TYPO3 13.4.3 and 12.4.25 security releases published
The versions 13.4.3 and 12.4.25 of the TYPO3 Enterprise Content Management System have just been released.
Can’t make it to a release party? Tune into the live stream!
Tuesday, 2 Oct 2018. 19:30 CEST
Follow the live Q&A on Twitter. #9LTSQA
Want to make some noise? Share what you love about #TYPO3LTS
https://youtu.be/MAeQdWSfDdU
TYPO3 version 9.5 is a Long Term Support (LTS) release and comes with more than 100 new features. This article provides an overview of the most important changes for both business users and technical users.
TYPO3 has always been known to be technically mature, robust, secure, and jam-packed with amazing enterprise features. The newest major release of TYPO3 comes with countless new highlights and shows once again that the well-known content management system is well-positioned at the forefront of the open source software development.
The new LTS version offers enhanced usability features in the backend (the administration interface), upgraded end-user security and privacy (e.g. to achieve GDPR compliance without headaches), top modern password hashing algorithms, best-practice SEO options out of the box, and much more.
In the past four weeks - the stabilization phase between the last intermediate version 9.4 and the new major version 9.5 (also known as “TYPO3 v9 LTS”) - final elements of features were completed but nothing new was started. This is to make sure that the LTS release is robust, stable and can power websites of all sizes and complexities, even those with thousands of pages. This article summarizes the major changes of all 9.x Sprint Releases and what you can expect from TYPO3 v9 LTS.
Native URL routing changes a URI like “index.php?id=123” to a clean, human-readable path. Typically this is based on the page title, e.g. “/team/about-us”. The TYPO3 core now supports page-based URL handling out of the box. Page records in TYPO3 have a field called “URL Segment”, which contains the website frontend path to the page. The field is shown when page records are edited in the backend and is resolved to the page UID in the frontend if a “Site Configuration” has been set up beforehand.
TYPO3 takes languages into account, too, and speaking URLs are generated everywhere: in the frontend, in preview links in the backend, etc.
Now there’s no need anymore for third-party extensions to generate this type of URI. This is also an important feature for search engine optimization, which brings us straight to the next awesome improvement in TYPO3 v9 LTS.
Good-practice SEO should not depend on third-party extensions, but should be offered by the core system, together with the option for developers to extend the standard features as required. In TYPO3 v9 LTS, meta tags set in page properties are rendered in the frontend by default and no additional configuration is required. Behind the scenes, a new Meta Tag API manages this in a modern and fast way.
A more obvious improvement for integrators and editors alike is the new “SEO” tab in the page properties in the backend. It contains the most important options to instruct search engines how to index a page and also lets backend users insert information like Open Graph data. This protocol is supported by all modern social networks such as Twitter, Facebook and LinkedIn.
But the new SEO-features in TYPO3 v9 LTS do not stop here: these were just the basics!
TYPO3 can also generate XML sitemaps out of the box now, with the possibility to render different sitemaps per site and language. Integrators can fine-tune many aspects with comprehensive configuration options and sitemaps for specific records can even be generated, e.g. news records. Canonical links to pages are automatically added if the “SEO” system extension has been activated. One advantage of this approach is that it prevents search engines from penalising sites due to duplicate content. In multilingual TYPO3 sites, “hreflang” tags are now also added automatically.
A new Page Title API allows integrators and developers to control exactly how the page title gets displayed. A multi-step fallback concept has been implemented that takes all possible configuration options into account. For example, titles set by third-party extensions, specific SEO titles provided by editors or titles without any specific configuration in the page properties, which then use the page name as the title tag in the frontend. Extension developers can build their own solution to set the page title by using the API, which only requires a few lines of PHP code.
The Site Management module provides one central place where integrators and site administrators can view and manage all aspects of their sites.
The “Sites” modules allow backend users to add and modify a global configuration for one or for multiple sites in a web instance. This includes a number of options for website languages, human-readable and SEO-friendly URLs, website entry points, and general settings.
A further submodule named "Redirects" has been added to configure redirects. These can be limited to a specific domain and the HTTP response code can easily be configured. The source path can be enabled to be represented as a regular expression and a redirect to HTTPS can be enforced.
For those of you who have worked with previous versions of TYPO3, you’ll see a few changes straight away when you log into the backend of TYPO3 v9 LTS.
Performance optimization and the leverage of modern web technologies have always been on our agenda. An incredibly easy-to-use page tree, which is now based on SVGs and has superfast rendering times, lets users create, rename, move, and delete pages in a breeze. All ExtJS code has been removed completely and the TYPO3 backend is now powered by state-of-the-art, mobile-friendly web technologies such as TypeScript, Bootstrap and jQuery.
Nowadays, modal popups are the first choice for modern user interfaces. TYPO3 now uses this design pattern consistently in the backend to provide a smooth and non-interruptive interaction with the system when a user interaction is required. This child window requires users to interact with it before they can return to operating the parent application. In TYPO3 it now appears e.g. when users need to confirm unsaved changes or when they select a content element to be added to a page or to a similar dialog.
Images are now rotated automatically when uploaded, based on their orientation stored in the EXIF metadata of the image. A new “Duplicate” button has been added, which can be enabled and allows backend users to clone a content element with just one click. “Toggle switches” have been introduced, which not only look nice, but are also a useful tool to allow users to switch between two states easily. Thumbnail images are now loaded asynchronously (e.g. in the filelist), which makes working in the backend faster and smoother. In debug mode, the field name of every FormEngine field is shown to admin users in the backend. This makes the process of configuring access rights much easier, because the same field names appear when backend users or user groups are configured.
To describe all changes and improvements of the TYPO3 backend would go beyond the scope of this article. Work with the backend, and you will not want to work with anything else anymore - that’s for sure! Curious? At the end of this article you’ll find the paragraph “Further Details about TYPO3 v9 LTS”, which includes links to more in-depth resources.
The Install Tool is an important TYPO3 component and provides options to configure the system, to run system and environment checks, to test the setup, and even to update the instance to a new core version with a single click. Therefore, the terminology “Install Tool” was not accurate anymore and the module has been given a new name: System Maintenance Area.
Besides an improved look and feel, which integrates the tool smoothly into the backend of TYPO3, it has also been split into four modules: “Maintenance”, “Settings”, “Upgrade” and “Environment”. By using these categories, a clear, logical and distinct separation of the functions behind the modules has been achieved and users can find the functions they need more easily. The configuration of extensions has been moved from the Extension Manager to this module, too.
Despite the tight integration into the backend of TYPO3 (users will hardly notice that the functions are implemented in a tool “outside” of the backend), the System Maintenance Area is still accessible as a standalone application.
More and more websites use the “form” extension (also known as the “form framework”), which has been included as part of the TYPO3 core since version 8.5 (December 2016). This system extension has now received another magnificent new feature: conditional variants.
Variants can have conditions and allow changing properties of a form element. This way you can manipulate form element values, validator and finisher options, etc. based on conditions. Some typical use cases are:
The comprehensive documentation shows many more details and examples.
The “TYPO3 Admin Panel” provides a deeper insight into the internal processes of TYPO3 at run-time. Once it has been activated, backend users can access performance and cache statistics, settings of a specific page, etc. while accessing the frontend of the website.
The Admin Panel has been overhauled with regards to its design as well as the underlying code and architecture. The visual appearance has been modernized to make it more convenient to access system details by separating them into logical modules and submodules. The most important details of the system are shown at a quick glance with the option to display extended information as required. On top of all this, extension authors can write their own modules or add submodules to existing modules to their heart’s content.
The result is undeniably the best debugging and profiling functionality we have ever had in TYPO3, combined with a fresh, modern, mobile-friendly visual appearance of the Admin Panel.
GDPR came into effect in May 2018 and aims to give users more power over protection, transparency and control of their personal data, whilst imposing strict rules on hosting and data processing. As a leading enterprise content management system, TYPO3 v9 LTS supports administrators and integrators in achieving full GDPR compliance.
A number of settings can be configured that control if and what kind of data should be classified “sensitive” and for how long it gets stored (data retention time). IP addresses stored in the system can be anonymized and YouTube videos can be referenced using a cookie-free link. In addition, inactive frontend and backend users can be automatically and irreversibly removed from the system straight out of the box. This is in light of the principle of data minimisation: data (including user profiles), which does not exist, cannot be compromised in case of a security breach.
Security has always been one of our top priorities and as we know, hardening the security of an application is always an ongoing process. Therefore, it comes as no surprise that the new LTS version of TYPO3 raises the security standards even higher.
TYPO3 now stores files like Install Tool session files, caching framework files, files related to locking, or logging, etc. in the “var/” directory. It is obvious that these non-public files should be located outside of the web root. As part of the ongoing effort to enhance the security of TYPO3 even further, the path to the “var/” directory can now be configured as an environment variable TYPO3_PATH_APP.
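A deployment check for the layout described above, as an added example (not TYPO3 core code): it assumes the private directory is `var/` directly below the path in `TYPO3_PATH_APP`; the function name `isInsideWebRoot` and the temporary sample directories are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * True when $candidate resolves to the web root itself or to a location below it.
 * Both paths must exist so realpath() can resolve symlinks and ".." segments.
 */
function isInsideWebRoot(string $candidate, string $webRoot): bool
{
    $candidate = realpath($candidate);
    $webRoot = realpath($webRoot);
    if ($candidate === false || $webRoot === false) {
        throw new RuntimeException('Path does not exist');
    }
    // Compare with a trailing separator so that "/srv/site/public-old" is not
    // mistaken for a child of "/srv/site/public".
    $prefix = rtrim($webRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

// Constructed sample layout in the temp directory (hypothetical project).
$base = sys_get_temp_dir() . '/typo3-layout-' . bin2hex(random_bytes(4));
foreach (['/public/typo3temp/var', '/var', '/public-old/var'] as $dir) {
    mkdir($base . $dir, 0700, true);
}
$webRoot = $base . '/public';

// Assumption: the project root is exported as TYPO3_PATH_APP and var/ sits below it.
putenv('TYPO3_PATH_APP=' . $base);

$cases = [
    'var/ below TYPO3_PATH_APP'      => getenv('TYPO3_PATH_APP') . '/var',
    'var/ below the document root'   => $webRoot . '/typo3temp/var',
    'sibling sharing the name prefix' => $base . '/public-old/var',
];

foreach ($cases as $label => $path) {
    printf(
        "%-32s %s\n",
        $label,
        isInsideWebRoot($path, $webRoot) ? 'INSIDE web root' : 'outside web root'
    );
}
```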
The support of clear text passwords for backend users was dropped in TYPO3 more than four years ago. Since then, salted passwords have been the standard in TYPO3. With TYPO3 v9 LTS, the support of plain text passwords now draws to an end - even for frontend users. TYPO3 now uses the PHP Password Hashing API, which features industry-strength algorithms, such as Argon2i and PBKDF2. Given that MD5 is deemed highly insecure to protect passwords today, even the support of standard MD5 hashes has been dropped. There isn’t much that TYPO3 integrators need to do to make the passwords of their users secure. As soon as users log in, their password hashes are automatically updated as required.
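The upgrade-on-login behaviour described above, sketched with PHP's Password Hashing API as an added example (not TYPO3 core code): the function names, the bcrypt cost values and the sample user records are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Target algorithm: Argon2i when this PHP build offers it, otherwise bcrypt
// with a higher cost than the stored sample hash uses.
function targetAlgorithm(): array
{
    return defined('PASSWORD_ARGON2I')
        ? [PASSWORD_ARGON2I, []]
        : [PASSWORD_BCRYPT, ['cost' => 12]];
}

/**
 * Verify a login attempt and upgrade the stored hash when it is outdated.
 * Returns [bool $authenticated, string $hashToStore].
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    // password_get_info() reports an empty "algo" for anything that is not a
    // password_hash() format, e.g. a bare MD5 hex digest: reject it outright.
    if (empty(password_get_info($storedHash)['algo'])) {
        return [false, $storedHash];
    }
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }
    [$algo, $options] = targetAlgorithm();
    if (password_needs_rehash($storedHash, $algo, $options)) {
        // Re-hashing can only happen at login, the one moment the plain
        // password is available to the application.
        return [true, password_hash($password, $algo, $options)];
    }
    return [true, $storedHash];
}

// Constructed sample records (hypothetical users, not real data).
$users = [
    'old-bcrypt' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
    'plain-md5'  => md5('correct horse'),
];

foreach ($users as $name => $hash) {
    [$ok, $newHash] = verifyAndUpgrade('correct horse', $hash);
    printf(
        "%-10s authenticated=%s upgraded=%s\n",
        $name,
        $ok ? 'yes' : 'no',
        $newHash !== $hash ? 'yes' : 'no'
    );
}
```

A caller would persist the returned hash whenever it differs from the stored one; accounts that never log in keep their old hash until they do.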
Unlike many other competitive systems in the CMS landscape, TYPO3 has an unarguable reputation of being very flexible and open in regards to customization. The internal architecture, several public APIs and hooks/signals allow PHP developers to build solutions that perfectly meet their clients’ needs. At the same time, LTS releases often introduce new state-of-the-art technologies, which make working with the CMS an enjoyable journey for developers. TYPO3 v9 LTS offers similar advantages and the following paragraphs describe highlights for integrators and developers.
Developers can now omit many of the default database attributes in the “ext_tables.sql” file of their extension. The database schema analyzer has been made smarter for TYPO3 v9 LTS and now creates most of the management fields automatically, e.g. “uid”, “pid”, “sorting”, start and stop date/time, the hidden and deleted flags, etc. Therefore, developers can focus more on the business logic and let TYPO3 take care of the creation of system-internal fields and fields which are required for the language management and workspaces.
In previous versions of TYPO3 a lot of data from various parts of the system was scattered about. TYPO3 v9 LTS introduces a new Context API that aims to replace these globally available objects (e.g. TSFE, sys_page, BE_USER). Instead of exposing a full object, “aspects” of the API only contain properties, which are relevant and required. The main goal of this concept is to centralize global variables in a common, structured and logical way.
The PHP Standard Recommendation (PSR) is a specification published by the PHP Framework Interop Group. By following this specification, software applications ensure high quality coding standards, a best-practice system design and interoperability with independent libraries.
Earlier this year, TYPO3 introduced PSR-15 middlewares both in the frontend as well as in the backend. This makes TYPO3 one of the first enterprise content management systems on the market to take this step. All web requests in the TYPO3 core return a response that complies with PSR-7, the standard for HTTP message interfaces.
Developers know how important logging is and that a common interface can be crucial to track errors, record important events and debug problems. The PSR-3 standard describes a logging interface for PHP applications, which is now used by all logging procedures throughout the TYPO3 system.
The aforementioned System Maintenance Area in the backend of TYPO3 contains a function named “Feature Toggles”, which allows TYPO3 integrators to enable and disable core features as required. In combination with a new API class “Features”, TYPO3 v9 provides an easy way for developers to build new features next to their legacy version and for integrators to control if and when to switch to the new feature.
Conditions in TypoScript have a long history and are widely used. As another major step forward, we have now introduced the Symfony ExpressionLanguage component to TYPO3 v9 LTS. The ExpressionLanguage component uses a specific syntax and adds a number of powerful features to TypoScript conditions for the frontend, as well as for the backend. A set of useful variables and functions are already shipped with the TYPO3 core, and developers can extend further as required.
In TYPO3 v9 LTS, you can now leverage SwiftMailer’s queue functionality - also known as “spool transport”. In most cases, developers want to send out emails immediately, but under certain circumstances, queuing emails and processing them later is beneficial, e.g. for performance reasons. This is now possible: mails can be queued in memory or in files. If the latter, sending of spooled emails can be triggered by a command line call or by a scheduler task.
We understand how important an upgrade from one major version to the next is. This process should be as simple as possible with a minimum of effort (in particular from one LTS to the latest LTS release), but often depends on installed third-party extensions. We have paved the way by introducing the Extension Scanner to TYPO3 v9 LTS. This tool provides an interactive interface to scan extension code for the usage of TYPO3 core APIs which have been removed or marked deprecated. The result is a detailed overview of what needs to be done to accomplish a successful migration to the next version of TYPO3. If extensions use deprecated API calls, the Extension Scanner even suggests the appropriate documentation on how to migrate this specific piece of code.
After reading through all the amazing new features and improvements, we understand that you can hardly wait to check out the new version now. Let’s take a look at the system requirements for TYPO3 v9 LTS - an enterprise system built with a keen eye to future development.
TYPO3 v9 LTS requires a modern technology stack with PHP version 7.2 and a database server such as MySQL, MariaDB, PostgreSQL or Microsoft SQL Server. All commonly used web servers are supported (e.g. Apache, nginx, Microsoft IIS, etc.). At least 256M bytes of memory should be allocated to PHP. The Installation and Upgrade Guide provides further details about the system requirements and recommended settings.
TYPO3 v9 LTS also supports “SQLite”, a popular lightweight and file-based database solution natively available in PHP. Using SQLite means TYPO3 web instances can run natively in PHP, which makes perfect sense for relatively small TYPO3 sites or e.g. for test and development instances.
There are various ways to install TYPO3. The traditional way is to download the source package at get.typo3.org. Of course you also can use the modern approach and set up a project using composer. Detailed installation instructions are available at get.typo3.org/version/9 and in the Installation and Upgrade Guide.
As an LTS release, TYPO3 version 9.5 marks the last version of the 9.x series and will receive maintenance and bug fixes for 1.5 years, and security updates for at least three years until October 2021. The TYPO3 GmbH offers extended support for TYPO3 v9 LTS until 2024.
To learn more about the new features, changes and improvements of TYPO3 v9 LTS, have a look at the TYPO3 What’s New Slides and the detailed release notes of the Sprint Releases v9.0 to v9.5.
The TYPO3 Core Team would like to thank all contributors for making this milestone come true. Everyone involved had an important part in this project and without your time and enthusiasm, we would not be where we are today. Many thanks for all your development work, for reporting bugs, reviewing changes, testing fixes and new features, maintaining the infrastructure, hardening the security, for writing, editing and copyediting documentation and articles, for organising and sponsoring events, participating in code sprints, sharing your knowledge and supporting others and spreading the word about TYPO3.
The TYPO3 community also thanks all the sponsors who contributed to, or financially supported any strategic initiatives and TYPO3 events and Inge Bateman for her valuable input in creating this article.