TYPO3 11.5.23
8 February 2023
TYPO3 version 11.5.23 is now available (security release).
Upgrading to TYPO3 11.5.23
You can upgrade to (or install) TYPO3 11.5.23 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply TYPO3 updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing TYPO3 install and test the 11.5.23 upgrade before applying it live.
What's New in TYPO3 11.5.23
11.5.23
This release is a combined bug fix and security release.
Security
- TYPO3-CORE-SA-2023-001 - Persisted Cross-Site Scripting in Frontend Rendering - Prevent XSS due to wrong PATH_INFO evaluation (thanks to Benjamin Franzke)
Bug Fixes and Changes
- [TASK] Improve comments and readability in PageArgumentValidator (thanks to Benjamin Franzke)
- [BUGFIX] Avoid disabling page caches when having cHash validation enforced (thanks to Oliver Hader)
- [BUGFIX] Enforce validation when no cHash is given (thanks to Benni Mack)
- [TASK] Update PHP dependencies (thanks to Benni Mack)
- [TASK] Migrate deprecated PHPUnit 9 methods (thanks to Nikita Hovratov)
- [BUGFIX] Fix PHP 8 warning in ExtendedTemplateService (thanks to Thomas Hohn)
- [BUGFIX] Avoid re-paints and re-layouts in page tree on drag&drop (thanks to Andreas Fernandez)
- [BUGFIX] Fix PHP 8 warning in RootlineUtility (thanks to Thomas Hohn)
- [BUGFIX] Fix PHP 8 warning in ContentObjectRenderer (thanks to Thomas Hohn)
- [TASK] Cleanup of type for sameBeginEnd in ContentObjectRenderer (thanks to Thomas Hohn)
- [DOCS] Fix typo in argument numbers in migration section (thanks to Česlav Przywara)
- [BUGFIX] Prevent possible null pointer exception in data processors (thanks to Oliver Bartsch)
- [TASK] Replace localization methods in PageLayoutController (thanks to Andreas Fernandez)
- [BUGFIX] Respect titleLen setting for page title in page module (thanks to Oliver Bartsch)
- [BUGFIX] Fix PHP 8 warning in BackendUtility (thanks to Thomas Hohn)
- [BUGFIX] Use correct language constraint in PageLayoutController (thanks to Oliver Bartsch)
- [BUGFIX] Use correct object to build "copy" payload (thanks to Andreas Fernandez)
- [BUGFIX] Set proper groups in AdminPanel (thanks to Achim Fritz)
- [BUGFIX] Fix PHP 8 warning in AbstractPlugin (thanks to Benni Mack)
- [BUGFIX] Restore record date fields for all users (thanks to Oliver Bartsch)
- [BUGFIX] Fix PHP 8 warning in ContentObjectRenderer (thanks to Thomas Hohn)
- [BUGFIX] Fix PHP 8 warning in TMENU (thanks to Benni Mack)
- [BUGFIX] Fix undefined key warning in indexed_search (thanks to Benni Mack)
- [BUGFIX] Fix PHP warning in Recycler (thanks to Benni Mack)
- [BUGFIX] Fix PHP 8 warning in TreeDataProvider (thanks to Benni Mack)
- [BUGFIX] Fix PHP 8 warning in ContentObjectRenderer (thanks to Benni Mack)
- [BUGFIX] Enforce processing images stored in typo3temp (thanks to Oliver Hader)
- [BUGFIX] Handle disabled default language in PageContentErrorHandler (thanks to Oliver Bartsch)
- [BUGFIX] Prevent duplicate ckeditor instances when moving inline fields (thanks to Nikita Hovratov)
- [BUGFIX] Fix notice in FrontendConfigurationManager (thanks to Georg Ringer)
- [BUGFIX] Make http_makelinks more fault tolerant (thanks to Thomas Hohn)
- [BUGFIX] Make SITE: placeholder work in foreign_selector (thanks to David Blatter)
- [BUGFIX] Do not trigger setUpdateSignal in CLI (thanks to Benni Mack)
- [DOCS] Add hint about relative targets in redirects (thanks to Josef Glatz)
- [BUGFIX] Prevent PHP fatal error in scheduler (thanks to linawolf)
