Breaking: #88755 - Remove POST option from typolink.addQueryString.method
See forge#88755
Description
The addQueryString.method setting of typolink could be used as shown below to transform HTTP POST parameters into corresponding GET parameters.
    typolink {
      parameter = 123
      addQueryString = 1
      addQueryString.method = POST
    }
In terms of using HTTP verbs correctly, it is bad practice in general to treat GET and POST equally. Besides that, the documentation already mentioned potential side effects such as accidentally exposing sensitive data submitted via POST to proxies or log files.
That is why the values "POST", "GET,POST" and "POST,GET" are no longer allowed for typolink.addQueryString.method. Maintaining the functionality, if required at all, has to be done using domain-specific logic in the corresponding controllers or middleware implementations.
Impact
* using "GET,POST", "POST,GET" or "POST" will trigger an E_USER_WARNING
* using "GET,POST" or "POST,GET" will fall back to GET
* using "POST" will be ignored and an empty result
As a consequence, only query parameters submitted via HTTP GET are taken into account; parameters in the HTTP POST body are ignored.
Affected Installations
* TypoScript defining typolink.addQueryString.method with values mentioned in the previous section
* invocations of TYPO3\CMS\Extbase\Mvc\Web\Routing\UriBuilder::setAddQueryStringMethod() with values mentioned in the previous section
* as an effect, Fluid view helpers forwarding this information to TYPO3\CMS\Extbase\Mvc\Web\Routing\UriBuilder::setAddQueryStringMethod() are affected; the argument addQueryStringMethod is affected in view helpers of the TYPO3 core as shown below
  + <f:form ... addQueryStringMethod="POST">
  + <f:link.action addQueryStringMethod="POST">
  + <f:link.page ... addQueryStringMethod="POST">
  + <f:link.typolink addQueryStringMethod="POST">
  + <f:uri.action ... addQueryStringMethod="POST">
  + <f:uri.page ... addQueryStringMethod="POST">
  + <f:uri.typolink addQueryStringMethod="POST">
  + <f:widget.uri ... addQueryStringMethod="POST">
  + <f:widget.link addQueryStringMethod="POST">
  + <f:widget.paginate ... configuration="{addQueryStringMethod: 'POST'}">
Migration
* change the mentioned assignments in TypoScript, Fluid templates or PHP code to GET
* analyse and try to understand whether POST is still required or could be substituted
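
To locate the usages listed under Affected Installations before migrating, the following Python sketch scans text for the three disallowed values in TypoScript, Fluid and PHP. It is an added example, not part of the TYPO3 changelog or core; the name find_post_usages, the patterns and the sample input are assumptions made for illustration, and only literal string values are detected.

```python
import re

# Disallowed values named on this page; a plain GET never matches.
VALUE = r"(?P<value>POST\s*,\s*GET|GET\s*,\s*POST|POST)\b"

# One pattern per kind of usage listed under "Affected Installations".
PATTERNS = {
    # Dotted form and brace-block form of the TypoScript property.
    "typoscript": re.compile(
        r"\baddQueryString(?:\.method|\s*\{[^}]*?\bmethod)\s*=\s*" + VALUE),
    "php": re.compile(r"\bsetAddQueryStringMethod\(\s*['\"]\s*" + VALUE),
    # Fluid tag attribute (=) and inline/array notation (:).
    "fluid": re.compile(r"\baddQueryStringMethod\s*[=:]\s*['\"]\s*" + VALUE),
}

# Constructed sample input (not taken from a real project).
SAMPLE = """\
lib.link.typolink {
  parameter = 123
  addQueryString = 1
  addQueryString.method = POST
}
lib.other.typolink.addQueryString {
  method = GET,POST
}
lib.fine.typolink.addQueryString.method = GET
<f:link.page pageUid="1" addQueryStringMethod="POST,GET">x</f:link.page>
<f:widget.paginate objects="{items}" as="p" configuration="{addQueryStringMethod: 'POST'}">
$uriBuilder->setAddQueryStringMethod('POST');
$uriBuilder->setAddQueryStringMethod('GET');
"""


def find_post_usages(text):
    """Return sorted (line, kind, value) tuples for every affected usage in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Report the line the value sits on, which matters for brace blocks.
            line = text.count("\n", 0, m.start("value")) + 1
            value = re.sub(r"\s+", "", m.group("value"))
            hits.append((line, kind, value))
    return sorted(hits)


if __name__ == "__main__":
    for line, kind, value in find_post_usages(SAMPLE):
        print(f"line {line}: {kind} uses method {value}, change to GET or remove")
```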