TYPO3 Forge: Issues (Redmine) | http://forge.typo3.org/ | 2023-09-28T10:21:50Z

TYPO3 Core - Bug #102058 (New): Meta tags rendered as XHTML | http://forge.typo3.org/issues/102058 | 2023-09-28T10:21:50Z | Oliver Hader (oliver.hader@typo3.org)
<pre>
<meta name="generator" content="TYPO3 CMS" />
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
<meta name="robots" content="index,follow" />
...
<meta property="og:image:type" content="image/png" />
<meta property="og:title" content="IN.DIE.musik e.V." />
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@InDieMusik" />
</pre>
<p><a class="external" href="https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239">https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239</a></p>
<pre>
$metaTags[] = '<meta ' .
htmlspecialchars($nameAttribute) . '="' . htmlspecialchars($property) . '" ' .
htmlspecialchars($contentAttribute) . '="' . htmlspecialchars($propertyItem['content']) . '" />';
</pre>

TYPO3 Core - Task #100906 (New): Handle CSP violations in browser extensions | http://forge.typo3.org/issues/100906 | 2023-05-20T11:55:08Z | Oliver Hader (oliver.hader@typo3.org)
<a name="General"></a>
<h3>General</h3>
<ul>
<li><a class="external" href="https://csper.io/blog/csp-report-filtering">https://csper.io/blog/csp-report-filtering</a></li>
<li><a class="external" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">https://dropbox.tech/security/on-csp-reporting-and-filtering</a></li>
<li><a class="external" href="https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf">https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf</a></li>
<li><a class="external" href="https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20">https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20</a></li>
<li><a class="external" href="https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59">https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59</a></li>
</ul>
<a name="Payloads"></a>
<h3>Payloads</h3>
<pre><code>{
  "blocked-uri": "inline",
  "column-number": 9,
  "disposition": "enforce",
  "document-uri": "https:\/\/indiemusik-festival.de\/events\/festival-2023",
  "effective-directive": "script-src-elem",
  "line-number": 33,
  "original-policy": "frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325",
  "referrer": "",
  "script-sample": "(function (NAVIGATOR, OBJECT) {\n\n if \u2026",
  "source-file": "moz-extension",
  "status-code": 200,
  "violated-directive": "script-src-elem"
}</code></pre>
<p>→ <code>"source-file":"moz-extension"</code><br />→ payload <code>(function (NAVIGATOR, OBJECT) { if </code><br />→ trigger <a class="external" href="https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23">https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23</a></p>
<hr />
<p>...</p>

TYPO3 Core - Bug #95725 (New): Title shown twice with pdfinfo using PDF/X files | http://forge.typo3.org/issues/95725 | 2021-10-21T18:44:48Z | Oliver Hader (oliver.hader@typo3.org)
<p>The following report has been sent to me via mail by Josef Sigritz; I'm just dumping it here:</p>
<hr />
<p>We have a problem with the FileContentParser of Indexed_Search: for PDF/X files, pdfinfo outputs the Title twice. As a result, the actual title gets overwritten.</p>
<p>Example:<br />pdfinfo test.pdf</p>
<pre>
*Title: BAA010718_Broschüre_Chancen_bieten_V2.indd*
Creator: Adobe InDesign CC 13.0 (Macintosh)
Producer: Adobe PDF Library 15.0
CreationDate: Thu Feb 22 15:51:27 2018 CET
ModDate: Mon Mar 12 12:12:12 2018 CET
Tagged: no
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 20
Encrypted: no
Page size: 595.276 x 841.89 pts (A4)
Page rot: 0
File size: 2292621 bytes
Optimized: yes
PDF version: 1.3
PDF subtype: PDF/X-3:2002
*Title: ISO 15930 - Electronic document file format for prepress digital data exchange (PDF/X)*
Abbreviation: PDF/X-3:2002
Subtitle: Part 3: Complete exchange suitable for colour-managed workflows (PDF/X-3)
Standard: ISO 15930-3
</pre>
<p>Suggested improvement:<br />Class: typo3/typo3/sysext/indexed_search/Classes/FileContentParser.php, function splitPdfInfo</p>
<pre>
public function splitPdfInfo($pdfInfoArray)
{
    $res = [];
    if (is_array($pdfInfoArray)) {
        foreach ($pdfInfoArray as $line) {
            $parts = explode(':', $line, 2);
            if (count($parts) > 1 && trim($parts[0])) {
                $key = strtolower(trim($parts[0]));
                // keep the first occurrence only: pdfinfo prints "Title" twice for PDF/X files,
                // and the second (standard name) must not overwrite the document title
                if (!array_key_exists($key, $res)) {
                    $res[$key] = trim($parts[1]);
                }
            }
        }
    }
    return $res;
}
</pre>

