Changelog 

1.1.3 

  • Fixed: the sourceSet ViewHelper passes absolute URLs (http://, https://, //), data: URIs, and URLs carrying a query string through unchanged and renders them as a plain <img> tag. Previously such paths — e.g. the tokenized eID=dumpFile URLs fal_securedownload generates for files in non-public storages — were mangled into broken /processed/... variant paths. The access control of the generating extension stays intact; see Public images only: absolute URLs are passed through for the trade-off. Port of the fix on main (2.2.4).

1.1.2 

  • Fixed: silent HTTP 400 responses now log their rejection reason via error_log() (URL-pattern mismatch and path-outside-allowed-roots branches).
  • Fixed: a transient StorageRepository failure during early TYPO3 bootstrap no longer poisons the per-process allowed-roots cache; the degraded fallback is kept only for the current request.
  • Fixed: getAllowedRoots() is memoized per request, avoiding redundant lookups and repeated log lines.
  • Fixed: a filesystem-root public path (/) no longer rejects every valid path.

1.1.1 

  • Fixed: processed image requests no longer return HTTP 400 when fileadmin (or any other Local FAL storage) is a symlink to an external location such as an NFS/EFS mount. isPathWithinAllowedRoots now accepts any realpath-resolved path that lies within the TYPO3 public root or the realpath of any configured Local storage's basePath. Symlinks placed inside a storage that escape every allowed root -- e.g. fileadmin/evil -> /etc -- continue to be rejected. Backport of the fix on main, reported in issue #70.
  • Hardened: paths containing NUL bytes are rejected outright, closing a minor realpath-bypass via the not-yet-existing-path parent-walk branch.
  • Changed (BC for subclasses and manual instantiators): Netresearch\\NrImageOptimize\\Processor gains a new required StorageRepository constructor parameter. Consumers that autowire the service (the default in TYPO3 12+) are unaffected; any code that extends the class or constructs it by hand must forward the new dependency.
  • Changed (BC): dropped PHP 8.1 support. The TYPO3_12 maintenance branch now requires PHP 8.2 or newer (TYPO3 v12 itself still supports PHP 8.1, but this extension aligns with the netresearch/typo3-ci-workflows tooling which requires PHP 8.2+).

1.1.0 

New in version 1.1.0

Comprehensive quality review: security hardening, performance improvements, backend maintenance module, responsive srcset, and expanded test coverage.

  • Added backend maintenance module with directory statistics, system requirements check, and clear processed images action.
  • Added responsive width-based srcset generation as opt-in feature.
  • Added widthVariants parameter for custom breakpoints.
  • Added sizes parameter for responsive image sizing.
  • Added fetchpriority attribute for resource hints.
  • Added path traversal hardening and XSS prevention.
  • Added DoS prevention via dimension and quality clamping.
  • Added HTTP caching headers (Cache-Control: immutable, ETag, Last-Modified).
  • Added 15 language localizations.
  • Added 33+ unit tests, fuzz tests, and functional tests.
  • Added full TYPO3 documentation structure.

1.0.3 

  • Fixed Processor::getValueFromMode() TypeError for non-matching URLs (crawler/bot srcset descriptors).

1.0.2 

  • Fixed nullable dirname access in SourceSetViewHelper.

1.0.1 

  • Added ext_emconf.php for classic installation.

1.0.0 

  • Initial stable release.
  • GitHub Actions CI workflows.

0.1.5 

  • Fixed strtolower() null argument error.
  • Fixed array offset access on boolean value.
  • Allowed numeric characters in file extensions.
  • Added extension icon.
  • Corrected crop variant examples.
  • Improved lazy loading behavior.