* streamline variable names
* streamline method names
* preparation for additions in the future

Resolves: #91805
Releases: master, 10.4
Change-Id: Iaa16cfcbcda7adbd48838a498f2f459d97f4ef18
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65042


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

TYPO3 now ships a new module acting as wrapper for `sessionStorage`. It
behaves similar to `localStorage`, except that the stored data is dropped
after the browser session has ended.

Resolves: #91738
Releases: master
Change-Id: I221ac1ea7b8a8a24b8490d7ddf55b92775e37d81

When rendering child elements of a tabs, not only
the rendered HTML is collected from these child elements,
but also hidden fields HTML, assets and a lot more.

Therefore it is crucial to merge the child results regardless
of whether the "html" property is empty.

Releases: master, 10.4, 9.5
Resolves: #91636
Relates: #89094
Change-Id: If169bd6486d3001466464462b29788b94fbb0943

Instead of generating the URL to the backend login, the URI of the
current request is now used for the referrer check in backend login.
This fixes a redirect issue with password recovery links opened via
email.

The anchor-based reload detection has been replaced with a
localStorage-based solution as browsers don't trigger a new request if
the target location is already loaded, but only an achor is appended to
the URL.

Resolves: #91442
Releases: master, 10.4, 9.5
Change-Id: I577bdd8ce75c94f864852f812c0b8ad66f0d5634

nprogress is used to indicate activity when a collapsed IRRE node is
about to get loaded. In case of FlexForms the id attribute may contain a
dot which is not an issue if handled correctly.
However, nprogress doesn't treat this value as an id, but rather as a
full CSS selector which causes issues and breaks loading the IRRE node.

To work around this issue, the id of the container used to render the
progress bar is now MD5 hashed.

Resolves: #91585
Releases: master, 10.4
Change-Id: I893d0cf24ea0f384d9ffff4d84f83b0fa35341b7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64783


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

The JavaScript modules now utilize the native String.prototype.trim
function to trim whitespaces off string where jQuery's trim was used
before.

Resolves: #91683
Releases: master, 10.4
Change-Id: I5c7a25e508e7e052339f2969a5725593e110a3a1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64932


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

The JavaScript functions TBE_EDITOR.fieldChanged_fName` and its legacy
alias `TBE_EDITOR_fieldChanged_fName` used to extract the table name,
field name and uid from the incoming field name have been removed.

As a drive-by bugfix, the undefined variables
`TBE_EDITOR_setHiddenContent` and `TBE_EDITOR.setHiddenContent` have
been removed as well.

Resolves: #91578
Releases: master
Change-Id: I528fde709367d5d474b846f347a3770d15b1a227
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64678


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Some modules have been rewritten to not use jQuery in the past. However,
there was still a dependency due to missing `ready` handling.
Since recent changes TYPO3 is capable of such handling and enables to
remove jQuery completely from some modules.

Resolves: #91598
Releases: master
Change-Id: I23fa63f9090eee8abc49cd1993df27bec12d92e2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64832


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

A wrong label was used when using "Fluid based page module".
This resulted in "[]" instead of "[Hidden]" for records with hidden
headline.

This is fixed by using the proper label reference.

Resolves: #91628
Releases: master, 10.4
Change-Id: I7749cbf4441335f8493eadbb9386d95835dff9a9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64850


Tested-by: Björn Jacob <bjoern.jacob@tritum.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Björn Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Setting up backend layouts with colPos not set will show the content of
column 0 because of an excplicit cast of the colPos. This patch checks
if colPos is set and if not skips the assignment of records.

Resolves: #91176
Releases: master, 10.4
Change-Id: I75d9818c4330bb8a4d9a7a60130a547167a83e58
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64305


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

PageRenderer does not need to care about the actual content.
Instead of re-running everything in PageRenderer, ModuleTemplate
only calls PageRenderer->render() once.

This simplifies the PageRenderer logic and adds a bit of performance
improvements.

Resolves: #91584
Releases: master
Change-Id: I2397f43a4e26f40bb885b21a67ae7a503349a614
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64735


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Common URLs like typo3.org, tools.ietf.org or php.net are nowadays
available as HTTPS, however some places in TYPO3 still use http://
as reference. This should be streamlined to resemble https:// everywhere.

Resolves: #91581
Releases: master, 10.4
Change-Id: I76b5211f7e14cab0c6d190059d2be761bc664b53
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64733


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Björn Jacob <bjoern.jacob@tritum.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Björn Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Filter out pages user has no access to on query time in page tree.
This patch reintroduce a change which was reverted with
https://review.typo3.org/c/Packages/TYPO3.CMS/+/64369

Resolves: #91221
Related: #90880
Related: #91348
Releases: master, 10.4, 9.5
Change-Id: Id90752c331bc6fc12b0d3a7d047adacf08cb7804
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64346


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Uwe Trotzek <trotzek@citeq.de>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Richard Haeser <richard@maxserv.com>

All code that is using the constant TYPO3_MODE is hard to test,
as this needs to be encapsulated into various places. All testing framework
places run with TYPO3_MODE=FE which makes it impossible to even
consider making parts of the testing framework compatible running a pure
Frontend-based request in the future.

