Features in TYPO3 10 LTS

Secure Password Reset/Recovery

Introduced in version 10.4

Another notable new feature in TYPO3 v10 LTS is the “password recovery” function for backend users. Previously, administrators created backend user accounts and assigned passwords. They then had to provide the users with their access details. The same applied to cases where users forgot their passwords. From a security perspective, this is not considered state-of-the-art anymore. Administrators should not need to deal with user passwords at all.

In TYPO3 v10 LTS, administrators can trigger a password reset for users in the TYPO3 backend. Backend users are now also able to request a password-reset email in a secure way.

To ensure a high standard, we have built a number of security features into this function.

  • No information about existing users is disclosed.
  • The link in the email is only valid for a limited time.
  • There is a rate limit on how often a recovery email can be requested.

On systems that have special security requirements, the function can also be deactivated for administrator accounts. Alternatively, the function can be completely disabled for all users. This may become relevant in installations with third-party integrations such as LDAP or OAuth.
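The three safeguards listed above and the two switches for disabling the feature, modelled as an added Python example. It is not TYPO3's code: the class name, the lifetime and limit values, the keyed token digest and single-use redemption are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 2 * 60 * 60   # assumed link lifetime in seconds
WINDOW = 30 * 60          # assumed rate-limit window in seconds
MAX_REQUESTS = 3          # assumed requests allowed per address per window
GENERIC_REPLY = "If the account exists, a recovery email has been sent."


class ResetService:
    """Hypothetical model of a reset flow; not TYPO3's implementation."""

    def __init__(self, users, secret, enabled=True, allow_admins=True, clock=time.time):
        self.users = users                # {email: {"admin": bool}}
        self.secret = secret              # server-side key for hashing stored tokens
        self.enabled = enabled            # False models "disabled for all users"
        self.allow_admins = allow_admins  # False models "disabled for administrators"
        self.clock = clock
        self.pending = {}                 # email -> (token digest, expiry timestamp)
        self.requests = {}                # email -> timestamps of recent requests
        self.outbox = []                  # (email, token) pairs; stands in for the mailer

    def _digest(self, token):
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def request_reset(self, email):
        now = self.clock()
        # Count every request, known address or not, so the limiter leaks nothing.
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW]
        recent.append(now)
        recent = recent[-(MAX_REQUESTS + 1):]   # bound memory under a flood
        self.requests[email] = recent
        user = self.users.get(email)
        eligible = (
            self.enabled
            and user is not None
            and (self.allow_admins or not user["admin"])
            and len(recent) <= MAX_REQUESTS
        )
        if eligible:
            token = secrets.token_urlsafe(32)
            # Only a keyed digest is stored, so a database leak does not yield links.
            self.pending[email] = (self._digest(token), now + TOKEN_TTL)
            self.outbox.append((email, token))
        # Same reply in every case: nothing reveals whether the account exists.
        return GENERIC_REPLY

    def redeem(self, email, token):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() >= expires_at:
            del self.pending[email]       # expired link is discarded
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self.pending[email]           # single use: an assumption of this example
        return True
```
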

Documentation

Better UX for Backend User Management

Introduced in version 10.4

The mechanism for handling user permissions in TYPO3 is known as the most powerful and technically mature access control method you can get from an open-source enterprise CMS. At the same time, backend user accounts are, without question, one of the most important data sets in a TYPO3 system. Managing user accounts, user groups, and their permissions is not easy if you don’t have a clear and well-curated overview of the data.

We’ve improved the backend user module to make it easier for integrators to manage users and user groups. The updated user detail view now shows:

  • User data such as real name, email address
  • User start/stop date
  • All groups, subgroups, permissions
  • DB and file mounts
  • Read/write access to tables
  • And more!

Documentation

Frontend Login Improvements

Introduced in version 10.4

The frontend login functionality provides a simple way for users to log in and access restricted areas of a website. The feature has been migrated and uses the Extbase programming framework and the Fluid templating engine in TYPO3 v10 LTS.

This solution offers developers and integrators a few advantages:

Customize the appearance: Update or completely change appearance by simply modifying the Fluid templates. This includes not only the login form and other functions visible at the frontend, but also emails that go out to end-users, for example password recovery emails.

Stricter security: Another exciting effect of the switch to Extbase applies to so-called “validators”: pieces of PHP code that check whether a password meets certain security requirements. Developers and integrators alike can now adjust and modify these validators and enforce strict password restrictions.

This enhanced flexibility in TYPO3 v10 LTS allows agencies to highly customize the login functionality for frontend users.

Documentation

Browser-native Lazy-loading for Images

Introduced in version 10.4

Of the resources needed to serve up a modern web page, images pack the biggest punch in terms of file size. To help, lazy-loading for images has been adopted as a standard to improve load-times, reducing the burden on both servers and users. TYPO3 is the first major content management system that offers lazy-loading out-of-the-box.

Lazy-loading defers loading images, starting with a lightweight placeholder image, and only serving up the higher resolution when it’s needed. For example, if a visitor doesn’t scroll all the way down the page, that media won’t even load. This reduces the amount of data transferred and the processing time. This helps both at the server and client side to make for a faster site and better user experience.

The “loading” attribute for image tags was accepted and published last year as a new HTML standard (see the specification for further technical details). The purpose of this attribute is to tell browsers whether they should load images that are outside the viewport. As browser vendors start adding support for this feature, TYPO3 v10 LTS already allows integrators and developers to configure and use this functionality.

Dashboard

Introduced in version 10.3

The biggest and probably the most exciting new feature, eagerly awaited by the community, made it into the TYPO3 core in time: dashboards.

The dashboard provides backend users with a quick overview of important system information and statuses. At-a-glance information is displayed in widgets, and a wide range of types and styles are available out-of-the-box. Some standard widgets are included in the TYPO3 core, for example a “call-to-action button”, the Getting Started Tutorial, the TYPO3 news as an RSS feed, and some basic information about the current TYPO3 instance.

Flexibility and expandability were important factors during the concept phase and development of dashboards. Developers can create their own widgets and backend users can not only configure multiple dashboards (and easily switch between them), but also add, remove, and even rearrange widgets to their heart’s content.

To learn more about dashboards, read the article “An Update About the Dashboards” by Richard Haeser (Initiative Lead).

Documentation

New Translation Server

Introduced in version 10.3

TYPO3 is famous for its multilingual backend: there are not many content management systems on the market that allow users to work in the administrator area in their native language, no matter which language this is — as long as a translation exists.

After a long history with Pootle, TYPO3 now uses Crowdin to take translations to the next level. Georg Ringer, who leads the localization initiative, gave us an insight into the concept and the idea behind the initiative last year (see his article “Better Multilingual Support”). The SaaS solution Crowdin is now used as the localization/translation management platform for TYPO3 v10 by default, and you can do more than just translate the languages for the TYPO3 backend. The solution can also be used to translate labels of TYPO3 extensions, your extensions!

As TYPO3 v9 LTS will be supported until October 2021 at least, this feature is optionally available since TYPO3 version 9.5.14 as a feature toggle.

See the documentation for further details.

Documentation

HTML-based Templated Emails

Introduced in version 10.3

Up until now, TYPO3’s system emails were just plain text emails. But not anymore!

TYPO3 v10.3 now supports nice looking template-based HTML and plain-text emails by using the Fluid templating engine. Several emails created by the TYPO3 core use the new format: for example the notification email that can be triggered if a user logs into the backend, or the email that is sent to the appropriate users when an element changes its workspace stage.

Why don’t you trigger a test email in the Install Tool yourself to see how nice an HTML-based email can look?

But this is not all: by overwriting the default paths to the Fluid template files, developers and integrators can implement their own customized email templates. Imagine system-generated notification emails with the brand logo and colors of your agency! How amazing is this?

Documentation

Improved User’s Privacy with SameSite Cookies

Introduced in version 10.3

We cannot stress this enough — in fact I think we have mentioned it in almost every release announcement article over the last few years — security is one of our top priorities and maximum privacy settings are TYPO3’s defaults.

Now TYPO3 supports SameSite cookies to improve users’ privacy. Modern browsers such as Firefox, Chrome, Opera, Microsoft Edge and Safari include this new feature to “mitigate the risk of cross-origin information leakage”, with “some protection against cross-site request forgery attacks” according to OWASP. Websites and web applications can set a flag with each cookie that declares if the cookie should be restricted to a first-party or same-site context. In other words, we can now define whether certain information (e.g. the session cookie) is shared with third-party sites, for example when scripts or iframes are used on a site.

All cookies sent by TYPO3 now support the SameSite-flag. Frontend session cookies are set to “SameSite=Lax” and backend session cookies as well as Install Tool session and workspace cookies set the more restrictive “SameSite=Strict” flag.

Under a few rare circumstances (for example with OAuth2 or OpenID connect solutions), the default settings might be too strict. For these edge cases, the Install Tool offers a system configuration to adjust the SameSite cookies policies.
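A check for the defaults described above, added here as an example and not taken from TYPO3: it parses captured Set-Cookie headers and reports any TYPO3 cookie whose SameSite value is missing or weaker than the stated default, which is also how a deliberate relaxation for OAuth2 or OpenID Connect would show up for review. The cookie names are TYPO3's default names (an assumption, since installations can rename them) and the sample headers are constructed.

```python
# Documented defaults from the text above, keyed by TYPO3's default cookie
# names (assumed; an installation may have renamed them).
EXPECTED = {
    "fe_typo_user": "lax",
    "be_typo_user": "strict",
    "Typo3InstallTool": "strict",
}
RANK = {"none": 0, "lax": 1, "strict": 2}

# Constructed sample of Set-Cookie header values, for illustration only.
SAMPLE_HEADERS = [
    "fe_typo_user=a1; path=/; HttpOnly; SameSite=Lax",
    "be_typo_user=b2; path=/; secure; HttpOnly; SameSite=lax",
    "Typo3InstallTool=c3; path=/; HttpOnly",
    "fe_typo_user=d4; path=/; SameSite=None",
]


def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit(headers):
    """Return (cookie name, finding) pairs for cookies that deviate from EXPECTED."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in EXPECTED:
            continue
        want = EXPECTED[name]
        got = attrs.get("samesite", "").lower()
        if got not in RANK:
            findings.append((name, "SameSite attribute missing or invalid"))
        elif RANK[got] < RANK[want]:
            findings.append((name, f"SameSite={got} is weaker than the default {want}"))
        if got == "none" and "secure" not in attrs:
            findings.append((name, "SameSite=None without Secure is rejected by browsers"))
    return findings


if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {finding}")
```
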

By the way, due to its importance and doubtless privacy improvement, the SameSite cookies feature has also been implemented in TYPO3 v8 and v9 earlier this month, so that you can apply enhanced privacy settings even in older versions of TYPO3.

Documentation

Adjusted System Requirements

Introduced in version 10.3

Back in March 2019, we announced that version 5.7 or later is required if you use the popular MySQL database server for TYPO3 v10. Although this version is fully supported and can be used without problems, you can even use a lower version. TYPO3 v10 LTS will be compatible with MySQL version 5.5 or later.

Needless to say, MySQL is not the only database engine that has been successfully tested with TYPO3. We also officially support MariaDB, PostgreSQL, and the PHP-embedded database engine SQLite.

You can find out more about the system requirements in the official documentation.

Documentation

Fluid-Based Frontend Login Form

Introduced in version 10.2

System integrators use the system extension Frontend Login (extension key “felogin”) to provide a simple way for users to log in and access restricted areas of a website, with a password recovery function as well. However, it was cumbersome for integrators and developers to modify the templates. While all other system extensions use the modern Fluid templating engine, Frontend Login was the only extension that was still based on “Marker-based” templates.

TYPO3 v10.2 now includes an Extbase-version of that frontend login functionality. This solution has a few advantages:

  • Modify the templates more easily.
  • Send out HTML-based password recovery emails.
  • Adjust and modify validators to enforce password restrictions.

The new Extbase plugin is available out-of-the-box for new installations. To avoid losing modifications on existing TYPO3 instances, they will continue to use the old templates by default (use the feature toggle in TYPO3 v10.2 to explicitly enable the Extbase-version).

Documentation

System Extension “Form”

Introduced in version 10.2

Based on our experience and the feedback from the community over the last few months, several improvements have been made to the system extension Form. These changes affect editors, integrators as well as developers. Backend users benefit from an enhanced form creation wizard that supports navigating to previous steps and descriptive labels such as “Start” or “Finish”, rather than the numerical indicator “Step x of y”.

Integrators will embrace a streamlined setup (only one general configuration file “FormSetup.yaml” is used) and an optimized configuration structure.

Documentation

Developer Joy with More PSR-14 Events

Introduced in version 10.2

Hooks and the Signal/Slot concept are among TYPO3’s superpowers. The latter allows extending the core functionality by emitting a signal that notifies other components about a specific event. Extension developers love this technology and we took it to the next level by introducing PSR-14 events to the TYPO3 core in version 10.0.

Today we are more than happy to announce that all existing Signal/Slots of the TYPO3 core have been migrated to PSR-14 events in TYPO3 v10.2. Existing slots of custom extensions will continue to work, but we strongly recommend that extension developers migrate slots to PSR-14 event listeners now.

To learn how simple it is to migrate to PSR-14 events, developers can review the code change of the FileMetadataOverlayAspect for example.

Documentation

Improved User’s Privacy

Introduced in version 10.2

Widget ViewHelpers set a session cookie in the frontend under certain circumstances, for example when the Autocomplete-ViewHelper is used. To improve users’ privacy and comply with the European Union’s General Data Protection Regulation (EU GDPR), a boolean argument storeSession can be set to enable/disable the cookie.

Documentation

No More Broken Links with the Link Validator

Introduced in version 10.2

Configured as a Scheduler task, TYPO3’s Link Validator aims to detect broken links throughout the system. This indispensable feature has been extended further and now supports pages, files and even external links. External links can also be validated on-the-fly now.

Documentation

Pagination API for Listing Items

Introduced in version 10.2

Comfortably browsing through lists of items is a common use-case for websites and web applications alike. The TYPO3 core makes it easy for developers to implement such a solution that is also highly flexible and customizable. The new Pagination API lets users browse any kind of data — from database records to arrays and QueryResults. Everything that is “iterable” can be paginated and the TYPO3 core will make use of this useful API even more in the near future.

Documentation

PHP 7.4 and Symfony 5.0 Support

Introduced in version 10.2

This release paves the way for a cutting-edge environment. TYPO3 v10.2 not only supports Symfony version 5.0, but is also the first TYPO3 release that supports PHP version 7.4. It should come as no surprise that our latest sprint release works with the new version of PHP. However, we are also working on making TYPO3 v9 compatible with PHP 7.4 (without breaking lower versions of course).

Documentation

Detect conflicting redirects

Introduced in version 10.1

The Redirects backend module was introduced with TYPO3 v9 and lets site administrators add and configure redirects. The source path can be an arbitrary name or it can be represented as a regular expression. This provides great functionality but what if a redirect has the same name as a page URL? Configuration mistakes like this happen and TYPO3 now offers a simple solution to detect conflicting redirects: a CLI command that shows a list of clashes (if any exist). This command can also be configured as a scheduler task, and the results are shown in the backend under “SYSTEM ➜ Reports”.

Documentation

Slug updates and redirects

Introduced in version 10.1

Supporting backend users in their daily work and making TYPO3 as robust and user-friendly as possible has always been very high on our list. Sometimes it is necessary to change the URL path of a page (the so-called “slug”) and backend users can easily do that in TYPO3 if they have the appropriate access permissions. However, such an action usually results in a “page not found” error if a visitor to the site tries to access a page using the old slug. TYPO3 version 10.1 now features an intelligent solution: It automatically updates the relevant slugs for all sub-pages and can create redirects from the old to the new URL. Backend users are informed about these actions and can easily roll back the changes with a click of a button.

Documentation

Cache presets

Introduced in version 10.1

As an enterprise content management system, TYPO3 is well-known and popular for powering very large websites and applications without problems. But also small to medium-sized web projects running on shared hosting environments use TYPO3 for various reasons. Two of these are performance and the option to fine-tune almost every aspect of an installation.

TYPO3’s caching framework uses the database as the storage for caching by default. However, various tests show that this is, under certain circumstances, not the best-performing configuration. Depending on the environment and hosting setup, a cache stored in the file system is faster. Integrators and administrators can now configure the storage type for caches.

Documentation

Define File upload default action

Introduced in version 10.1

Integrators will embrace this new feature and backend users will love it for sure: the default action when backend users upload files is now configurable! In previous TYPO3 versions, the default was “Skip this file” if backend users tried to upload a file that already exists. This is, of course, the safest option, but TYPO3 v10.1 allows you to re-configure it, making the file upload functionality more flexible and user-friendly. Available options are “replace”, “rename”, and “cancel”.

Documentation

Custom file processors

Introduced in version 10.1

Developers will be ecstatic about another new feature regarding file uploads. You can now register your own file processors. If you don’t have a clue what purpose this could have, think about any operation you could apply on a file that is uploaded by a backend user! Here are some use cases: add watermarks to images, compress uploaded files to a ZIP archive, store a copy of a cropped image, transfer uploaded files to a second storage location, etc.

We can't wait to see the first extensions that implement a custom file processor and make use of this feature!

Documentation

Backend notifications

Introduced in version 10.1

“Notifications” are an essential element of the user interface. These are small boxes that sometimes pop up in the top right corner of the TYPO3 backend and inform the user about certain events. This could be a notification about a process that successfully finished, a warning that something occurred unexpectedly, or a fatal error to inform the user that he/she is really in trouble now.

Wouldn’t it be awesome if these notifications would feature buttons the user can click? Good news: as a matter of fact, developers can now implement actions to execute JavaScript functions.

However, keep in mind that notifications usually disappear automatically after a few seconds, so think carefully how users may interact with these components before you implement buttons in backend notifications.

Documentation

Cache dependency injection

Introduced in version 10.1

Caching has been an important success factor, and that’s why we never tire of improving this component in TYPO3 whenever and wherever we can. Symfony’s Service Container was introduced in TYPO3 version 10.0, and this now allows us to inject cache objects directly rather than using the CacheManager.

In other words: the TYPO3 core now provides all core caches as dependency injection services and extension developers are encouraged to leverage this pattern from now on. To do this, add your cache service to the file “Configuration/Services.yaml” and dependency injection takes care of passing the cache to your class constructor. Since TYPO3 version 10.1 developers don’t need to use the “CacheManager” anymore.

Does this sound complicated? In fact, it is not: have a look at the documentation which also shows some code examples.

Documentation

Improved site handling

Introduced in version 10.0

Native site handling was introduced in TYPO3 v9 LTS — the foundation for deterministic URL handling as well as multi-site and multi-language functionality. TYPO3 v9 still allows integrators to use sys_domain records (the old method of a multi-domain setup). This compatibility has been removed and setting up a site is now mandatory in v10.0. TYPO3 integrators benefit from the numerous advantages of a consistent and standardised site handling and faster ramp-up times for new sites.

Documentation

New dependency injection

Introduced in version 10.0

The aforementioned goal to use robust and established standards and PHP packages throughout the TYPO3 core is also evident in another area of paramount importance: “dependency injection” (DI). This technique comes into play when one object supplies the dependencies of another object. PHP objects that do not contain state are called services and are logically encapsulated in service containers.

By applying Symfony’s Service Containers architecture we take dependency management and dependency injection for PHP classes to a new level. This approach aims to replace the Extbase dependency injection container and object manager which means we can do without both GeneralUtility::makeInstance() to retrieve singletons and static methods like getInstance() in the future.

Developers are encouraged to read the Symfony documentation and to keep an eye on the PSR-11 Initiative and its sub-tasks.

Documentation

Event dispatcher

Introduced in version 10.0

We told you: TYPO3 version 10.0 is the perfect release to introduce new, modern technologies to excite every TYPO3 developer. In fact, we have actively contributed to the PSR-14 standard over the last year, and added this to the TYPO3 universe.

Hooks and the Signal/Slot concept are among TYPO3’s superpowers. The latter allows extending the core functionality by emitting a signal that notifies other components about a specific event. TYPO3 extension developers can leverage this technology and build upon the core feature.

We've now added an Event Dispatcher to the TYPO3 core (clearly specified in PSR-14), that has the same API as the Zend Framework or Symfony's EventDispatcher Component. “Events” will be added over the course of the next TYPO3 sprint releases and this technology aims to replace hooks and Signal/Slots in the mid term.

As an extension developer you don’t need to worry: hooks and registered slots remain as they stand now and will work the same way as before for the time being.

Documentation

PHP class/property analysis

Introduced in version 10.0

Extbase (the powerful MVC framework used in TYPO3) enables core and extension developers to write awesome functions for TYPO3 in a clean and consistent way (“convention over configuration”). The analysis of custom PHP classes and their properties is a key function of Extbase. This crucial task is now handled by Symfony's PropertyInfo Component. By using a PHP package that follows industry standards, is well-known, and maintained by a huge community, we ensure that this component of Extbase remains state-of-the-art for years to come. At the same time we reduce our maintenance efforts and open the doors for new functionality for extension authors.

Documentation

mailer API

Introduced in version 10.0

TYPO3 has used the feature-rich SwiftMailer library to generate and send out emails. However, active development has stagnated and we decided to use another great Symfony solution with a modern API: the “Mime” package for composing emails and “Mailer” package for processing and sending them.

Both components are state-of-the-art and enable us to generate HTML-based emails in various places of the core, where currently simple text-only emails are implemented.

Documentation