- Mar 24, 2021
-
-
Oliver Bartsch authored
With the introduction of fluid styled content in #79622, the former CType `menu` with its subtypes was splitted into dedicated content types. Since the content element preview was not adjusted, it still checked for the `menu` CType, which did not longer exist in Core, leading to no preview for any menu type was displayed in page module. The issue is fixed by adjusting the code to check for the correct content types, making the preview work again. This also replaces the last usages of LLL:EXT:lang. Resolves: #93659 Releases: master, 10.4 Change-Id: I55d40d57da5edd7083cc5c37674f3fa85039e8e4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68563 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Oliver Bartsch authored
When strict type comparison was introduced to the OptionViewHelper in #90540, it was not properly ensured that the values to compare are of same type. The issue is fixed by always typecasting the selected value to string, before comparing it to the value in question, which will always be a string, according to its type hint. Resolves: #93801 Releases: master, 10.4 Change-Id: I3ea1d885a35e3223919facfe6d1825332914a7ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68560 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Jonas Eberle <flightvision@googlemail.com> Reviewed-by:
-
Torben Hansen authored
With Bootstrap 5 the registration of tooltips with the "data-title" attribute does not work any more. Instead, the "title" attribute must be used. Resolves: #93790 Releases: master Change-Id: I07ce40103d642f6337fdc3b72b43c4670177e975 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68553 Tested-by:
-
- Mar 23, 2021
-
-
Benjamin Franzke authored
The previos flex-basis: auto setting caused the svg to grow from it's initial size, which may be larger than the svg tree container height. This caused visual overflows. Fix this by start flex-growing zero based (flex-basis = 0). Also ensure that the toolbar stays on top of the categories while scrolling (position: sticky) and remove an invalid flex-direction property (the svg-tree-wrapper used display:block, therefore flex-direction has no effect). Releases: master Resolves: #93802 Related: #93773 Change-Id: Ia3904caed40196f4479d762b497233bbef9f0d9a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68559 Tested-by:
Richard Haeser <richard@richardhaeser.com> Reviewed-by:
-
Daniel Goerz authored
Resolves: #93808 Releases: master Change-Id: I914c426327f3ed9a62f99f42a7c294d050ed3968 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68572 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
- Mar 22, 2021
-
-
Benni Mack authored
This change moves all related drag+drop code for the navigation components into each TypeScript class, making clear that some functionality is only meant to be used in This change: * Removes the DragDrop / Actions files and moves them into the NavigationComponent.ts files * Moves all drag+drop related functionality into proper extended EditablePageTree/EditableFileStorageTree classes. This is a pre-patch to use the actual PageTree/FileStorageTree classes in other contexts (such as Element Browser) and extend them, and only have the functionality that is needed for all places. Resolves: #93785 Releases: master Change-Id: Ifff4ba2888ed498169580b912263d0dc0914886f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68520 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Sybille Peters authored
In several classes a list of array is used and passed as arguments. Sometimes a string was passed which needed to be exploded, sometimes the list was passed as array. We now add type declarations to all related arguments and always use array. Resolves: #92714 Releases: master Change-Id: Id634e8f3dbe2398f7c0b31e4986081b0c1d997b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66315 Tested-by:
-
Richard Haeser authored
If you have a good reason to disable the default rendering of the canonical tag, you can now use a TypoScript setting. To disable the canonical generation, you can add the following line to your TypoScript setup. .. code-block:: typoscript config.disableCanonical = 1 Resolves: #93606 Releases: master Change-Id: I9556d7ac2e0bb184c0bfe2dd74039837e11e8da7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68258 Tested-by:
Chris Müller <typo3@krue.ml> Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Tested-by:
-
Daniel Siepmann authored
The given example does not work and is replaced by a working example. Doctrine will add ASC as fallback sorting if no sorting direction is given, leading to an invalid SQL. Resolves: #93795 Releases: master, 10.4, 9.5 Change-Id: I69f594b4e0ec65586d53ee7f1348c987234a4d19 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68554 Tested-by:
-
Oliver Bartsch authored
With #91123 a new PreviewUriBuilder class was introduced. This class features a factory method `create`, with a type hinted parameter signature. This now leads to a TypeError in EXT:workspaces, e.g. when importing datasets in tests. This is fixed by typecasting the variable to be passed to the factory method. Resolves: #93800 Releases: master Change-Id: I7b1f567514da53bad0d16ac49fdfc9a33c2b7547 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68558 Tested-by:
-
Imko Schumacher authored
