releases: master Change-Id: I9712703c35ef3d00c098bc58218032d1e19306d4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70288 Tested-by:
-
