TYPO3 Forge: Issueshttp://forge.typo3.org/http://forge.typo3.org/themes/typo3_forge/favicon/favicon.png?17058661692024-03-27T17:07:51ZTYPO3 Forge
Redmine TYPO3 Core - Feature #103493 (Under Review): Show button to edit full record in linkvalidator (ad...http://forge.typo3.org/issues/1034932024-03-27T17:07:51ZSybille Peterssypets@gmx.de
<p>By default, a form showing only the field with the broken link is opened, if clicking the "pencil" button in the Link Validator report.</p>
<p>If checking sys_redirect.target as well, I noticed that opening the form this way is not helpful, because some context is missing: we see only the target, but not the source_path and the rest of the fields.</p>
<p>In this particular case, the default behaviour is unhelpful.</p>
<p>Originally, the behaviour was that the entire record was edited. This, however also proved as unhelpful, because sometime the broken link was a bit hidden, or it was in a different tab.</p>
<a name="Implementation-options"></a>
<h2 >Implementation options<a href="#Implementation-options" class="wiki-anchor">¶</a></h2>
<ol>
<li>(Idealistic) would be if the full record was opened, but the tab where the broken link is contained is opened by default, and if necessary there is scrolling so the field is in focus. Additionally, it might be helpful if this field (or all fields with broken links) would be marked visibly. (However, marking visibly should be different from what is currently used in case of evaluation).</li>
<li>(pragmatic) show both buttons but make it configurable, e.g.</li>
</ol> TYPO3 Core - Bug #103478 (New): Linkvalidator should check fields with type "file"http://forge.typo3.org/issues/1034782024-03-25T05:47:22ZSybille Peterssypets@gmx.de
<p>e.g. pages.media</p>
<p>see documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html</a></p>
<p>LinkAnalyzer.php:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre> TYPO3 Core - Bug #103100 (Resolved): "Refresh display" or "Check links" button is entirely disabl...http://forge.typo3.org/issues/1031002024-02-11T13:18:51ZSybille Peterssypets@gmx.de
<p>By default, the buttons in "Report" and "Check links" module are disabled. They are enabled via JavaScript if a check option is enabled.</p>
<p>However, in TYPO3 v13 (and possibly below), this does not work correctly: if all options are unchecked (which is the default for new users) and then one of them is toggled (to enabled), it is still not possible to click the button at all, it remains disabled even if options are being checked. It looks like the event listener is not being called.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<p>1. switch to a new user where the options have not been enabled yet<br />2. Either in the "Report" or "Check links" view, enable one of the checkboxes for the link types<br />3. Try to click the button</p>
<p>Result: nothing happens, the button is disabled, so it is not possible to execute the new selection.</p>
<a name="Versions"></a>
<h2 >Versions<a href="#Versions" class="wiki-anchor">¶</a></h2>
<p>Could be reproduced in TYPO3 v13 (main).</p>
<p>Could NOT be reproduce din TYPO3 v12.</p>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/38255/linkvalidator_checkboxes.png" alt="" loading="lazy" /></p> TYPO3 Core - Bug #103059 (New): Not possible to see references if no access to content where file...http://forge.typo3.org/issues/1030592024-02-06T10:22:55ZSybille Peterssypets@gmx.de
<p>In the file list you can see the number of references for files which are referenced from content which you do not have access to, and you can also click on the link, but the references will not be displayed.</p>
<p>I would expect it to be possible to see the references (read-only) and also be able to see which pages the references are on (ideally by having a "view page" button).</p>
<p>Otherwise you cannot delete files and you can't find out (as normal editor) where they are still being referenced from.</p>
<p>This means, these cases can only be resolved by admin users or by users with access to both the files and the content.</p>
<a name="Example"></a>
<h2 >Example<a href="#Example" class="wiki-anchor">¶</a></h2>
