TYPO3 Forge: Issueshttp://forge.typo3.org/http://forge.typo3.org/themes/typo3_forge/favicon/favicon.png?17058661692024-03-27T17:07:51ZTYPO3 Forge
Redmine TYPO3 Core - Feature #103493 (Under Review): Show button to edit full record in linkvalidator (ad...http://forge.typo3.org/issues/1034932024-03-27T17:07:51ZSybille Peterssypets@gmx.de
<p>By default, a form showing only the field with the broken link is opened, if clicking the "pencil" button in the Link Validator report.</p>
<p>If checking sys_redirect.target as well, I noticed that opening the form this way is not helpful, because some context is missing: we see only the target, but not the source_path and the rest of the fields.</p>
<p>In this particular case, the default behaviour is unhelpful.</p>
<p>Originally, the behaviour was that the entire record was edited. This, however also proved as unhelpful, because sometime the broken link was a bit hidden, or it was in a different tab.</p>
<a name="Implementation-options"></a>
<h2 >Implementation options<a href="#Implementation-options" class="wiki-anchor">¶</a></h2>
<ol>
<li>(Idealistic) would be if the full record was opened, but the tab where the broken link is contained is opened by default, and if necessary there is scrolling so the field is in focus. Additionally, it might be helpful if this field (or all fields with broken links) would be marked visibly. (However, marking visibly should be different from what is currently used in case of evaluation).</li>
<li>(pragmatic) show both buttons but make it configurable, e.g.</li>
</ol> TYPO3 Core - Bug #103478 (New): Linkvalidator should check fields with type "file"http://forge.typo3.org/issues/1034782024-03-25T05:47:22ZSybille Peterssypets@gmx.de
<p>e.g. pages.media</p>
<p>see documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html</a></p>
<p>LinkAnalyzer.php:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre> TYPO3 Core - Bug #103059 (New): Not possible to see references if no access to content where file...http://forge.typo3.org/issues/1030592024-02-06T10:22:55ZSybille Peterssypets@gmx.de
<p>In the file list you can see the number of references for files which are referenced from content which you do not have access to, and you can also click on the link, but the references will not be displayed.</p>
<p>I would expect it to be possible to see the references (read-only) and also be able to see which pages the references are on (ideally by having a "view page" button).</p>
<p>Otherwise you cannot delete files and you can't find out (as normal editor) where they are still being referenced from.</p>
<p>This means, these cases can only be resolved by admin users or by users with access to both the files and the content.</p>
<a name="Example"></a>
<h2 >Example<a href="#Example" class="wiki-anchor">¶</a></h2>
<p>user A<br />- access to pages /a/<br />- access to files fileadmin/a</p>
<p>user B<br />- access to pages /b/<br />- access to files fileadmin/b</p>
<p>Content in /a/ links to file /b/test.png. Now, user b cannot see references for test.png and cannot delete test.png.</p> TYPO3 Core - Feature #102644 (New): Make it easier to restrict uploadable file types / extensions...http://forge.typo3.org/issues/1026442023-12-09T22:07:09ZSybille Peterssypets@gmx.de
<p>I want to prevent <strong>additional</strong> unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.</p>
<a name="My-feature-reqeust"></a>
<h2 >My feature reqeust<a href="#My-feature-reqeust" class="wiki-anchor">¶</a></h2>
<ul>
<li>add a "safe" configuration, so you can add <strong>additional</strong> file extensions, without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern, it could be a comma separated list of file extensions, which is used in FileNameValidator</li>
<li>make it possible to use "explicit allow" instead of "explicit deny" here. This should probably not be the default yet, but could be in the future.</li>
</ul>
<a name="Background"></a>
<h2 >Background<a href="#Background" class="wiki-anchor">¶</a></h2>
<p>Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], is used in FileNameValidator.</p>
<p>It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.</p>
<p>I assume, that is for security reasons, that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.</p>
<p>But, this also makes it difficult, in case you want to be <em>more restrictive</em> (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.</p> TYPO3 Core - Bug #102595 (New): Not possible to override richtextConfiguration via TSconfig if in...http://forge.typo3.org/issues/1025952023-12-04T05:11:41ZSybille Peterssypets@gmx.de