- [DOCS] Add hint to HtmlViewHelper about avoiding usage in backend context (thanks to Chris Müller)
- [BUGFIX] Avoid logging of invalid locales in site configuration (thanks to Benni Mack)
- [BUGFIX] Allow CSP inline styles in directly requested SVG files (thanks to Oliver Hader)
- [BUGFIX] Handle absolute web paths in FormEngineUtility::getIconHtml (thanks to Nikita Hovratov)
- [BUGFIX] Avoid undef array key in TcaRecordTitle (thanks to Christian Kuhn)
- [BUGFIX] Mute autoplayed videos (thanks to Georg Ringer)
- [TASK] Update to PHPStan 1.9.12 (thanks to Oliver Klee)
- [BUGFIX] Avoid undef array key in SearchController (thanks to Christian Kuhn)
- [BUGFIX] Avoid undef array key in QueryGenerator (thanks to Christian Kuhn)
- [BUGFIX] Respect HTTP_REFERER for felogin redirect mode 'referer' (thanks to Torben Hansen)
- [BUGFIX] Deduplicate slugs with language -1 (thanks to Sybille Peters)
- [TASK] Show explain selection in DB check only for Mysql (thanks to Georg Ringer)
- [DOCS] Move adminpanel TypoScript into manual (thanks to linawolf)
- [BUGFIX] Harden type annotations around user authentication handling (thanks to Elias Häußler)
- [BUGFIX] Save+preview respects local PageTS (thanks to Philipp Kitzberger)
- [BUGFIX] Avoid double hsc() in NoneElement (thanks to Christian Kuhn)
- [BUGFIX] Ensure that formatValue for dates/times returns a string (thanks to Markus Klein)
- [BUGFIX] Fix notices in QueryGenerator (thanks to Georg Ringer)
- [BUGFIX] Avoid undef array key in ContentObjectRenderer (thanks to Christian Kuhn)
- [BUGFIX] Avoid uninitialized string offset in ContentObjectRenderer (thanks to Christian Kuhn)
11.5.22
This version is a bugfix and maintenance release.
Bug Fixes and Changes
- [TASK] Reduce sql queries for page link generation (thanks to Christoph Lehmann)
- [DOCS] Use tabs for running commands in Composer/legacy installation in EXT:redirects (thanks to Chris Müller)
- [BUGFIX] Accessing unavailable site config triggers notice instead of warning (thanks to Helmut Hummel)
- [BUGFIX] Fix array access warning in SystemStatusUpdateTask (thanks to Helmut Hummel)
- [TASK] Update copyright year in README.md and INSTALL.md (thanks to Torben Hansen)
- [BUGFIX] Fix exception with PHP 8.1 in ItemProcessingService (thanks to Sybille Peters)
- [BUGFIX] Send correct content type for cached Extbase actions (thanks to Helmut Hummel)
- [BUGFIX] Avoid undefined array key in ObjectStorage::offsetGet() (thanks to Daniel Siepmann)
- [BUGFIX] Always display search box in file browser (thanks to Oliver Bartsch)
- [BUGFIX] Prevent undefined array offset warnings in ElementInformationController (thanks to Oliver Bartsch)
- [BUGFIX] Properly localize placeholder (thanks to alexander.vogt)
- [TASK] Update to PHPStan 1.9.5 (thanks to Christian Kuhn)
- [TASK] Task allow mariadb up to v10.10 and pg 15 (thanks to Jochen Roth)
- [BUGFIX] Remove unneeded quote (thanks to Georg Ringer)
- [TASK] Add missing unique link to recently added rst file (thanks to Nikita Hovratov)
- [BUGFIX] Align variable name with flexform, template and docs (thanks to André Buchmann)
- [DOCS] Update TypoScript documentation of Indexed Search (thanks to Eric Bode)
- [TASK] Update to PHPStan 1.9.4 (thanks to Oliver Klee)
- [BUGFIX] Prevent undefined array key warning in DatabaseRecordList (thanks to Oliver Bartsch)
- [TASK] Disable extension repository status check in composer mode (thanks to Oliver Bartsch)
- [BUGFIX] Use locallang in history button in EditDocumentController (thanks to Andreas Fernandez)