<p>user A<br />- access to pages /a/<br />- access to files fileadmin/a</p>
<p>user B<br />- access to pages /b/<br />- access to files fileadmin/b</p>
<p>Content in /a/ links to file /b/test.png. Now, user b cannot see references for test.png and cannot delete test.png.</p> TYPO3 Core - Feature #102644 (New): Make it easier to restrict uploadable file types / extensions...http://forge.typo3.org/issues/1026442023-12-09T22:07:09ZSybille Peterssypets@gmx.de
<p>I want to prevent <strong>additional</strong> unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.</p>
<a name="My-feature-reqeust"></a>
<h2 >My feature reqeust<a href="#My-feature-reqeust" class="wiki-anchor">¶</a></h2>
<ul>
<li>add a "safe" configuration, so you can add <strong>additional</strong> file extensions, without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern, it could be a comma separated list of file extensions, which is used in FileNameValidator</li>
<li>make it possible to use "explicit allow" instead of "explicit deny" here. This should probably not be the default yet, but could be in the future.</li>
</ul>
<a name="Background"></a>
<h2 >Background<a href="#Background" class="wiki-anchor">¶</a></h2>
<p>Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], is used in FileNameValidator.</p>
<p>It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.</p>
<p>I assume, that is for security reasons, that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.</p>
<p>But, this also makes it difficult, in case you want to be <em>more restrictive</em> (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.</p> TYPO3 Core - Bug #102595 (New): Not possible to override richtextConfiguration via TSconfig if in...http://forge.typo3.org/issues/1025952023-12-04T05:11:41ZSybille Peterssypets@gmx.de
<p>Normally, overriding settings in Flexform via TSconfig is possibly, for example like this:</p>
<pre>
# TCEFORM.[tableName].[fieldName].[dataStructureKey].[flexSheet].[flexFieldName with escaped dots].[propertyName]
<pre>
TCEFORM.tt_content.pi_flexform.sfregister_create.sDEF.settings\.fields\.selected.addItems.ZZZ = ZZZ
</pre>
</pre><br />see <a class="external" href="https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html">https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html</a>
<p>But this does not seem to work with the richtextConfiguration if in a Flexform which would then be overridden with RTE, for example like this:</p>
<pre>
RTE.config.tx_news_domain_model_news.bodytext.preset = otherpreset
</pre>
<p>For a Flexform field, it should look for example like this:</p>
<pre>
RTE.config.tt_content.pi_flexform.powermail_pi1.thx.settings\.flexform\.thx\.body.preset = otherpreset
</pre>
<p>but this does not work</p> TYPO3 Core - Feature #102447 (New): Prevent information disclosure from Only Office by copy-paste...http://forge.typo3.org/issues/1024472023-11-22T12:21:55ZSybille Peterssypets@gmx.de
<p>This seems to be already fixed in ckeditor: <a class="external" href="https://github.com/ckeditor/ckeditor5/issues/14947">https://github.com/ckeditor/ckeditor5/issues/14947</a></p>
<blockquote>
<p>We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.</p>
</blockquote>
<p>However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.</p>
<p>Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.</p>
<p>This is a problem because:</p>
<ul>
<li>sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).</li>
<li>it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)</li>
<li>it clutters up the visible history (sys_history view in BE)</li>
</ul>
<p>I have seen this in our site which uses latest TYPO3 v11.</p> TYPO3 Core - Task #101711 (New): document classesAnchor for rte_ckeditorhttp://forge.typo3.org/issues/1017112023-08-18T14:58:45ZSybille Peterssypets@gmx.de
<p>This is the only documentation for classesAnchor I could find so far, but this is for rtehtmlarea:</p>
<p><a class="external" href="https://docs.typo3.org/p/friendsoftypo3/rtehtmlarea/main/en-us//Configuration/PageTsconfig/classesAnchor/Index.html">https://docs.typo3.org/p/friendsoftypo3/rtehtmlarea/main/en-us//Configuration/PageTsconfig/classesAnchor/Index.html</a></p>
