TYPO3 Forge: Issues http://forge.typo3.org/ 2023-09-28T10:21:50Z TYPO3 Forge
TYPO3 Core - Bug #102058 (New): Meta tags rendered as XHTML http://forge.typo3.org/issues/102058 2023-09-28T10:21:50Z Oliver Hader oliver.hader@typo3.org
<pre>
<meta name="generator" content="TYPO3 CMS" />
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
<meta name="robots" content="index,follow" />
...
<meta property="og:image:type" content="image/png" />
<meta property="og:title" content="IN.DIE.musik e.V." />
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@InDieMusik" />
</pre>
<p><a class="external" href="https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239">https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239</a></p>
<pre>
$metaTags[] = '<meta ' .
htmlspecialchars($nameAttribute) . '="' . htmlspecialchars($property) . '" ' .
htmlspecialchars($contentAttribute) . '="' . htmlspecialchars($propertyItem['content']) . '" />';
</pre>
TYPO3 Core - Bug #101415 (New): Cannot localize page in backend http://forge.typo3.org/issues/101415 2023-07-22T17:59:04Z Oliver Hader oliver.hader@typo3.org
<p>(Actions performed as admin user)</p>
<p>Error message in JavaScript console:</p>
<pre>
Uncaught TypeError: Cannot convert undefined or null to object
at Function.keys (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:641)
at input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:770
at Array.reduce (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:649)
at InputTransformer.toSearchParams (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:481)
at AjaxRequest.withQueryArguments (ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:352)
at Localization.localizeRecords (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:6623)
at Object.callback (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:5597)
at Wizard.runSlideCallback (wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:3552)
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
toSearchParams @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
withQueryArguments @ ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
localizeRecords @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
runSlideCallback @ wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
</pre>
<p>The reason is that in <code>localization.ts</code>, the corresponding <code>action</code> is still <code>null</code>, since there are two <code>availableLocalizationModes</code> (<code>copy</code> and <code>translate</code>), but the handling just expects to have one...</p>
<pre>
<a href="#" class="btn btn-default btn-sm t3js-localize" title=""
data-page="[Translate to Dansk:] 404" data-has-elements="0"
data-allow-copy="1" data-allow-translate="1" data-table="tt_content"
data-page-id="6" data-language-id="1" data-language-name="Dansk">
...
Translate
</a>
</pre>
TYPO3 Core - Task #100906 (New): Handle CSP violations in browser extensions http://forge.typo3.org/issues/100906 2023-05-20T11:55:08Z Oliver Hader oliver.hader@typo3.org
<a name="General"></a>
<h3 >General<a href="#General" class="wiki-anchor">¶</a></h3>
<ul>
<li><a class="external" href="https://csper.io/blog/csp-report-filtering">https://csper.io/blog/csp-report-filtering</a></li>
<li><a class="external" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">https://dropbox.tech/security/on-csp-reporting-and-filtering</a></li>
<li><a class="external" href="https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf">https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf</a></li>
<li><a class="external" href="https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20">https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20</a></li>
<li><a class="external" href="https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59">https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59</a></li>
</ul>
<a name="Payloads"></a>
<h3 >Payloads<a href="#Payloads" class="wiki-anchor">¶</a></h3>
<code>{"blocked-uri":"inline","column-number":9,"disposition":"enforce","document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023","effective-directive":"script-src-elem","line-number":33,"original-policy":"frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325","referrer":"","script-sample":"(function (NAVIGATOR, OBJECT) {\n\n if \u2026","source-file":"moz-extension","status-code":200,"violated-directive":"script-src-elem"}
</code>
<p>→ <code>"source-file":"moz-extension"</code><br />→ payload <code>(function (NAVIGATOR, OBJECT) { if </code><br />→ trigger <a class="external" href="https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23">https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23</a></p>
<hr />
<p>...</p>
TYPO3 Core - Task #99046 (New): DOCS: Routing Troubleshooting Section http://forge.typo3.org/issues/99046 2022-11-10T11:39:03Z Oliver Hader oliver.hader@typo3.org
<ul>
<li><a class="external" href="https://forge.typo3.org/issues/91530">https://forge.typo3.org/issues/91530</a>
<ul>
<li>describe consequences of using <code>PageType</code> decorator</li>