On top, the constant covers up cross-dependency between core dependencies
(whereas $GLOBALS[TSFE]->fe_user is actually a dependency to EXT:frontend).

Another testing-helper in Extbase's EnvironmentService allows to switch
within Extbase to simulate Frontend behaviour.

Resolves: #91521
Releases: master, 10.4
Change-Id: I85a34029e399b40d0780f907480f9059bfdb0edb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64598


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <a.fernandez...

Scalar values sent via HTTP query parameters to
FileSystemNavigationFrameController are using `json_encode` instead
of `unserialize`. The parameter stream is still secured with an HMAC
before being deserialized.

Resolves: #91548
Releases: master, 10.4, 9.5
Change-Id: I57be68aac1787bdc27f2bbae40f8d71b1b33f79f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64624


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The T3_RETURN_URL and T3_THIS_LOCATION javascript constants
are removed, in addition to all code relevant in ModuleController, and dblist
(and its controllers / ViewHelpers) where this is executed.

Resolves: #91545
Related: #91473
Releases: master
Change-Id: Ie14c1c365796ac5a124573a2e01cfc9bf7e9afc2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64619


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>

Resolves: #91544
Related: #91473
Releases: master
Change-Id: I04ce71e83d6e98835c8a8c29e82398d43de2af5c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64615


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>

Various classes and methods are removed, that have been marked
as deprecated before.

Resolves: #91543
Related: #91473
Releases: master
Change-Id: I1dd8b773326c8960b01173003a3251b6ee1d69f1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64616


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

eot, otf and ttf font formats were used to support very old browsers
like <= IE8. Since TYPO3 v10 does only support modern browsers, these
formats can be safely removed.

Used commands:
>yarn remove npm-font-source-sans-pro
>yarn add source-sans-pro
>grunt build

Resolves: #90904
Releases: master, 10.4
Change-Id: I0676bcdb2bc70454f73027e8e216bb889c419a57
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64596


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The following class aliases are removed:

* `TYPO3\CMS\Frontend\Page\PageRepository`
* `TYPO3\CMS\Frontend\Page\PageRepositoryGetPageHookInterface`
* `TYPO3\CMS\Frontend\Page\PageRepositoryGetPageOverlayHookInterface`
* `TYPO3\CMS\Frontend\Page\PageRepositoryInitHookInterface`
* `TYPO3\CMS\Frontend\Page\PageRepositoryGetRecordOverlayHookInterface`
* `TYPO3\CMS\Lowlevel\Utility\ArrayBrowser`

Resolves: #91539
Releases: master
Change-Id: Ie11c410576eb0713746fd9261691c5bec72a34d5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64610


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Resolves: #91486
Releases: master
Change-Id: I4767e5395aad52fbe14f37d74af37609cd69e4ff
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64445


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>

Resolves: #91510
Releases: master, 10.4, 9.5
Change-Id: I5bfda8310342718dc696b182fd87b1954a6cdc39
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64590


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

One of the marker-based legacy class DocumentTemplate is now
removed for TYPO3 v11.

In addition, some tests regarding the extension scanner now use a different
class for testing purposes.

Resolves: #91514
Releases: master
Change-Id: Id2de0949032be6211f2d0f35bfb79c8fc893ad33
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64594


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Resolves: #91501
Releases: master, 10.4, 9.5
Change-Id: I7b77a3ee8aceac2cbdb6f3d4e0a02930b66eb863
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64591


Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Haupt <mail@danielhaupt.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The library md5.js has been removed in favor of the
TYPO3/CMS/Backend/Hashing/Md5 module.

Resolves: #91485
Releases: master
Change-Id: I3e6e3419ddf84a5790421ba1117d78219a880b96
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64446


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

Resolves: #91484
Releases: master
Change-Id: Ic589bd298b4f6892bb0459a1396d2d2b95d456f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64447


Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

The module `jquery.clearable` has been removed in favor of
TYPO3/CMS/Backend/Input/Clearable.

Resolves: #91483
Releases: master
Change-Id: I52d14faed7e871dab9e79af5e2af4e9ebd7b5c67
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64448


Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

The following previously deprecate static methods
are now removed:

- TYPO3\CMS\Backend\Utility\BackendUtility::getRawPagesTSconfig()
- TYPO3\CMS\Backend\Utility\BackendUtility::editOnClick()
- TYPO3\CMS\Backend\Utility\BackendUtility::getViewDomain()
- TYPO3\CMS\Backend\Utility\BackendUtility::getBackendScript()
- TYPO3\CMS\Backend\Utility\BackendUtility::TYPO3_copyRightNotice()

Resolves: #91481
Releases: master
Change-Id: I8943f2e14ce1dbcb1195fffef5afe329b5f3ab79
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64585


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

This change removes all triggers ("SlotReplacement classes") to Signals
that were used until TYPO3 v10 LTS.

