Breaking: #88755 - Remove POST option from typolink.addQueryString.method
See forge#88755
Description
Setting addQueryString.method of typolink could be used as shown below to transform HTTP POST parameters into corresponding GET parameters.
typolink {
parameter = 123
addQueryString = 1
addQueryString.method = POST
}
In terms of using HTTP verbs correctly, it is bad practice in general to treat GET and POST equally. Besides that, the documentation already mentioned potential side effects such as accidentally exposing sensitive data submitted via POST to proxies or log files.
That's why the values POST, GET,POST and POST,GET are not allowed anymore for typolink.addQueryString.method. Maintaining this functionality, if required at all, has to be done using domain-specific logic in the corresponding controllers or middleware implementations.
Impact
- using GET,POST, POST,GET or POST will trigger an E_USER_WARNING
- using GET,POST or POST,GET will fall back to GET
- using POST will be ignored and give an empty result
As a consequence, only query parameters submitted via HTTP GET are taken into account; parameters in the HTTP POST body are ignored.
Affected Installations
- TypoScript defining typolink.addQueryString.method with values mentioned in the previous section
- invocations of TYPO3\CMS\Extbase\Mvc\Web\Routing\UriBuilder::setAddQueryStringMethod() with values mentioned in the previous section
- as an effect, Fluid view helpers forwarding this information to TYPO3\CMS\Extbase\Mvc\Web\Routing\UriBuilder::setAddQueryStringMethod() are affected
- argument addQueryStringMethod is affected in view helpers of TYPO3 core, as shown below
  + <f:form ... addQueryStringMethod="POST">
  + <f:link.action addQueryStringMethod="POST">
  + <f:link.page ... addQueryStringMethod="POST">
  + <f:link.typolink addQueryStringMethod="POST">
  + <f:uri.action ... addQueryStringMethod="POST">
  + <f:uri.page ... addQueryStringMethod="POST">
  + <f:uri.typolink addQueryStringMethod="POST">
  + <f:widget.uri ... addQueryStringMethod="POST">
  + <f:widget.link addQueryStringMethod="POST">
  + <f:widget.paginate ... configuration="{addQueryStringMethod: 'POST'}">
Migration
- change the mentioned assignments in TypoScript, Fluid templates or PHP code to GET
- analyse and try to understand whether POST is still required or could be substituted
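
To find the assignments listed under Affected Installations before migrating, a small scanner can report each one together with the behaviour described under Impact. This is an added example, not part of the TYPO3 changelog or core. It assumes the dotted TypoScript form and quoted literal values only, and its sample input is constructed.

```python
import re

# GET plus the three values the page lists as no longer allowed.
VALUE = r"(?P<value>GET\s*,\s*POST|POST\s*,\s*GET|POST|GET)"
Q = r"['\"]"
# One pattern per affected place: TypoScript, Fluid arguments, UriBuilder calls.
PATTERNS = {
    "typoscript": re.compile(r"addQueryString\.method\s*=\s*" + VALUE + r"\b", re.I),
    "fluid": re.compile(r"addQueryStringMethod\s*[:=]\s*" + Q + VALUE + Q, re.I),
    "php": re.compile(r"setAddQueryStringMethod\(\s*" + Q + VALUE + Q, re.I),
}

def new_behaviour(value):
    """Map a configured value to the behaviour listed in the Impact section."""
    methods = value.upper().split(",")
    if "POST" not in methods:
        return "unchanged"
    if methods == ["POST"]:
        return "E_USER_WARNING, ignored"
    return "E_USER_WARNING, falls back to GET"

def scan(text):
    """Return (line_no, kind, value, behaviour) for each affected assignment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = re.sub(r"\s+", "", match.group("value")).upper()
                behaviour = new_behaviour(value)
                if behaviour != "unchanged":
                    findings.append((line_no, kind, value, behaviour))
    return findings

# Constructed sample mixing TypoScript, Fluid and PHP lines.
SAMPLE = '''\
lib.link.typolink {
  parameter = 123
  addQueryString = 1
  addQueryString.method = POST
}
<f:link.page pageUid="5" addQueryStringMethod="GET,POST">next</f:link.page>
<f:link.action action="list" addQueryStringMethod="GET">list</f:link.action>
$uriBuilder->setAddQueryStringMethod('POST,GET');
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

Values built at runtime or set through nested TypoScript blocks are not matched and still need manual review.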