<li>concerning optional route variables (using <code>defaults</code>)</li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/94585">https://forge.typo3.org/issues/94585</a>
<ul>
<li>describe consequences of using route without specific segment, e.g. <code>/{variable}</code></li>
<li>suggest to use specific segment, e.g. <code>/show/{variable}</code></li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/90959#note-3">https://forge.typo3.org/issues/90959#note-3</a>
<ul>
<li>describe consequences of ambiguity</li>
</ul></li>
</ul>
TYPO3 Core - Bug #96435 (New): Apply rate limiter to mail forms http://forge.typo3.org/issues/96435 2021-12-27T18:09:10Z Oliver Hader oliver.hader@typo3.org
<p>In order to limit sending forms again and again (which can be automated e.g. by using Selenium or similar techniques), sending out a particular form should be rate-limited (available since TYPO3 v11).</p>
TYPO3 Core - Bug #95725 (New): Title shown twice with pdfinfo using PDF/X files http://forge.typo3.org/issues/95725 2021-10-21T18:44:48Z Oliver Hader oliver.hader@typo3.org
<p>The following report has been sent to me via mail by Josef Sigritz, I'm just dumping it here:</p>
<hr />
<p>We have a problem with the FileContentParser of Indexed_Search: for PDF/X files, pdfinfo outputs the Title twice. As a result, the actual Title is overwritten.</p>
<p>Example:<br />pdfinfo test.pdf</p>
<pre>
*Title: BAA010718_Broschüre_Chancen_bieten_V2.indd*
Creator: Adobe InDesign CC 13.0 (Macintosh)
Producer: Adobe PDF Library 15.0
CreationDate: Thu Feb 22 15:51:27 2018 CET
ModDate: Mon Mar 12 12:12:12 2018 CET
Tagged: no
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 20
Encrypted: no
Page size: 595.276 x 841.89 pts (A4)
Page rot: 0
File size: 2292621 bytes
Optimized: yes
PDF version: 1.3
PDF subtype: PDF/X-3:2002
*Title: ISO 15930 - Electronic document file format for prepress digital data exchange (PDF/X)*
Abbreviation: PDF/X-3:2002
Subtitle: Part 3: Complete exchange suitable for colour-managed workflows (PDF/X-3)
Standard: ISO 15930-3
</pre>
<p>Suggested improvement:<br />Class: typo3/typo3/sysext/indexed_search/Classes/FileContentParser.php, function splitPdfInfo</p>
<pre>
public function splitPdfInfo($pdfInfoArray)
{
    $res = [];
    if (is_array($pdfInfoArray)) {
        foreach ($pdfInfoArray as $line) {
            // Split "Key: value" at the first colon only
            $parts = explode(':', $line, 2);
            if (count($parts) > 1 && trim($parts[0])) {
                $key = strtolower(trim($parts[0]));
                // Keep the first occurrence of a key, so that the second "Title"
                // line printed for PDF/X files does not overwrite the document title
                if (!array_key_exists($key, $res)) {
                    $res[$key] = trim($parts[1]);
                }
            }
        }
    }
    return $res;
}
</pre>
TYPO3 Core - Feature #91668 (New): Add system communication API http://forge.typo3.org/issues/91668 2020-06-17T17:46:25Z Oliver Hader oliver.hader@typo3.org
<p>A system communication API could be used to retrieve data from official typo3.org services or send back anonymous usage data in order to help understand TYPO3-use-cases much better.</p>
<a name="Scenarios"></a>
<h2 >Scenarios<a href="#Scenarios" class="wiki-anchor">¶</a></h2>
<ul>
<li>compare current TYPO3 version with latest TYPO3 version & warn about missing security updates</li>
<li>fetch and display vendor messages for selected topics - e.g. release updates, important security notifications, etc.</li>
<li>send anonymous usage data back to granted services (typo3.org or custom endpoints)</li>
</ul>
<a name="Requirements"></a>
<h2 >Requirements<a href="#Requirements" class="wiki-anchor">¶</a></h2>
<ul>
<li>non-blocking - most of the communication shall happen in the background or in the client only (AJAX)</li>
<li>HTTP requests need to provide as little information as possible (no referrers, no cookies, ...)</li>
<li>each used communication stream/channel must be opt-in - users or site admins have to subscribe</li>
</ul>
TYPO3 Core - Task #89347 (New): Provide strong defaults for anchor noreferred/noopener attribute http://forge.typo3.org/issues/89347 2019-10-04T12:02:37Z Oliver Hader oliver.hader@typo3.org
<p>Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed child" title="Feature: Add rel=&quot;noopener noreferrer&quot; to links when target is set to _blank (Closed)" href="http://forge.typo3.org/issues/78488">#78488</a> introduced noreferrer & noopener by default for external links, see<br /><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194">https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194</a></p>
<p>However there are scenarios where this has to be seen in context and scope of the website project:</p>
<a name="General"></a>
<h2 >General<a href="#General" class="wiki-anchor">¶</a></h2>
<ul>
<li><code>noopener</code> only has an effect on "opened" window contexts (e.g. <code>target="_blank"</code>)</li>
<li><code>noreferrer</code> might contradict tracking & analysis on websites