<p>Normally, overriding settings in Flexform via TSconfig is possibly, for example like this:</p>
<pre>
# TCEFORM.[tableName].[fieldName].[dataStructureKey].[flexSheet].[flexFieldName with escaped dots].[propertyName]
<pre>
TCEFORM.tt_content.pi_flexform.sfregister_create.sDEF.settings\.fields\.selected.addItems.ZZZ = ZZZ
</pre>
</pre><br />see <a class="external" href="https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html">https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html</a>
<p>But this does not seem to work with the richtextConfiguration if in a Flexform which would then be overridden with RTE, for example like this:</p>
<pre>
RTE.config.tx_news_domain_model_news.bodytext.preset = otherpreset
</pre>
<p>For a Flexform field, it should look for example like this:</p>
<pre>
RTE.config.tt_content.pi_flexform.powermail_pi1.thx.settings\.flexform\.thx\.body.preset = otherpreset
</pre>
<p>but this does not work</p> TYPO3 Core - Feature #102447 (New): Prevent information disclosure from Only Office by copy-paste...http://forge.typo3.org/issues/1024472023-11-22T12:21:55ZSybille Peterssypets@gmx.de
<p>This seems to be already fixed in ckeditor: <a class="external" href="https://github.com/ckeditor/ckeditor5/issues/14947">https://github.com/ckeditor/ckeditor5/issues/14947</a></p>
<blockquote>
<p>We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.</p>
</blockquote>
<p>However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.</p>
<p>Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.</p>
<p>This is a problem because:</p>
<ul>
<li>sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).</li>
<li>it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)</li>
<li>it clutters up the visible history (sys_history view in BE)</li>
</ul>
<p>I have seen this in our site which uses latest TYPO3 v11.</p> TYPO3 Core - Task #101711 (New): document classesAnchor for rte_ckeditorhttp://forge.typo3.org/issues/1017112023-08-18T14:58:45ZSybille Peterssypets@gmx.de
<p>This is the only documentation for classesAnchor I could find so far, but this is for rtehtmlarea:</p>
<p><a class="external" href="https://docs.typo3.org/p/friendsoftypo3/rtehtmlarea/main/en-us//Configuration/PageTsconfig/classesAnchor/Index.html">https://docs.typo3.org/p/friendsoftypo3/rtehtmlarea/main/en-us//Configuration/PageTsconfig/classesAnchor/Index.html</a></p>
<p>classesAnchor is not documented in the rte_ckeditor documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-rte-ckeditor/main/en-us/Index.html">https://docs.typo3.org/c/typo3/cms-rte-ckeditor/main/en-us/Index.html</a></p>
<p>classesAnchor can be used in rte_ckeditor as well, see example in bootstrap_package:</p>
<pre>
classesAnchor:
page:
class: 'link-page'
type: 'page'
folder:
class: 'link-folder'
type: 'folder'
file:
class: 'link-file'
type: 'file'
external:
class: 'link-external'
type: 'url'
mail:
class: 'link-mail'
type: 'mail'
</pre>
<p><a class="external" href="https://github.com/benjaminkott/bootstrap_package/blob/master/Configuration/RTE/Default.yaml">https://github.com/benjaminkott/bootstrap_package/blob/master/Configuration/RTE/Default.yaml</a></p>
<a name="Search-for-classesAnchor"></a>
<h3 >Search for "classesAnchor"<a href="#Search-for-classesAnchor" class="wiki-anchor">¶</a></h3>
<ul>
<li>in "TYPO3 Explained": no result</li>
<li>in rte_ckeditor Documentation: no result</li>
</ul>
<a name="Related"></a>
<h3 >Related<a href="#Related" class="wiki-anchor">¶</a></h3>
<ul>
<li>changelog: <a href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.0/Breaking-98275-RemovedPreDefinedLinkTitleAttributesInRTELinkBrowser.html" class="external">Breaking: #98275 - Removed pre-defined link title attributes in RTE link browser</a></li>
</ul> TYPO3 Core - Bug #101670 (New): Linkvalidator reports some external URLs as "false positives"http://forge.typo3.org/issues/1016702023-08-13T06:39:37ZSybille Peterssypets@gmx.de
<p>Links are reported as broken which are not broken.</p>
<p>Known cases:</p>
<p>1. sites without complete certificate chain ( <strong>intermediate</strong> (not root) certs missing), Qualys SSLLabs reports this when checking, but browsers resolve this by fetching (and storing) the intermediate certificates, so the URL seems to work fine in the browser<br />2. sites protected by Cloadflare (returns status code 503)</p>
<p>Some other sites also cause problems for unknown reasons:</p>
<ul>
<li>twitter</li>
<li>linkedin</li>
<li>etc.</li>
