TYPO3 11.5.20

Release Notes

Version 11.5.20

Release Notes for TYPO3 CMS 11.5.20

This document contains information about TYPO3 CMS 11.5.20 which was released on 13.12.2022.

Get TYPO3 11.5.20 now

Checksums of TYPO3 11.5.20


14bcd4012322ebf5a9da7241821e0fc40c8e91ab5f283709de96300c7940c439 typo3_src-11.5.20.tar.gz
ad11d45b7eae08f48ec23716185e946ea4f8c59cb46bd81dba63412e6547c92f typo3_src-11.5.20.zip


e68d12ea6dc1c164eb4ee3973f13a6e698acbc66 typo3_src-11.5.20.tar.gz
ca7303c900e85804e7741f7860a578e0b6bf05f1 typo3_src-11.5.20.zip


bb161a085b756740790e161778cdd4e0 typo3_src-11.5.20.tar.gz
b1bc75357026f6827e58b7141a257bb4 typo3_src-11.5.20.zip


The usual upgrading procedure applies. No database updates are necessary. It might be required to clear all caches; the "important actions" section in the TYPO3 Install Tool offers the accordant possibility to do so.


Here is a list of what was fixed since 11.5.19:

  • 2022-12-13 7dd798416c [RELEASE] Release of TYPO3 11.5.20 (thanks to Oliver Hader)
  • 2022-12-13 f34511b764 [SECURITY] Upgrade to typo3/html-sanitizer v2.1.1 (thanks to Oliver Hader)
  • 2022-12-13 e271621f62 [SECURITY] Disallow introducing Yaml placeholders in user interface (thanks to Oliver Hader)
  • 2022-12-13 fb74f1d668 [SECURITY] Prohibit TypoScript in form yaml files (thanks to waldhacker)
  • 2022-12-13 4a41c71b8c [SECURITY] Destroy user sessions on password change (thanks to Torben Hansen)
  • 2022-12-13 640a6f6285 [SECURITY] Use signed storage PID during frontend authentication (thanks to Oliver Hader)
  • 2022-12-13 1e5f44417f [SECURITY] Avoid DoS when generating Error pages (thanks to Benni Mack)
  • 2022-12-13 6c6f137e28 [TASK] Add HTTP host header injection check to reports module (thanks to Oliver Hader)
  • 2022-12-13 22d777eb51 [BUGFIX] Avoid double UTF-8 encoded PDF metadata in file indexer (thanks to Benjamin Franzke)
  • 2022-12-13 42271d9b30 [DOCS] Add example for hook modifyBlindedConfigurationOptions (thanks to Stephan Großberndt)
  • 2022-12-09 c4c07fbf11 [DOCS] Fix links of "Edit on GitHub" button (thanks to Chris Müller)
  • 2022-12-07 2aa2206cd2 [BUGFIX] Avoid exceptions / PHP 8 error with empty list_type (thanks to Benni Mack)
  • 2022-12-07 1c2e12653d [BUGFIX] Fix addService PHP 8 warning (thanks to Benni Mack)
  • 2022-12-07 5488994d9d [TASK] Introduce string fragment extraction (thanks to Oliver Hader)
  • 2022-12-06 3402b30553 [BUGFIX] Cast integer values in Fluid ViewHelpers (thanks to Achim Fritz)
  • 2022-12-06 cc19dbddcd [BUGFIX] Add figure tag to external blocks in rte parsing (thanks to Benjamin Kott)
  • 2022-12-06 96846de7f4 [BUGFIX] Allow <figure> tag outside of paragraph tags (thanks to Benni Mack)
  • 2022-12-05 e537029c0e [BUGFIX] Ensure correct page-section cache identifier calculation (thanks to Stefan Bürk)
  • 2022-12-05 4e884800da [TASK] Upgrade to typo3/html-sanitizer v2.1.0 (thanks to Oliver Hader)
  • 2022-12-05 5202467549 [TASK] Display language label keys in configuration module (thanks to Oliver Bartsch)
  • 2022-12-03 662b4b5179 [BUGFIX] Allow search terms with large special chars (thanks to Tomas Norre Mikkelsen)
  • 2022-12-02 48a379e8d1 [TASK] Update guzzle components (thanks to Benni Mack)
  • 2022-12-01 312ed402dd [BUGFIX] uft8 encode text to allow special chars in PDF metadata (thanks to Tomas Norre Mikkelsen)
  • 2022-12-01 dc0ad26929 [TASK] Extend testing range to PHP8.2 with more dbms versions (thanks to Stefan Bürk)
