TYPO3 Forge: Issues
http://forge.typo3.org/ | 2024-03-14T17:36:06Z | TYPO3 Forge | Redmine

TYPO3 Core - Bug #103400 (Under Review): Avoid mapping route values that are out of scope
http://forge.typo3.org/issues/103400 | 2024-03-14T17:36:06Z | Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #103097 (Resolved): Avoid calling LogDataTrait::formatLogDetails in non-static c...
http://forge.typo3.org/issues/103097 | 2024-02-10T17:01:06Z | Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #102942 (Resolved): Show language name in "Manage Language Packs" modal
http://forge.typo3.org/issues/102942 | 2024-01-26T11:59:15Z | Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #102668 (Resolved): Consider empty or invalid password policy reference
http://forge.typo3.org/issues/102668 | 2023-12-13T18:08:30Z | Oliver Hader (oliver.hader@typo3.org)
<p>In case <code>$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy']</code> is disabled or set to a preset that actually does not exist, the backend editing view should not issue JavaScript errors on the missing <code>#password-policy-info</code> element. Currently the following error appears in the browser console:</p>
<pre>
Uncaught TypeError: Cannot read properties of null (reading 'classList')
at HTMLInputElement.<anonymous> (password-element.js?bust=2e5226ec73ecf48bcbde72dd5fdea0b0252fc4ee:13:647)
</pre>

TYPO3 Core - Bug #102386 (Resolved): Consider URL encoded values for addQueryString.exclude
http://forge.typo3.org/issues/102386 | 2023-11-16T13:57:22Z | Oliver Hader (oliver.hader@typo3.org)
<pre>
typolink {
  parameter = 1
  addQueryString = 1
  addQueryString {
    exclude = param%,param%25
  }
}
</pre>
<p>URL: <code>?keep=1&param%2525=2</code></p>
<p>Result: The params to be excluded are not removed - the TypoScript property probably(?!) refers to the internal URL-decoded representation.</p>

TYPO3 Core - Bug #102136 (Resolved): Revert: Enable configuration passthrough for custom CKEditor...
http://forge.typo3.org/issues/102136 | 2023-10-10T09:38:08Z | Oliver Hader (oliver.hader@typo3.org)
<p>ext:bootstrap_package v14.0.7 does not work anymore with change of issue <a class="issue tracker-1 status-3 priority-4 priority-default closed child parent" title="Bug: CKEditor 5 - Configuration of custom CKeditor 5 plugin via RTE.editor.config.{customPlugin} not p... (Resolved)" href="http://forge.typo3.org/issues/100784">#100784</a> since <code>extraPlugins</code> is handled differently.</p>

TYPO3 Core - Bug #102058 (New): Meta tags rendered as XHTML
http://forge.typo3.org/issues/102058 | 2023-09-28T10:21:50Z | Oliver Hader (oliver.hader@typo3.org)
<pre>
<meta name="generator" content="TYPO3 CMS" />
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
<meta name="robots" content="index,follow" />
...
<meta property="og:image:type" content="image/png" />
<meta property="og:title" content="IN.DIE.musik e.V." />
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@InDieMusik" />
</pre>
<p><a class="external" href="https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239">https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239</a></p>
<pre>
$metaTags[] = '<meta ' .
htmlspecialchars($nameAttribute) . '="' . htmlspecialchars($property) . '" ' .
htmlspecialchars($contentAttribute) . '="' . htmlspecialchars($propertyItem['content']) . '" />';
</pre>