</ul> TYPO3 Core - Bug #101417 (Closed): It is not possible to remove the target via the link browserhttp://forge.typo3.org/issues/1014172023-07-23T05:43:05ZSybille Peterssypets@gmx.de
<p>Reproducible with latest v13, possibly also v12. May have to use patch <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80034">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80034</a> to reproduce, otherwise target is not always saved to DB.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<ol>
<li>Add a target to a link</li>
<li>In the link brower, remove the target, klick update</li>
<li>Save the CE (or switch to source mode)</li>
</ol>
<p>The target is still there, e.g.</p>
<pre>
<p><a href="t3://page?uid=1" title="hallo" target="_blank">link1</a></p>
</pre> TYPO3 Core - Bug #101414 (Resolved): Alert dialog does not show information about references inli...http://forge.typo3.org/issues/1014142023-07-22T13:09:23ZSybille Peterssypets@gmx.de
<p>This issue handles only one specific case which was already patched in v12 and v13.</p>
<p>More information is in <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: Message that there are references which point to this record is not always displayed when trying ... (New)" href="http://forge.typo3.org/issues/101411">#101411</a></p>
<p>Hopefully part of the improvements in <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/72001">https://review.typo3.org/c/Packages/TYPO3.CMS/+/72001</a> can be backported to v11.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<p>1. Create a record [1] (e.g. texmedia), create a shortcut ce [2] which references this<br />2. In page module try to delete the record [1] (using the inline delete button).</p>
<p>We see a generic delete msg. We expect delete msg which warns about references.</p>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37847/delete_record_with_references_generic_message.png" alt="" loading="lazy" /></p> TYPO3 Core - Bug #101411 (New): Message that there are references which point to this record is n...http://forge.typo3.org/issues/1014112023-07-22T12:42:30ZSybille Peterssypets@gmx.de
<p>Usually, we get an alert, sometime like this:</p>
<blockquote>
<p>Are you sure you want to delete the record 'textmedia1 [tt_content:54]'? There are 1 reference(s) to this record!</p>
</blockquote>
<p>or</p>
<blockquote>
<p>Are you sure you want to delete 'textmedia with shortcuts to this ce'? (There are 1 reference(s) to this record!)</p>
</blockquote>
<p>when trying to delete a record (e.g. [textmedia]) which has references pointing to it (e.g. "Insert Records" [shortcut]").</p>
<p>But sometimes we get a generic message which does not point out there are references, such as:</p>
<blockquote>
<p>Are you sure you want to delete this record?</p>
</blockquote>
<p>It looks like the behaviour improved between v11 => v13 but is not fully resolved.</p>
<p>(language label: labels.referencesToRecord)</p>
<a name="Problems-Inconsistencies"></a>
<h2 >Problems / Inconsistencies<a href="#Problems-Inconsistencies" class="wiki-anchor">¶</a></h2>
<p>in <strong>v13</strong></p>
<ul>
<li>list module: if using checkboxes to select several records then deleting, we get:</li>
</ul>
<blockquote>
<p>Delete marked<br />Are you sure you want to delete all marked records from the table 'Page Content'?<br />Close Delete</p>
</blockquote>
<p>(no hint that there are references)</p>
<ul>
<li>(minor): in FormEngine the "Delete record" button does not have an "(!)", in the other cases it does</li>
</ul>
<p>in <strong>v11</strong> , sames as v13, but also</p>
<ul>
<li>in page layout: using inline delete button, we get generic message (not warning about references):</li>
</ul>
<blockquote>
<p>Delete this record?<br />Delete this record?<br />Cancel | OK</p>
</blockquote>
<ul>
<li>some more minor inconsistencies in how the delete button is named etc.</li>
</ul>
<a name="Screenshots"></a>
<h2 >Screenshots<a href="#Screenshots" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37844/delete_record_with_references_generic_message.png" title="generic delete message" alt="generic delete message" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37845/delete_record_with_references_message_points_out_references.png" title="delete message which mentions references" alt="delete message which mentions references" loading="lazy" /></p>
<p>v13</p>
<p><img src="http://forge.typo3.org/attachments/download/37846/v13_delete_record_with_references_in_list_module_bulk_removal_no_mention_of_references.png" title="v13 bulk removal in list module (references not mentioned)" alt="v13 bulk removal in list module (references not mentioned)" loading="lazy" /></p>