The localization state selector wizard now shows up for the renderType selectTree. It never showed up, since the value 'false' is never identical to 0 or 1. Resolves: #91778 Releases: master, 10.4 Change-Id: I13cd9414e05367e5130af7b07eac55b9e137bd66 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68521 Tested-by:
-
Andreas Fernandez authored
TCA fields using the 'placeholder' functionality are not initialized in inline 'localize/synchronize' scenarios. tx_styleguide_inline_1n -> inline_1 -> input_3 has been added to show this. Solution is to call the required FormEngine "re-init" in JavaScript at a different point - not only when new inline children are added, but also when synchronizing with default language. Resolves: #93792 Releases: master, 10.4 Change-Id: Ib10826ee9bc4c305436c2474f2bb20b2d367d426 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68527 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Daniel Goerz authored
This marker is documented since ever and never worked. Resolves: #93770 Releases: master, 10.4 Change-Id: I4f313324ecf7889e181c15e9823de3a6a5861bfc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68501 Tested-by:
-
Georg Ringer authored
The type unknown must be supported inside InputLinkElement to improve the user experience for editors. Instead of showing an error like "not implemented type unknown", the link itself must be shown. Good example are urls starting with a slash, e.g. in the redirects module. Resolves: #93788 Releases: master, 10.4 Change-Id: I346778d1aa5cfd87adceb6dfc1e45501fb80dd9a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68524 Tested-by:
-
Christian Kuhn authored
Activating inline localization appearence in TCA for inline FAL relations works only partially: The inline child in question is localized, but the 'shadowed' row does not vanish. This is due to server side behavior, which does not properly resolve an array for 'deep' relations like aTable->sys_file_reference->sys_file_metadata. The scenario has been added as tx_styleguide_inline_fal inline_5 to styleguide master & 10. Releases: master, 10.4 Resolves: #93791 Change-Id: Ia766759b607d5de644e97cf493f62f424bbe9579 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68526 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
- Mar 21, 2021
-
-
Georg Ringer authored
If the typolink ViewHelper can't produce any link, the redirect module should still show the value provided by the editor instead of nothing. Resolves: #93787 Releases: master, 10.4 Change-Id: Ifbe30c86ca2b08a92d2f28defa2362ffaf912984 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68523 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
- Mar 20, 2021
-
-
Philipp Kitzberger authored
Instead of a blocking the entire edit mask in case an inline child has gone missing this patch makes sure that the missing child is simply not rendered in the IRRE field and prevents the yellow flash message: `Record with uid <uid> from table <table> not found`. Resolves: #77435 Releases: master, 10.4 Change-Id: I3d545e8056ba424dbc438b9a6a385c30894a39d9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67959 Tested-by:
-
- Mar 19, 2021
-
-
Benni Mack authored
This change reduces the overhead of the d3 framework by using native CustomEvents on the actual Lit element of the SVG instead of d3-dispatch logic: * typo3:svg-tree:nodes-prepared (enrich node data) * typo3:svg-tree:expand-toggle (expand/collapse) * typo3:svg-tree:node-context (clickmenu) * typo3:svg-tree:node-selected (on-click) As shown in the patch, the actual logic of interacting with the outside framework (Persistent, ContextMenu, window.) is moved to the actual Lit components, making the SVG tree slimmer and easier to maintain. Resolves: #93782 Releases: master Change-Id: I6f5227579eb16ec218bbe67de2aecbcaaabb3fcc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68464 Tested-by:
-
- Mar 18, 2021
-
-
Torben Hansen authored
Update copyright year to 2021 Resolves: #93769 Releases: master, 10.4, 9.5 Change-Id: Iec3214352aca9df579a3a1574eaf61222a6d2689 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68500 Tested-by:
-
Benni Mack authored
The SVG Tree class is now a lit element, allowing for further reduction of d3 usage in favor of native HTML5 APIs. Resolves: #93773 Releases: master Signed-off-by:
-
Benjamin Franzke authored
Whenever a topbar refresh is triggered, e.g. by activating/deactivating of an extension in the extension manager, or when changing the backend users language, the topbar link events (such as "user settings") need to be re-added. Resolves: #93757 Related: #92704 Releases: master Change-Id: I3580ea1ad890ba9a8dc79903f1f2d43bb212de72 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68495 Tested-by:
Michael Telgkamp <michael.telgkamp@mindscreen.de> Tested-by:
-
- Mar 17, 2021
-
-
Markus Klein authored
The DatabaseCachePreset now sets options/compression to `true` instead of 1. This is necessary because the option is of type boolean in the backend code. This fails hard if the backend is validating the option, like the Redis backend does. Resolves: #93767 Releases: master, 10.4 Change-Id: I8db3bebfa73b80e0d2e9d0a062183cd3f7cc36d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68493 Tested-by:
-
Oliver Bartsch authored
