Breaking: #88755 - Remove POST option from typolink.addQueryString.method 

See forge#88755

Description 

Setting addQueryString.method of typolink could be used like shown below in order to transform HTTP POST parameters into according GET parameters.

typolink {
  parameter = 123
  addQueryString = 1
  addQueryString.method = POST
}
Copied!

In terms of correctly using HTTP verbs it's bad practise in general to treat GET and POST equally, besides that documentation already mentioned potential side-effects like accidentally exposing sensitive data submitted via POST to proxies or log files.

That's why values POST, GET,POST and POST,GET are not allowed anymore for typolink.addQueryString.method. Maintaining functionality - if required at all - has to be done using domain specific logic in according controllers or middleware implementations.

Impact 

  • using GET,POST, POST,GET or POST will trigger an E_USER_WARNING
  • using GET,POST or POST,GET will fall back to GET
  • using POST will be ignored and an empty result

In a consequence only query parameters submitted via HTTP GET are taken into account, parameters of HTTP POST body are ignored.

Affected Installations 

  • TypoScript defining typolink.addQueryString.method with values mentioned in previous section
  • invocations of TYPO3\CMS\Extbase\Mvc\Web\Routing\UriBuilder::setAddQueryStringMethod() with values mentioned in previous section
  • as an effect Fluid view helpers forwarding this information to TYPO3\CMS\Extbase\Mvc\Web\Routing\UriBuilder::setAddQueryStringMethod() are affected - argument addQueryStringMethod is affected in view helper of TYPO3 core like shown below + <f:form ... addQueryStringMethod="POST"> + <f:link.action addQueryStringMethod="POST"> + <f:link.page ... addQueryStringMethod="POST"> + <f:link.typolink addQueryStringMethod="POST"> + <f:uri.action ... addQueryStringMethod="POST"> + <f:uri.page ... addQueryStringMethod="POST"> + <f:uri.typolink addQueryStringMethod="POST"> + <f:widget.uri ... addQueryStringMethod="POST"> + <f:widget.link addQueryStringMethod="POST"> + <f:widget.paginate ... configuration="{addQueryStringMethod: 'POST'}">

Migration 

  • change to mentioned assignments in TypoScript, Fluid templates or PHP code to GET
  • analyse and try to understand whether POST is still required or could be substituted