<a name="Full-report"></a>
<h2 >Full report<a href="#Full-report" class="wiki-anchor">¶</a></h2>
<p>see delete_record_with_references.txt</p> TYPO3 Core - Bug #101408 (Accepted): Fluid debug output is displayed on page even if adminpanel n...http://forge.typo3.org/issues/1014082023-07-21T14:45:59ZSybille Peterssypets@gmx.de
<p>This probably was reported before, but was then fixed and has now reappeared: <a class="external" href="https://forge.typo3.org/issues/85087">https://forge.typo3.org/issues/85087</a></p>
<p>I usually don't use Fluid debug output in adminpanel and usually don't enable it on production but I did that recently by accident.</p>
<p>Several days later I loaded a page, the debug output was displayed, the admin panel was not even activated.</p>
<p>What made matters worse, the debug output was also displayed if not logged in the BE (using different browser).</p>
<a name="versions"></a>
<h2 >versions<a href="#versions" class="wiki-anchor">¶</a></h2>
<ul>
<li>reproduced in v11, did not check newer versions yet.</li>
</ul>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<p>1. Flush all cache (including system cache)<br />2. Enable admin panel <br />3. Activate checkbox "Fluid debug output" <br />4. Load page: debug output is displayed) (ok)<br />5. deactivate adminpanel (via the toggle)<br />6. load page again: debug output is displayed (unexpected)<br />7. load page in different browser (not logged in): debug output is displayed (bad)<br />8. Deactivate the checkbox "Fluid debug output" <br />9. refresh page CTRL-SHIFT-r (or flush cache in adminpanel): debug output still displayed</p>
<p>finally, flush cache</p>
<pre>
vendor/bin/typo3 cache:flush
</pre>
<p>Is now ok</p>
<a name="Suggestion"></a>
<h2 >Suggestion<a href="#Suggestion" class="wiki-anchor">¶</a></h2>
<p>I think this should be changed (at least in production context)</p>
<ul>
<li>the debug output should not be saved</li>
<li>or better: not possible to enable "Fluid debug" checkbox in production context</li>
</ul>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37842/adminpanel_fluid.png" alt="" loading="lazy" /></p> TYPO3 Core - Task #90848 (Accepted): No longer possible to enter several pids in linkvalidator sc...http://forge.typo3.org/issues/908482020-03-27T07:07:13ZSybille Peterssypets@gmx.de
<p>TYPO3 10,9,8 ...</p>
<p>I am not sure when this was changed:</p>
<p>In the scheduler task for linkvalidator it is no longer possible to enter several page ids in "Start page (uid)"</p>
<p>This used to be possible which was very helpful if you had several sites. In that case, you would get an aggregated report in the mail with information per site.</p>
<p>Also, you could exclude inactive sites this way. Now you can only enter startpage of one site or 0. (Of course, you can always enter several scheduler tasks).</p>
<p>In some cases, sites that are being updated will most likely have problems and need to change this. (Not sure if the old behaviour will still work with several pids).</p>
<p><img src="http://forge.typo3.org/attachments/download/35011/linkvalidator_scheduler.png" alt="" loading="lazy" /></p>
<p>Anyhow, it is no longer possible to enter several pids, separated by comma, which used to be possible.</p>
<p>(I would actually prefer an option to determine this automatically, based on sites configuration)</p> TYPO3 Core - Feature #76895 (Rejected): Add [FE][lockSSL] option in TYPO3_CONF_VARS (as in [BE][l...http://forge.typo3.org/issues/768952016-06-30T17:12:06ZSybille Peterssypets@gmx.de
<p>Proposal to add an option to enforce HTTPS if currently logged in as FE user. Could be implemented as in already existing [BE][lockSSL] option.</p>
<p>This would make Extensions like https_enforcer more or less redundant, because TYPO3 core would handle this functionality:</p>
<p>1) already existing in core: Force HTTPS for specific page (pages.url_scheme)<br />2) already existing in core: Force HTTPS if logged in as BE-User: [BE][lockSSL]<br />2) not exisiting? : Force HTTPS if logged in as FE-User</p> TYPO3 Core - Bug #51360 (Closed): Linkvalidator: specifying TSconfig in scheduler has no effecthttp://forge.typo3.org/issues/513602013-08-26T17:22:37ZSybille Peterssypets@gmx.de
<p>It is possible to set for example subject and content type via page TSconfig. This works fine. However, setting TSconfig in linkvalidator task in scheduler has no effect.</p>
<p>Using version TYPO3 4.5.29</p>