Since bootstrap 5 an active tab is highlighted by setting the `.active` class on the tab item link (`.nav-link`) instead of the tab item (`.nav-item`) itself. Therefore, this must also be done in templates defining the initially active tab item, which is usually just the first one. See: https://getbootstrap.com/docs/5.0/components/navs-tabs/#fill-and-justify Resolves: #93763 Releases: master Change-Id: I56f7024a3b4d7f62e01e8dc9e25d508203359366 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68471 Tested-by:
-
Benni Mack authored
The element browser now shows the active state again of the tab (Page, File, Folder etc), because the active class needs to reside on the link and not on the <li> element. Resolves: #93761 Releases: master Change-Id: Ie7db46b1b6b321546d5a976fea35e747d8848806 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68470 Tested-by:
-
Benni Mack authored
Since the upgrade of bootstrap, the radio button inside the upgrade wizards' buttons are shown. The change utilizes btn-check functionality from Bootstrap 5 Resolves: #93653 Releases: master Change-Id: I718ff5390c039ba5c14881ecdbca7d29817ce8d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68187 Tested-by:
-
Markus Klein authored
Set the current content element record as data for the cObj used to generate the click-enlarge code for images. This ensures that the default dataWrap used in TypoScript actually gets the uid of the content element and not the current page. Resolves: #93700 Releases: master, 10.4 Change-Id: I066c8fcb568b752b57439fffaf969ec002032d3a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68310 Tested-by:
-
- Mar 16, 2021
-
-
Oliver Bartsch authored
Since #93663 the setup module uses the be_users.lang field for the UI language. Therefore, when switching languages, the corresponding value is not longer found on the root level of the form data array, but in the `be_users` subarray. Resolves: #93756 Releases: master Change-Id: Ib593f969a61ddfc72030c21a85ba3b3ab401d181 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68467 Tested-by:
Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by:
-
Benni Mack authored
A new TCA type "language" is added, in order to make life easier to set up new TCA. The main issue (as can be seen in core already) is that each TCA adds different implementations on how to deal with "-1". Now "-1" is added for any record except "pages", where the "-1 / All Languages" concept is not implemented. In addition, this decouples the select type from sys_language, effectively reducing the logic where a direct access is necessary to the "sys_language" table. This effectively also removes the now mis-use of `foreign_table` from the TCA "languageField" field by properly handling languages internally. This furthermore makes any relation handling superfluous, reducing quite an amount of code and complexity in the DataHandler. Instead, all columns, defined as "[ctrl][languageField]", are now automatically migrated to the new "type=language", with no specific configuration, as TYPO3 is managing this field, taking care of the user specific configuration. Furthermore, are all columns, using the “special=languages” option, migrated to the new TCA type. This allows to get rid of this special case as well, reducing complexity in FormEngine and DataHandler. The new TCA type also properly handles the field for records on root level, or on a page outside of a site context. The only exception is the `allowed_languages` field in be_users and be_groups, where a new itemsProcFunc is used. Resolves: #57082 Releases: master Change-Id: Ic4878326c0cdc6ce1f233fa29f07419bf6b572a4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60293 Tested-by:
-
Oliver Bartsch authored
Some TCA configurations were still using strings for class references in the itemsProcFunc option. Since this is error-prone and also prevents proper IDE support, all remaining places are changed to use the automatic PHP class name resolution with ::class. Resolves: #93753 Releases: master Change-Id: I853492ae7f590171d7a3e8e422f40728f7e879b1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68466 Tested-by:
-
Markus Klein authored
If port 465 is used for SMTP the `transport_smtp_encrypt` feature is automatically enabled by the underlying symfony component. Resolves: #93749 Releases: master, 10.4 Change-Id: Id4a1822da7e744fb02fc7b0e9db6784e966c2403 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68462 Tested-by:
-
Christian Kuhn authored
The recent extbase related class schema revert introduced a warning within functional PHP 8 tests leading to test fails. Run the mariadb functionals with PHP 7.4 instead of PHP 8 for the moment again. Additionally a minor type hint from one of the recent security patches is added in ext:form area to make phpstan happy again. Related: #93745 Resolves: #93751 Releases: master Change-Id: Idac9c953d7029c3f67d6d1060354edfa5fa972dc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68463 Tested-by:
-
Oliver Bartsch authored
The content element preview for menus displays the menu type label along with the record title of the defined pages and categories. Since the output was not properly encoded, this led to a XSS vulnerability in the page module. The issue is addressed by properly encoding user input. Note: Because of a bug in `PreviewRenderer`, the vulnerable code was most likely not executed in any TYPO3 installation after v8.6.0. Resolves: #93664 Releases: master, 11.1, 10.4, 9.5 Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f Security-Bulletin: TYPO3-CORE-SA-2021-008 Security-References: CVE-2021-21370 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68453 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Andreas Fernandez authored
