5 February 2020
TYPO3 version 9.5.13 is now available (security release).

What's New in TYPO3 9.5.13

Security

- Avoid insecure deserialization in QueryGenerator & QueryView
- Prevent SQLi in ext:lowlevel QueryGenerator
- Avoid directory traversal on archive extraction
- XSS in file list through file extension
- Avoid XSS by correctly encoding typolink results
- Prevent XSS in EXT:form error message output
- Avoid possible insecure deserialization in Extbase

Changes

- Re-introduce removed methods
- Streamline frontend user password recovery process
- Revert FolderCheck for clipboard actions
- Avoid applying parameter inflation during route resolving
- Ensure correct return values in Workspace middleware
- Add more tests for TypoLink handling in fluid
- Name "default language" consistently
- Use correct Plan name and key
- Simplify chunking of test-plan jobs
- Fix return value in command site:list
- Extend docs of DeleteUploads finisher
- Always allow dividers in TCA auth mode check
- Convert URLs with ampersands in Linkvalidator
- Remove incorrect slash in extension paths
- Remove "Adding Your Own Content Elements"
- Adjust name for PageTitle API in documentation
- Add VendorName to Fluid Ajax WidgetContext
- Mix test jobs in stages
- Remove unused imports
- Mark guzzlehttp/guzzle >= 6.5.0 as conflict
- Apply thumbscrews to sqlserver
- Fix typo in cHash option description
- Use existing API instead of ContentObjectRenderer
- Raise platform settings for tarball distributions
- Remove leading slash from backendLogo path
- Add check if update of all language packs is possible
- Use RequestFactory for downloading mirrors and check response properly
- Revert "[BUGFIX] Set tasks backend:lock & backend:unlock as not schedulable"
- Restructure nightly plans in stages a 50 jobs
- Remove jumpToUrl function in LinkBrowser
- Check if header variable is set before using it
- Do not apply default node settings when invoking command
- Fix broken Fluid templates
- Provide PHP 7.4 test run configuration
- Fix failing tests in 9.5 branch
- Streamline test names
- Filter empty values from language list
- Use mssql-2017-cu17
- Provide necessary info for NewContentElementWizardHook again
- Do not send default data for page tree items
- Update doctrine/annotations dependency
- Open a new tab if window name in backend is newTYPO3frontendWindow
- RTE: Link with anchor and params not working
- Use correct testing container for JS related tests -again
- No longer include punctuation in CKEditor autolinks
- Improve pre-merge test run configs
- Fix translated shortcut target in menus
- Update codemirror to v5.49.2
- Restructure nighly test plan spec
- Allow to switch clipboard mode to copy without items
- Add example for saving uploaded files in SaveToDatabase finisher
- Future-proof Fluid template namespace imports
- Render FlashMessages at ClearCache
- Use correct filename in documentation of fluid styled content
- Update friendsofphp/php-cs-fixer to 2.16.1
- Fix double encoding of current page link in link wizard
- Fix explanation of content element TypoScript example
- Use current site language in indexed search by default
- Refer to classes in typo3fluid in Changelog
- Use correct ViewHelper namespace in PHPDoc of SubmitViewHelper
- Fix mistakes regarding RTE-configuration via TsConfig
- Write "PropertyGridEditor" default values as integer number
- Respect user mount points within FormPersistenceManager
- Fix some minor typos in Changelog
- Document date element in EXT:form
- Document unsetting array property items in form variants
- Show form definitions with same filename from different storages
- StaticRouteResolver returns 404 on invalid static route
- Respect unique form identifier for validators
- Disable browser autofill feature for the honeypot field
- Unconfigured typeNums should result in 404 instead of 500 response
- Add additional tests for Route VariableProcessor
- Only process arrays in BackendUserConfigurationUpdate
- Make PHP code of TYPO3 Core PHP 7.4 compliant
- Cast id to integer in class BackendUserConfigurationUpdate
- Fix PHP error in SoftReferenceParserHook for missing form definitions
- Document variables assigned to mail templates
- Remove assignment to unused property in PageRenderer
- Do not use constants in low-level classes
- Synchronize TCA enable columns from workspace version
- Do not add entries to cache_treelist when logged into BE
- Update doctrine/dbal to 2.10.0
- Ensures configuration for resolveAnchorLink is an array
- Respect config.intTarget and extTarget in default ParseFunc
- Add Maori locale and flag
- Add examples to ext:backend ViewHelpers
- Add missing semicolon in rst file
- Fix minor typos in form documentation
- Update dependency CmsComposerInstaller
- Trigger nightly test builds with more time in between
- Fix exception in IpAnonymizationTask after upgrade from TYPO3 8
- Consider all elements in typo3temp/assets/ when clearing
- Add fallback identifier to IRRE fields
- Remove htmlspecialchars from path_Workspace
- IRRE: Create a correct original value identifier
- Respect language restrictions for direct page title editing
- Make EXT:backend independent of EXT:install
- Deactivate link element's explanation toggle after change
- Allow usage of uid in slug generation via Ajax
- Set default controller name in ExtbasePluginEnhancer
- Log invalid hash generation in FAL Indexer
- Add clarification and tests to SiteBasedRedirectResolver
- Decode tag attributes during HTML parsing
- RTE: Support anchors without href
- Reenable input field for page ID when setting a link via RTE
- Use correct icon for menu separator if hidden in menu
- Add additional workspaces tests covering enable fields
- Fix RTE preset example
- Respect cacheHash excludedParameters in TSFE::reqCHash()
- Pluralize term dynamically
- Prevent indexing of XML sitemaps by search engines
- Extend TCA shadowColumns instead of overriding them
- Don't escape decimal character group
- Remove references to "alternativeTempPath"
- Streamline SoftReferenceIndex references
- Fix tests in ConditionMatcher regarding applicationContext
- Revert "[TASK] Speed up DB query for tables with versions"
- Enable php 7.4 for runTests.sh script
- Update Guzzle to latest version (6.4.1)
- Improve accessibility of backend login
- SysLanguageViewHelper fetches proper DB connection
- Use prepared statements for pdo_mysql per default
- Do not fall back to routes on invalid “id”
- Have backend layouts in DB respect workspace versions
- Check parsed url for query part in BE Shortcuts
- Remove 2nd double quotes from exception messages
- SoftReferenceIndex parses new TypoLink format correct
- Fix stdWrap.replacement boolean properties handling
- Don't process ifEmpty/ifBlank stdWrap if content is available
- Fix parameter descriptions of bulkInsert