  • 2022-11-28 6f7b297844 [BUGFIX] Cover invalid type db input in ContentObjectRenderer->getData (thanks to Nikita Hovratov)
  • 2022-11-27 2d7ad4cd51 [BUGFIX] Avoid undefined array key warning in LanguageService (thanks to Stefan Bürk)
  • 2022-11-25 fee58b6403 [TASK] AdminPanel: Group sql queries made by PageRepository (thanks to Christoph Lehmann)
  • 2022-11-25 e5bc0eabe6 [BUGFIX] Close shortcut menu when opening an entry (thanks to Andreas Fernandez)
  • 2022-11-23 2474d169db [BUGFIX] Avoid undefined array key access in LanguageMenuProcessor (thanks to J. Peter M. Schuler)
  • 2022-11-23 6ce2949466 [BUGFIX] Avoid undefined array keys in Indexer (thanks to Chris Müller)
  • 2022-11-23 fa7b0589dc [BUGFIX] Avoid undefined array key in AbstractPlugin::pi_exec_query (thanks to J. Peter M. Schuler)
  • 2022-11-23 e389a171a2 [BUGFIX] Avoid undefined array key in ContentObjectRenderer::parseFuncInternal (thanks to J. Peter M. Schuler)
  • 2022-11-22 9d27452950 [BUGFIX] Avoid undefined array key in ContentObjectRenderer:noTrimWrap (thanks to J. Peter M. Schuler)
  • 2022-11-22 f640747470 [BUGFIX] Use correct ordering of nl2br & htmlspecialchars (thanks to Georg Ringer)
  • 2022-11-22 550c250fb3 [BUGFIX] Recover felogin password recovery functionality (thanks to Markus Klein)
  • 2022-11-21 8b3eb1ac9a [BUGFIX] Prevent PHP 8.1 runtime deprecation notice in IconRegistry (thanks to Nikita Hovratov)
  • 2022-11-20 4853855619 [TASK] Remove a useless WorkspaceService test (thanks to Christian Kuhn)
  • 2022-11-20 2796a33502 [BUGFIX] Fix variable assignment of default duplication behaviour action (thanks to Oliver Bartsch)
  • 2022-11-19 3250cf9f07 [BUGFIX] Make file processing configuration serializable (thanks to Roman Büchler)
  • 2022-11-19 0674795a54 [TASK] Improve type annotations in Extbase\Annotation classes (thanks to Oliver Klee)
  • 2022-11-19 256ddbf345 [TASK] Improve type annotations for GU::locationHeaderUrl (thanks to Oliver Klee)
  • 2022-11-19 df4b99a1dc [BUGFIX] Avoid undefined array key in ContentObjectRenderer::stdWrap (thanks to J. Peter M. Schuler)
  • 2022-11-19 5a538b8e49 [BUGFIX] Avoid undef array key in ContentObjectRenderer (thanks to Christian Kuhn)
  • 2022-11-18 82780ade8c [BUGFIX] Do not mark the FAL-related Extbase models as internal anymore (thanks to Oliver Klee)
  • 2022-11-17 894928ddfd [BUGFIX] Avoid accessing null-row (thanks to Ingo Fabbri)
  • 2022-11-17 0ca57511ca [TASK] Make action name in ActionController::redirect/forward nullable (thanks to Oliver Klee)
  • 2022-11-17 a871015a7b [BUGFIX] Avoid undefined array key "title" in BackendUtility (thanks to Matthias Vogel)
  • 2022-11-17 399da67456 [TASK] Annotate ActionController methods that never return (thanks to Oliver Klee)
  • 2022-11-16 8eb18654af [BUGFIX] Avoid undefined array key "pointer." in AbstractPlugin (thanks to J. Peter M. Schuler)
  • 2022-11-16 9004231dba [BUGFIX] Avoid undefined array key in AbstractPlugin pi_isOnlyFields (thanks to J. Peter M. Schuler)
  • 2022-11-15 e11b2cce25 [TASK] Streamline TYPO3\CMS\Core\Utility\ArrayUtility::filterRecursive (thanks to Oliver Hader)
  • 2022-11-15 7ab385466e [BUGFIX] Avoid undefined array key "parent." in AbstractPlugin (thanks to Chris Müller)
  • 2022-11-15 9f4b0554c9 [BUGFIX] Localize plugin names in EXT:indexed_search and EXT:form (thanks to Chris Müller)
  • 2022-11-15 b281a4be73 [TASK] Set TYPO3 version to 11.5.20-dev (thanks to Benni Mack)