TYPO3 Core

When you set config.ftu = 1 in your root-TS, you get a session tracking variable rendered into all urls generated by typo3 for users, that don't accept cookies. This is all fine, except for the fact, that there is a hardcoded unescaped ampersand in the core in t3lib/class.t3lib_userauth.php on line 241, which makes xhtml validation fail on all pages with typo3-generated links on them:

...
if ($mode=='get' && $this->getFallBack && $this->get_name) {
$this->get_URL_ID = '&'.$this->get_name.'='.$id;
}
...

Try out validation of http://shop.dello.biz/ with http://validator.w3.org.

In the root template has been set amongst other options:

config.ftu = 1
config.doctype = xhtml_trans
config.xhtml_cleaning = all

Maybe this is resolved when config.xhtml_cleaning is fully implemented, but I thought to let you guys know anyway
(issue imported from #M7043)