TYPO3 Core - Bug #102057 (New): W3C validator complains about base64 values in CSP
http://forge.typo3.org/issues/102057 | 2023-09-28T09:21:37Z | Oliver Hader (oliver.hader@typo3.org)
<p>From <a class="external" href="https://validator.w3.org/nu/">https://validator.w3.org/nu/</a></p>
<blockquote>
<p>Warning: Content-Security-Policy HTTP header: Bad content security policy: Invalid base64-value (should be multiple of 4 bytes: 54)</p>
</blockquote>
<p>From the specs at <a class="external" href="https://www.w3.org/TR/CSP3/#framework-directive-source-list">https://www.w3.org/TR/CSP3/#framework-directive-source-list</a></p>
<blockquote>
<p>; Nonces: 'nonce-[nonce goes here]'<br />nonce-source = "'nonce-" base64-value "'"</p>
<p>The base64-value grammar allows both base64 and base64url encoding. These encodings are treated as equivalent when processing hash-source values. Nonces, however, are strict string matches: we use the base64-value grammar to limit the characters available, and reduce the complexity for the server-side operator (encodings, etc), but the user agent doesn’t actually care about any underlying value, nor does it do any decoding of the nonce-source value.</p>
</blockquote>
<hr />
<p>For context, the used nonce value was <code>'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'</code></p>
<ul>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA</code> in base64web</li>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA</code> in base64 (shortened)</li>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA==</code> in base64 (complete, 56 chars, 56 mod 4 = 0)</li>
</ul>

TYPO3 Core - Bug #101809 (Resolved): Ensure minimal dependency order in PackageManager
http://forge.typo3.org/issues/101809 | 2023-08-31T10:23:22Z | Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #101797 (Resolved): Replace mutation mode extend by inherit & append
http://forge.typo3.org/issues/101797 | 2023-08-30T11:10:10Z | Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #101753 (Closed): DDEV & Traefik substitute semi-colon to ampersand in URLs
http://forge.typo3.org/issues/101753 | 2023-08-25T13:23:39Z | Oliver Hader (oliver.hader@typo3.org)
<p>With v1.22+ DDEV recently started to use Traefik as routing service - and Traefik has an issue with substituting ";" to "&" in URLs:</p>
<ul>
<li><a class="external" href="https://ddev.readthedocs.io/en/stable/users/extend/traefik-router/">https://ddev.readthedocs.io/en/stable/users/extend/traefik-router/</a></li>
<li><a class="external" href="https://github.com/traefik/traefik/issues/9164">https://github.com/traefik/traefik/issues/9164</a></li>
<li><a class="external" href="https://github.com/traefik/traefik/pull/9131/files#diff-f7d7f0e8fef165ce3ca78be8f4d887b323d564a29b25d416a6a7d2b0e9ff7df7R50">https://github.com/traefik/traefik/pull/9131/files#diff-f7d7f0e8fef165ce3ca78be8f4d887b323d564a29b25d416a6a7d2b0e9ff7df7R50</a></li>
</ul>
<p>Traefik offers the option <a href="https://doc.traefik.io/traefik/routing/entrypoints/#encodequerysemicolons" class="external"><code>encodeQuerySemicolons</code></a> to actually control the behavior, however I was not able to adjust the corresponding configuration in DDEV.</p>
<p>For the time being, Traefik can be disabled in general, by using <code>ddev poweroff && ddev config global --router=nginx-proxy</code>.</p>
<p>This affects how URLs in the TYPO3 backend scope are handled, e.g. (this list is probably not complete, yet):</p>
<ul>
<li>/typo3/wizard/record/browse?token=[...]&mode=file&bparams=|||allowed=gif,jpg,jpeg,tif,tiff,bmp,pcx,tga,png,pdf,ai,svg <code>;</code> disallowed=|data-138-tt_content-1850-background_image-sys_file_reference&contentOnly=1&expandFolder=1%3A%2Ft3con23%2Fimages%2F
<ul>
<li>will be interpreted as<br /> /typo3/wizard/record/browse?token=[...]&mode=file&bparams=|||allowed=gif,jpg,jpeg,tif,tiff,bmp,pcx,tga,png,pdf,ai,svg <code>&</code> disallowed=|data-138-tt_content-1850-background_image-sys_file_reference&contentOnly=1&expandFolder=1%3A%2Ft3con23%2Fimages%2F</li>
<li>causes a failure in <code>\TYPO3\CMS\Filelist\ElementBrowser\FileBrowser::initialize</code></li>
</ul></li>
</ul>
<hr />
<p>Long-term, these URLs (especially the semi-colon "&") should be correctly URL-encoded.</p>