TYPO3 Core - Task #89347 (New): Provide strong defaults for anchor noreferrer/noopener attribute | http://forge.typo3.org/issues/89347 | 2019-10-04T12:02:37Z | Oliver Hader (oliver.hader@typo3.org)
<p>Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed child" title="Feature: Add rel=&quot;noopener noreferrer&quot; to links when target is set to _blank (Closed)" href="http://forge.typo3.org/issues/78488">#78488</a> introduced noreferrer &amp; noopener per default for external links, see<br /><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194">https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194</a></p>
<p>However there are scenarios where this has to be seen in context and scope of the website project:</p>
<a name="General"></a>
<h2>General</h2>
<ul>
<li><code>noopener</code> only has an effect on "opened" window contexts (e.g. <code>target="_blank"</code>)</li>
<li><code>noreferrer</code> might contradict tracking &amp; analytics on websites
<ul>
<li>e.g. "which site has similar information" - good use of referrer in a scope similar to "LOD"
<ul>
<li><code>Referrer: https://typo3-website.org/resources/car-engines/abc</code> when opening <code>https://remote-vendor.com/cars/xyz</code></li>
</ul>
</li>
<li>e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point to public resources
<ul>
<li><code>Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks</code> pointing to <code>https://remote-vendor.com/prodct-abc</code></li>
</ul></li>
</ul></li>
</ul>
<a name="Suggestion"></a>
<h2>Suggestion</h2>
<ul>
<li>make settings configurable
<ul>
<li>TypoScript <code>typolink</code></li>
<li>Site Configuration anchor behavior</li>
</ul>
</li>
<li>default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict <code>noopener noreferrer</code> (current scenario)</li>
<li>use <code>Referrer-Policy</code> HTTP header as site-wide default instead, use HTML attr to override the default behavior
<ul>
<li>different per site (frontend)</li>
<li>common for admin UI (backend)</li>
</ul></li>
</ul>
<a name="Side-note"></a>
<h2>Side-note</h2>
<p>There is a difference between the TYPO3 backend and frontend as well. Basically:</p>
<ul>
<li>strict default for backend should be <code>noopener noreferrer</code></li>
<li>individual behavior for frontend as outlined in previous sections</li>
</ul>

TYPO3 Core - Bug #88613 (New): Replace ObjectStorage &amp; LazyObjectStorage with symfony/collection | http://forge.typo3.org/issues/88613 | 2019-06-21T21:37:23Z | Oliver Hader (oliver.hader@typo3.org)
<p>For regular ObjectStorage, deserialization most probably would work; however, there are inconsistencies concerning object integrity due to ObjectStorage using spl_object_hash() internally. As a result it would not be possible to detach an object retrieved from a repository from some deserialized ObjectStorage; basically the uid should be used as identifier here, which would turn ObjectStorage into an EntityStorage. So, we could live with serialization of ObjectStorage.</p>
<p>For LazyObjectStorage things get more difficult, since serializing it would mean serializing back-references to the parent object as well as DataMapper state, ObjectManager state and, in the end, class reflection state; that turns out to be a massive collection of serialized data.</p>
<p>Thus, we experience the most pain with LazyObjectStorage and its current implementation.</p>

TYPO3 Core - Feature #87300 (New): Limit amount of concurrent user sessions for same user | http://forge.typo3.org/issues/87300 | 2018-12-27T13:53:30Z | Oliver Hader (oliver.hader@typo3.org)
<p>TYPO3 allows multiple sessions per user, which is a feature on the one hand but could also be a security risk on the other. In order to improve this scenario, it should be possible to limit the number of concurrent sessions per user (or to disable concurrent logins entirely).</p>
<p>The behavior can be configured either for the whole system or (optionally) per user.</p>

TYPO3 Core - Epic #84920 (New): Provide generic context based data retrieval API | http://forge.typo3.org/issues/84920 | 2018-05-03T14:50:35Z | Oliver Hader (oliver.hader@typo3.org)
<p>In order to avoid the requirement of specific knowledge of TYPO3 persistence behavior, such as localization or workspaces, a generic API to retrieve data shall be provided.</p>
<p>The functionality relies on these base parameters:</p>
<ul>
<li>context (language, workspace)</li>
<li>permissions (pages, tables, fields, ..., context permissions)</li>
<li>optional behavior (language fallback, individual handling)</li>
</ul>
<p>Basic functionality:</p>
<ul>
<li>retrieve specific entities for the given base parameters (e.g. languages & workspaces resolved automatically)</li>
<li>retrieve any relational entities (children) for the given base parameters (not caring whether 1:n inline or m:n group/db has been defined)</li>
</ul>
<p>Extended functionality:</p>
<ul>
<li>retrieve data based on individual/custom query (fields, constraints, sorting)</li>
<li>retrieve data based on GraphQL query</li>
</ul>