The PreviewRenderer pattern introduced with #78450 makes use of the TCA feature `descriptionColumn` to render the content of this column in a content element's preview in the page module. The content of the column however was not properly escaped allowing a persistent XSS abuse. This patch adds a `htmlspecialchars()` to the output to escape the content properly Resolves: #93562 Related: #78450 Releases: master, 11.1, 10.4 Change-Id: I144c6c2d7f4f61f4479fac3c2d400a21f5d72405 Security-Bulletin: TYPO3-CORE-SA-2021-007 Security-References: CVE-2021-21340 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68452 Tested-by:
-
Oliver Hader authored
`AbstractUserAuthentication::$uc['moduleSessionID']` still stored plain session identifier, which has been replaced by corresponding HMAC. Resolves: #93359 Releases: master, 11.1, 10.4, 9.5 Change-Id: I920b8d3b364c249d2ec3a6deb42e141e5a1b8ff7 Security-Bulletin: TYPO3-CORE-SA-2021-006 Security-References: CVE-2021-21339 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68439 Tested-by:
-
Frank Naegler authored
To prevent DoS attacks by using page-based error handling, the content of the error page is now cached, this prevents fetching the content of the error pages again and again. Resolves: #88824 Releases: master, 11.1, 10.4, 9.5 Change-Id: I6dea5200dc710a182b66deedfbeb2110ea829117 Security-Bulletin: TYPO3-CORE-SA-2021-005 Security-References: CVE-2021-21359 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68438 Tested-by:
-
Andreas Fernandez authored
The form name is rendered multiple times in the form wizard when either creating or cloning a form. Any input is now sanitized to avoid XSS in the summary step of the form wizard. Resolves: #93560 Releases: master, 11.1, 10.4 Change-Id: I3ddce48e38e32456318c695774bbcd035115b5ae Security-Bulletin: TYPO3-CORE-SA-2021-004 Security-References: CVE-2021-21358 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68437 Tested-by:
-
Ralf Zimmermann authored
Form editors which provide only a limited set of allowed values (like single-select or multi-select form editors) now validate the submitted values against the set of allowed values (configured within the form setup). Resolves: #93581 Releases: master, 11.1, 10.4, 9.5 Change-Id: Iae0a34c20cacdbcfc4eff9c4b1add966c1657010 Security-Bulletin: TYPO3-CORE-SA-2021-003 Security-References: CVE-2021-21357 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68436 Tested-by:
-
Oliver Hader authored
File handling implementation in `UploadedFileReferenceConverter` of `ext:form` creates files in `/fileadmin/user_uploads/` whenever some Extbase controller is (implicitly) dealing with `FileReference` models, unless particular implementations assign specific type converters or register type converters having a higher processing priority. As a side-effect this could lead to by-passing mime-type validators, allowing to plant cross-site scripting and other malicious binaries to public accessible `/fileadmin/` storage. PHP files and similar are blocked since `fileDenyPattern` rule is active in any case. This change makes the usage of `UploadedFileReferenceConverter` more specific in the scope of processing contact forms with `ext:form` * use random folder names for files, `.../form_abcde12345/image.png` * removes `UploadedFileReferenceConverter` from being used implicitly by other Extbase implementations dealing with `FileReference` models `PseudoFileReference` has been introduced to limit properties being serialized to `uid` (in case it's a real file reference) or `uidLocal` (in case it's a transient reference, pointing to a file). Direct URLs to uploaded files are substituted by `fileDump` eID script now, enforcing corresponding FAL mime-type and denying the web server from guessing/interpreting a different mime-type based on file suffix. A unique form `__session` value has been introduce, serving as seed to derive for instance mentioned folder names for uploaded files. In addition to that, form `__state` is only parsed when having been submitted via expected `FormFrontendController::performAction`. Resolves: #92136 Releases: master, 11.1, 10.4, 9.5 Change-Id: I7c33803443a68d6b3c895ec74da802a70bd390c1 Security-Bulletin: TYPO3-CORE-SA-2021-002 Security-References: CVE-2021-21355 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68435 Tested-by:
-
Torben Hansen authored
A missing check in GeneralUtility::sanitizeLocalUrl() resulted in an url starting with `//` to be considered as a local url. This change ensures, that urls starting with `//` are not considered local. Corresponding unit tests are fixed and extended, since they need a full environment to process correctly. Resolves: #92891 Releases: master, 11.1, 10.4, 9.5 Change-Id: I41eb16776742b3e0d2cffd064dd0408e4faa7c78 Security-Bulletin: TYPO3-CORE-SA-2021-001 Security-References: CVE-2021-21338 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68434 Tested-by:
-
- Mar 15, 2021
-
-
Benni Mack authored
The change makes "e712dc9e" existing Extbase installations broken, so this is reverted. Change-Id: I141e100a1dcbfe6c2d9b41af090c1c120052a8f4 Resolves: #93745 Reverts: #92946 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68329 Tested-by:
-