<p>classesAnchor is not documented in the rte_ckeditor documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-rte-ckeditor/main/en-us/Index.html">https://docs.typo3.org/c/typo3/cms-rte-ckeditor/main/en-us/Index.html</a></p>
<p>classesAnchor can be used in rte_ckeditor as well, see example in bootstrap_package:</p>
<pre>
classesAnchor:
page:
class: 'link-page'
type: 'page'
folder:
class: 'link-folder'
type: 'folder'
file:
class: 'link-file'
type: 'file'
external:
class: 'link-external'
type: 'url'
mail:
class: 'link-mail'
type: 'mail'
</pre>
<p><a class="external" href="https://github.com/benjaminkott/bootstrap_package/blob/master/Configuration/RTE/Default.yaml">https://github.com/benjaminkott/bootstrap_package/blob/master/Configuration/RTE/Default.yaml</a></p>
<a name="Search-for-classesAnchor"></a>
<h3 >Search for "classesAnchor"<a href="#Search-for-classesAnchor" class="wiki-anchor">¶</a></h3>
<ul>
<li>in "TYPO3 Explained": no result</li>
<li>in rte_ckeditor Documentation: no result</li>
</ul>
<a name="Related"></a>
<h3 >Related<a href="#Related" class="wiki-anchor">¶</a></h3>
<ul>
<li>changelog: <a href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.0/Breaking-98275-RemovedPreDefinedLinkTitleAttributesInRTELinkBrowser.html" class="external">Breaking: #98275 - Removed pre-defined link title attributes in RTE link browser</a></li>
</ul> TYPO3 Core - Bug #101670 (New): Linkvalidator reports some external URLs as "false positives"http://forge.typo3.org/issues/1016702023-08-13T06:39:37ZSybille Peterssypets@gmx.de
<p>Links are reported as broken which are not broken.</p>
<p>Known cases:</p>
<p>1. sites without complete certificate chain ( <strong>intermediate</strong> (not root) certs missing), Qualys SSLLabs reports this when checking, but browsers resolve this by fetching (and storing) the intermediate certificates, so the URL seems to work fine in the browser<br />2. sites protected by Cloadflare (returns status code 503)</p>
<p>Some other sites also cause problems for unknown reasons:</p>
<ul>
<li>twitter</li>
<li>linkedin</li>
<li>etc.</li>
</ul> TYPO3 Core - Bug #101417 (Closed): It is not possible to remove the target via the link browserhttp://forge.typo3.org/issues/1014172023-07-23T05:43:05ZSybille Peterssypets@gmx.de
<p>Reproducible with latest v13, possibly also v12. May have to use patch <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80034">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80034</a> to reproduce, otherwise target is not always saved to DB.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<ol>
<li>Add a target to a link</li>
<li>In the link brower, remove the target, klick update</li>
<li>Save the CE (or switch to source mode)</li>
</ol>
<p>The target is still there, e.g.</p>
<pre>
<p><a href="t3://page?uid=1" title="hallo" target="_blank">link1</a></p>
</pre> TYPO3 Core - Bug #101414 (Resolved): Alert dialog does not show information about references inli...http://forge.typo3.org/issues/1014142023-07-22T13:09:23ZSybille Peterssypets@gmx.de
<p>This issue handles only one specific case which was already patched in v12 and v13.</p>
<p>More information is in <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: Message that there are references which point to this record is not always displayed when trying ... (New)" href="http://forge.typo3.org/issues/101411">#101411</a></p>
<p>Hopefully part of the improvements in <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/72001">https://review.typo3.org/c/Packages/TYPO3.CMS/+/72001</a> can be backported to v11.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<p>1. Create a record [1] (e.g. texmedia), create a shortcut ce [2] which references this<br />2. In page module try to delete the record [1] (using the inline delete button).</p>
<p>We see a generic delete msg. We expect delete msg which warns about references.</p>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37847/delete_record_with_references_generic_message.png" alt="" loading="lazy" /></p> TYPO3 Core - Bug #101411 (New): Message that there are references which point to this record is n...http://forge.typo3.org/issues/1014112023-07-22T12:42:30ZSybille Peterssypets@gmx.de