TYPO3 Core - Bug #101748 (Resolved): Undefined array key in DataMapProcessor
http://forge.typo3.org/issues/101748 | 2023-08-24T11:08:14Z | Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #101709 (Resolved): TypoLink forceAbsoluteUrl is not working anymore on processe...
http://forge.typo3.org/issues/101709 | 2023-08-18T13:24:24Z | Oliver Hader (oliver.hader@typo3.org)
<pre>
page = page
page {
  meta {
    twitter:image {
      attribute = property
      cObject = TEXT
      cObject {
        typolink.parameter.cObject = IMG_RESOURCE
        typolink.parameter.cObject {
          file = EXT:site/Resources/Public/Images/indie-logo-inverted.png
          file.width = 1200m
          file.height = 628m
        }
        typolink.forceAbsoluteUrl = 1
        typolink.returnLast = url
      }
    }
  }
}
</pre>
<ul>
<li>the generated result of <code>IMG_RESOURCE</code> is something like <code>/typo3temp/assets/_processed_/8/e/csm_indie-logo-inverted_f323361c00.png</code></li>
<li><code>LegacyLinkNotationConverter</code> considers this to be handled by <code>LinkService::TYPE_URL</code>, since it was generated in the root-file-storage (storage-uid=0)</li>
<li><code>ExternalUrlLinkBuilder</code> (used for <code>LinkService::TYPE_URL</code>) does not consider <code>forceAbsoluteUrl</code></li>
</ul>
<p>This results in the incorrect output of having:</p>
<pre>
<meta name="twitter:image" content="/typo3temp/assets/_processed_/8/e/csm_indie-logo-inverted_f323361c00.png" />
</pre>
<p>But, it actually should contain the domain as well:</p>
<pre>
<meta name="twitter:image" content="https://indiemusik-festival.de/typo3temp/assets/_processed_/8/e/csm_indie-logo-inverted_f323361c00.png" />
</pre>

TYPO3 Core - Bug #101705 (Resolved): Update composer.lock for typo3/html-sanitizer:2.1.3
http://forge.typo3.org/issues/101705 | 2023-08-17T11:03:20Z | Oliver Hader (oliver.hader@typo3.org)
<p>see <a class="external" href="https://stackoverflow.com/questions/76920144/typo3-11-5-30-error-after-bootstrap-update-undefined-function-mb-split">https://stackoverflow.com/questions/76920144/typo3-11-5-30-error-after-bootstrap-update-undefined-function-mb-split</a></p>

TYPO3 Core - Bug #101477 (Resolved): Extend CSP directives and sources
http://forge.typo3.org/issues/101477 | 2023-07-28T17:48:41Z | Oliver Hader (oliver.hader@typo3.org)
<p>The CSP directives 'report-to', 'require-trusted-types-for' and<br />'trusted-types' have been added. Albeit there aren't any typed value<br />counterparts yet, they can be wrapped in a RawValue object, e.g.</p>
<pre>
new Mutation(
    MutationMode::Set,
    Directive::RequireTrustedTypesFor,
    new RawValue("'script'")
),
</pre>
<p>The cases for 'unsafe-hashes' and 'strict-dynamic' were accidentally<br />added as directives instead of source keywords and have been removed.</p>
<p>The source schemes 'filesystem:' and 'mediastream' have been added.</p>
<p>Besides that, the frontend CSP configuration now limits using the<br /><code><base></code> element to same-origin URIs. The backend CSP configuration<br />is now even stricter since using <code><base></code> , <code><embed></code> and <code><object></code><br />elements is blocked.</p>