<ul>
<li>e.g. "which site has similar information" - good use of referrer in a scope similar to "LOD"
<ul>
<li><code>Referrer: https://typo3-website.org/resources/car-engines/abc</code> when opening <code>https://remote-vendor.com/cars/xyz</code></li>
</ul>
</li>
<li>e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point to public resources
<ul>
<li><code>Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks</code> pointing to <code>https://remote-vendor.com/prodct-abc</code></li>
</ul></li>
</ul></li>
</ul>
<a name="Suggestion"></a>
<h2 >Suggestion<a href="#Suggestion" class="wiki-anchor">¶</a></h2>
<ul>
<li>make settings configurable
<ul>
<li>TypoScript <code>typolink</code></li>
<li>Site Configuration anchor behavior</li>
</ul>
</li>
<li>default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict <code>noopener noreferrer</code> (current scenario)</li>
<li>use <code>Referrer-Policy</code> HTTP header as site-wide default instead, use HTML attr to override the default behavior
<ul>
<li>different per site (frontend)</li>
<li>common for admin UI (backend)</li>
</ul></li>
</ul>
<a name="Side-note"></a>
<h2 >Side-note<a href="#Side-note" class="wiki-anchor">¶</a></h2>
There is a difference between TYPO3 backend and frontend as well. Basically
<ul>
<li>strict default for backend should be <code>noopener noreferrer</code></li>
<li>individual behavior for frontend as outlined in previous sections</li>
</ul>
TYPO3 Core - Epic #77562 (Accepted): Misbehaviors with datetime values and timezones http://forge.typo3.org/issues/77562 2016-08-21T21:00:33Z Oliver Hader oliver.hader@typo3.org
<p>This issue serves as an umbrella collector.</p>
<p>We can do little to fix stuff in v7, but we shall fix a lot in v8.</p>
<p>The goals for v8 are:</p>
<ul>
<li>Same DB content as in v7</li>
<li>Values written to FormEngine must contain the server's timezone in the ISO-format</li>
<li>FormEngine JS must be aware of the timezone used in BE to write back correct values</li>
</ul>
TYPO3 Core - Bug #59851 (Closed): Image thumbnails sometimes in backend not shown http://forge.typo3.org/issues/59851 2014-06-24T15:41:39Z Oliver Hader oliver.hader@typo3.org
<p>Sometimes the image thumbnails in the page module are not shown in the TYPO3 backend.<br />The reason for that could be missing reference count values in tt_content.image.</p>
<p>A work-around is to update those counters in SQL (don't use if workspaces are enabled and used):<br /><code><br />UPDATE tt_content<br />SET image=(SELECT COUNT(*) FROM sys_file_reference<br />WHERE uid_foreign = tt_content.uid) WHERE uid IN (SELECT uid_foreign FROM sys_file_reference);<br /></code></p>
TYPO3 Core - Bug #55454 (Closed): Buttons for explicit translation are not shown http://forge.typo3.org/issues/55454 2014-01-30T13:19:39Z Oliver Hader oliver.hader@typo3.org
Steps:
<ul>
<li>enable $GLOBALS['TYPO3_CONF_VARS']['BE']['explicitConfirmationOfTranslation'] in Install Tool</li>
<li>e.g. create or modify a record in the backend</li>
<li>the additional translation buttons are not rendered correctly</li>
</ul>
<p><img src="http://forge.typo3.org/attachments/download/25925/translation_buttons.png" alt="" loading="lazy" /></p>
<p>I'm not sure whether this feature is used or documented at all.<br />It seems that the original commit for this feature was this:<br /><a class="changeset" title="* Feature added to disable automatic update of diff data for translation when saving records. Ins..." href="http://forge.typo3.org/projects/typo3cms-core/repository/1749/revisions/a19fb26a51243b4a74d2f8d13f882900fc12df99">a19fb26a51243b4a74d2f8d13f882900fc12df99</a></p>
TYPO3 Core - Bug #50531 (Closed): Deleted state is not persisted in file objects http://forge.typo3.org/issues/50531 2013-07-29T18:53:05Z Oliver Hader oliver.hader@typo3.org
<p>The deleted state of file objects of the file abstraction layer is not persisted and thus not carried to the database.<br />Since the concept of using the deleted flag is not used at all, additional checks and processors to set and unset the state need to be integrated.</p>
TYPO3 Core - Bug #48451 (Closed): Backend Layouts not visualized http://forge.typo3.org/issues/48451 2013-05-22T14:16:21Z Oliver Hader oliver.hader@typo3.org
<p>Backend Layouts columns are not shown in the Web>Page view.</p>
TYPO3 Core - Feature #9754 (Rejected): Module: Implement Workspaces List tab http://forge.typo3.org/issues/9754 2010-09-16T12:01:32Z Oliver Hader oliver.hader@typo3.org
<p>Implement Workspaces List tab</p>
TYPO3 Core - Bug #21726 (Closed): Updating translations from repository in extension manager fail... http://forge.typo3.org/issues/21726 2009-11-28T15:53:33Z Oliver Hader oliver.hader@typo3.org
<p>Updating translations from repository in extension manager fails in Safari 4.0.4 on Mac OS X. Just a white page is shown - after a while, when all packages have been downloaded, suddenly the full status appears. Thus, showing the process dynamically does not work.</p>
<p>In Firefox everything works as expected.</p>
<p>(issue imported from #M12822)</p>