<p>Usually, we get an alert, sometime like this:</p>
<blockquote>
<p>Are you sure you want to delete the record 'textmedia1 [tt_content:54]'? There are 1 reference(s) to this record!</p>
</blockquote>
<p>or</p>
<blockquote>
<p>Are you sure you want to delete 'textmedia with shortcuts to this ce'? (There are 1 reference(s) to this record!)</p>
</blockquote>
<p>when trying to delete a record (e.g. [textmedia]) which has references pointing to it (e.g. "Insert Records" [shortcut]").</p>
<p>But sometimes we get a generic message which does not point out there are references, such as:</p>
<blockquote>
<p>Are you sure you want to delete this record?</p>
</blockquote>
<p>It looks like the behaviour improved between v11 => v13 but is not fully resolved.</p>
<p>(language label: labels.referencesToRecord)</p>
<a name="Problems-Inconsistencies"></a>
<h2 >Problems / Inconsistencies<a href="#Problems-Inconsistencies" class="wiki-anchor">¶</a></h2>
<p>in <strong>v13</strong></p>
<ul>
<li>list module: if using checkboxes to select several records then deleting, we get:</li>
</ul>
<blockquote>
<p>Delete marked<br />Are you sure you want to delete all marked records from the table 'Page Content'?<br />Close Delete</p>
</blockquote>
<p>(no hint that there are references)</p>
<ul>
<li>(minor): in FormEngine the "Delete record" button does not have an "(!)", in the other cases it does</li>
</ul>
<p>in <strong>v11</strong> , sames as v13, but also</p>
<ul>
<li>in page layout: using inline delete button, we get generic message (not warning about references):</li>
</ul>
<blockquote>
<p>Delete this record?<br />Delete this record?<br />Cancel | OK</p>
</blockquote>
<ul>
<li>some more minor inconsistencies in how the delete button is named etc.</li>
</ul>
<a name="Screenshots"></a>
<h2 >Screenshots<a href="#Screenshots" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37844/delete_record_with_references_generic_message.png" title="generic delete message" alt="generic delete message" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37845/delete_record_with_references_message_points_out_references.png" title="delete message which mentions references" alt="delete message which mentions references" loading="lazy" /></p>
<p>v13</p>
<p><img src="http://forge.typo3.org/attachments/download/37846/v13_delete_record_with_references_in_list_module_bulk_removal_no_mention_of_references.png" title="v13 bulk removal in list module (references not mentioned)" alt="v13 bulk removal in list module (references not mentioned)" loading="lazy" /></p>
<a name="Full-report"></a>
<h2 >Full report<a href="#Full-report" class="wiki-anchor">¶</a></h2>
<p>see delete_record_with_references.txt</p> TYPO3 Core - Bug #101408 (Accepted): Fluid debug output is displayed on page even if adminpanel n...http://forge.typo3.org/issues/1014082023-07-21T14:45:59ZSybille Peterssypets@gmx.de
<p>This probably was reported before, but was then fixed and has now reappeared: <a class="external" href="https://forge.typo3.org/issues/85087">https://forge.typo3.org/issues/85087</a></p>
<p>I usually don't use Fluid debug output in adminpanel and usually don't enable it on production but I did that recently by accident.</p>
<p>Several days later I loaded a page, the debug output was displayed, the admin panel was not even activated.</p>
<p>What made matters worse, the debug output was also displayed if not logged in the BE (using different browser).</p>
<a name="versions"></a>
<h2 >versions<a href="#versions" class="wiki-anchor">¶</a></h2>
<ul>
<li>reproduced in v11, did not check newer versions yet.</li>
</ul>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<p>1. Flush all cache (including system cache)<br />2. Enable admin panel <br />3. Activate checkbox "Fluid debug output" <br />4. Load page: debug output is displayed) (ok)<br />5. deactivate adminpanel (via the toggle)<br />6. load page again: debug output is displayed (unexpected)<br />7. load page in different browser (not logged in): debug output is displayed (bad)<br />8. Deactivate the checkbox "Fluid debug output" <br />9. refresh page CTRL-SHIFT-r (or flush cache in adminpanel): debug output still displayed</p>