TYPO3 Core - Epic #84918 (New): Streamline Permission Layer | http://forge.typo3.org/issues/84918 | 2018-05-03T14:41:43Z | Oliver Hader (oliver.hader@typo3.org)
<p>Concerning data handling and persistence, basically only the backend context is considered (in DataHandler, PageLayoutView et al.). General permission handling in Extbase and other frontend-related implementations is only implemented for the visibility of pages and frontend user groups.</p>
<p>In order to overcome these differences, permission handling has to be generalized and used in the affected components.<br />For instance, as an impact, DataHandler does not rely on a BackendUserAuthentication (BE_USER) instance anymore, but on a generic permission definition that can be used in backend and frontend context.</p>

TYPO3 Core - Story #84917 (New): Make use of schema definition &amp; relationship layer | http://forge.typo3.org/issues/84917 | 2018-05-03T14:36:29Z | Oliver Hader (oliver.hader@typo3.org)
<ul>
<li>DataHandler, RelationHandler, DataMapProcessor</li>
<li>Extbase DataMapFactory, Storage Backend</li>
<li>FormEngine DataProviders, Containers</li>
<li>RootlineUtility</li>
</ul>
<p>... and more ...</p>

TYPO3 Core - Story #84916 (New): Provide generic entity relationship model | http://forge.typo3.org/issues/84916 | 2018-05-03T14:30:00Z | Oliver Hader (oliver.hader@typo3.org)
<p>Expected goal</p>
<pre>
$contentSchemaDefinition = (new SomeService)->getSchemaDefinition('tt_content');
$fileReferenceSchemaDefinition = (new SomeService)->getSchemaDefinition('sys_file_reference');
var_dump($contentSchemaDefinition->getProperty('media')->getRelations());
var_dump($fileReferenceSchemaDefinition->getProperty('uid_foreign')->getRelations());
</pre>
<p>might output something like</p>
<pre>
# relations for tt_content.media
+ ActiveRelation: schemaName "sys_file_reference"
</pre>
<pre>
# relations for sys_file_reference.uid_foreign
+ PassiveRelation: schemaName "tt_content", propertyName: "image"
+ PassiveRelation: schemaName "tt_content", propertyName: "media"
+ PassiveRelation: schemaName "tt_content", propertyName: "assets"
</pre>
<p>Currently the "opposite usage" of relations is not explicitly known. In order to speed up lookups, this information should be cached along with the plain schema definition (e.g. TCA).</p>

TYPO3 Core - Story #84915 (New): Provide generic entity schema definition | http://forge.typo3.org/issues/84915 | 2018-05-03T14:19:06Z | Oliver Hader (oliver.hader@typo3.org)
<p>Expected goal</p>
<pre>
$factory = new TcaSchemaDefinitionFactory($GLOBALS['TCA']);
$schemaDefinition = $factory->buildForTable('tt_content');
$service = new SchemaDefinitionService();
$mediaProperty = $schemaDefinition->getProperty('media');
$service->isRelational($mediaProperty);
if ($service->getRelationType($mediaProperty) === Relation::TYPE_ONE_TO_MANY_COMPOSITION) { ... }
</pre>
<p>The API above can still change. Besides that, Extbase <code>DataMapFactory</code> could be considered as a foundation as well.</p>

TYPO3 Core - Epic #84914 (New): Streamline entity configuration layer | http://forge.typo3.org/issues/84914 | 2018-05-03T14:08:35Z | Oliver Hader (oliver.hader@typo3.org)
<p>Entity configuration in TYPO3 is done using TCA (table configuration array). Currently the interpretation of e.g. "what is a 1:n composition (IRRE)" is spread over multiple locations; the most important to mention are DataHandler, Extbase and FormEngine, but there are many more.</p>
<p>In order to avoid individual (and possibly different) interpretations of entity definitions and features, a generic configuration shall be introduced to provide access to the semantics of TCA and FlexForm data structures.</p>

TYPO3 Core - Feature #79105 (New): Extend workspace notification channels | http://forge.typo3.org/issues/79105 | 2016-12-29T13:15:10Z | Oliver Hader (oliver.hader@typo3.org)
<p>Currently workspaces only support sending out notifications via mail; however, it would be great if this could be enhanced to push notifications to any other service, e.g. Slack or IRC. This feature is about providing the possibility of a custom API for attaching new notification services.</p>

TYPO3 Core - Bug #78849 (New): Show logged records of DatabaseWriter in ext:belog | http://forge.typo3.org/issues/78849 | 2016-12-01T12:33:34Z | Oliver Hader (oliver.hader@typo3.org)
<p>Log entries that have been persisted using the logging framework are not visualized in ext:belog.<br />The reason is that the logging framework uses different field names for the sys_log table, which are not considered.</p>

TYPO3 Core - Task #69966 (New): Integrate localization and fallback resolving in PlainDataResolver | http://forge.typo3.org/issues/69966 | 2015-09-19T10:53:29Z | Oliver Hader (oliver.hader@typo3.org)
<p>PlainDataResolver is targeted at resolving relations based on a given context (workspaces, localization). The current implementation is used only for workspaces in the TYPO3 backend. However, the resolving pipeline should consider localization and localization fallbacks as well.</p>