The SignalSlot Dispatcher still stay for the time being, but it is unused in
TYPO3 Core now.

Resolves: #91474
Related: #91473
Releases: master
Change-Id: I08867cb5837f605e52a067457a91f40288556fab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64578


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>

This change reflects the master branch to be targeted to v11.

Testing framework is raised as well to support v11.

This also means that all bugfixes now need to target "master, 10.4"
or "master, 10.4, 9.5" for critical bugfixes.

All features go into master branch again.

Resolves: #91469
Releases: master
Change-Id: Ife0f9d0fcf5ff13d55acb89dee5138e0e0b781e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64573


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Resolves: #91459
Relates: #91302
Releases: master
Change-Id: Ic4af3247d7557a6c12a8d538e85795c507eab69a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64561


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

With the removal of `selicon_field_path` in #87937 also the
automatic record type icon mapping was removed.

As a result the record icon of a select item based on `foreign_table`
is not resolved anymore. In addition, the `selectIcons` list is therefore
no longer displayed.

The previous functionality is now restored.

Resolves: #91302
Relates: #87937
Releases: master
Change-Id: If62f4ba65ef54ec2345131f6c117ce4336e76c4c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64560


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

To highlight difference between BackendUtility::BEgetRootLine()
and RootlineUtility->get()

Resolves: #91455
Releases: 9.5, master
Change-Id: I63d7ca395d5a052d29d718316474b69d6519ebc9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64554


Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Richard Haeser <richard@maxserv.com>

Change-Id: I22eb57766cd6ddd8aa31447ccd374e52920c2010
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64529


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: Ifd8e3cc62c5b0a27b0bc938e5dbc8cb136a1d07c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64528


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the TYPO3 backend being called from other
non same-origin locations. In case a HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

It turned out that this scenario was probably too strict, disabling
feature `security.backend.enforceReferrer` was the only work-around
for site administrators.

This change adds new options for handling referrers in backend routes:
* refresh-empty (existed already): refresh in case referrer is empty
* refresh-same-site: refresh in case referrer is on same site, like
  `https://example.org/?eID=auth` calling `https://example.org/typo3/`
* refresh-always: refresh always in case there is not valid referrer

TYPO3's main backend route is using `refresh-always` now to be more
relaxed on handling same-site and cross-site referrers as well.

The term "refreshing" relates to trigger a reload in the browser to
get the referrer of the current location. This still block direct
CSRF/SSRF requests since the refreshing HTML instructions are
delivered back to the client. Besides that, cross-site requests are
covered by the `same-site` cookie policy, and existing CSRF tokens.

Resolves: #91396
Releases: master, 9.5
Change-Id: Ib3756671fa60c6f41ba992d0e645f03da1730d19
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492


Tested-by: Susanne Moog <look@susi.dev>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Richard Haeser <richard@maxserv.com>

When a null placeholder checkbox is changed, the linked form field is
now marked as "changed", which triggers the confirmation when leaving
the form while being unsaved.

Resolves: #91351
Releases: master, 9.5
Change-Id: I1b3ac08223a4a4c588a980abe70f22ff9814b13f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64444


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Xavier Perseguers <xavier@typo3.org>
Tested-by: Susanne Moog <look@susi.dev>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Xavier Perseguers <xavier@typo3.org>
Reviewed-by: Susanne Moog <look@susi.dev>

HTML element with identifier `t3js-login-url` is used to check whether
referrer handling is activated and suported. In case the `Login.html`
template has been overridden, mentioned element might not be given at
all - which leads to a corresponding JavaScript error.

Resolves: #91385
Releases: master, 9.5
Change-Id: Ie986a94209809c32cdfb217aa00b42f4369c525a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64484


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

A context can be provided, when opening the CSH (Context Sensitive Help).

E.g. when opening the CSH for a backend module or specific table field,
the help entry for that module or field will be opened.

This patch restores the described functionality by adding the action
to the link opened via JavaScript.

The "see also" links, used for cross referencing different CSH entries
are fixed as well. Cross referencing links are now build using the proper
ViewHelper to use backend module routing, instead of extbase routing.
This ensures arguments are not moved into an arbitrary extbase plugin
namespace.

Resolves: #91370
Releases: master
Change-Id: Ib6361e5a5f4ef441e098a595fa344f484a07ddc0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64477


Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Sebastian Klein <laitnin@gmx.net>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Sebastian Klein <laitnin@gmx.net>
Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>

Change-Id: I6e8b59634266786e07a0d80a6271914a26a7d7e4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64475


Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>