<p>finally, flush cache</p>
<pre>
vendor/bin/typo3 cache:flush
</pre>
<p>Is now ok</p>
<a name="Suggestion"></a>
<h2 >Suggestion<a href="#Suggestion" class="wiki-anchor">¶</a></h2>
<p>I think this should be changed (at least in production context)</p>
<ul>
<li>the debug output should not be saved</li>
<li>or better: not possible to enable "Fluid debug" checkbox in production context</li>
</ul>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37842/adminpanel_fluid.png" alt="" loading="lazy" /></p> TYPO3 Core - Bug #101367 (New): page link to not hidden child of hidden page with extendToSubpage...http://forge.typo3.org/issues/1013672023-07-17T15:58:03ZSybille Peterssypets@gmx.de
<p>In linkvalidator, page links to hidden pages are considered broken.</p>
<p>But extendToSubpages is not considered, the rootline is not traversed.</p>
<pre>
page [3] (hidden, extendToSubpages)
└── page [4] (not hidden)
</pre>
<ul>
<li>link to => 3 (hidden) : marked as broken</li>
<li>link to => 4 (child of hidden/extendToSubapges: not marked as broken, wrong.</li>
</ul> TYPO3 Core - Bug #101336 (New): Pages are shown in page tree even if (non-admin) BE user has no D...http://forge.typo3.org/issues/1013362023-07-12T10:56:48ZSybille Peterssypets@gmx.de
<p>This could also be a privacy problem because user sees pages in page tree which he has no business seeing (which might be access protected).</p>
<p>He can also sees<br />- which user is currently editing the page (see first screenshot)</p>
<p>I could reproduce it in a way where the user sees all pages in entire installation (even though they are not even in the DB mount in the group).</p>
<p>Is only reproducable</p>
<p>- if the user does not have any DB mounts at all<br />- OR has a DB mount but no permission for the pages.</p>
<p>This could happen by wrong page permissions or misconfiguration of BE user.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<ol>
<li>create user with no DB mount and set "Mount from groups" | "DB mounts" to off, assign this user to a group</li>
<li>add a DB mount in the group</li>
<li>switch to user</li>
<li>switch to page module (or list module)</li>
</ol>
<a name="Result"></a>
<h2 >Result<a href="#Result" class="wiki-anchor">¶</a></h2>
<p>The pages which are available for the group will now be displayed in the pagetree but the user has no access to them. If he clicks on a page, exception is thrown: "You don't have access to this page".</p>
<p>Also: context menu | "Info" is displayed, but this results in error message: "Sorry, you didn't have proper permissions to perform this change."</p>
<a name="Expected-behaviour"></a>
<h2 >Expected behaviour<a href="#Expected-behaviour" class="wiki-anchor">¶</a></h2>
<p>- If the user does not have access to the pages, they should <strong>not</strong> be displayed in the page tree and if he has access to no pages, no pages should be displayed in page tree<br />- in one case, an exception is thrown, in the other (Context "Info") a modal dialog is displayed with error. I would always expect the error message, not the exception</p>
<a name="Setup"></a>
<h2 >Setup<a href="#Setup" class="wiki-anchor">¶</a></h2>
user1:
<ul>
<li>has mostly default permissions, no DB mounts or any modifications of permissions, except:</li>
<li>has group group1</li>
<li>"Mounts and Workspaces" | ""Mount from groups" | "DB Mounts" is off</li>
</ul>
group1
<ul>
<li>has DB mount (page id 1)</li>
<li>has access to all modules: "Access Lists" | "Modules" : all selected</li>
<li>has (read) access to all tables: "Access Lists" | "Tables (listing)" : all selected</li>
</ul>
page tree (page id 1):
<ul>
<li>"everybody" has all permisions (set in "Access" module)</li>
</ul>
<a name="Versions"></a>
<h2 >Versions<a href="#Versions" class="wiki-anchor">¶</a></h2>
<p>Reproduced with</p>
<ul>
<li>v11 ... latest main</li>
</ul>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37818/be_user_mount_from_groups_off_editing.png" alt="" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37817/mount_from_groups.png" alt="" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37815/be_user_mount_from_groups_off.png" alt="" loading="lazy" /></p>