TYPO3 v10 LTS — Safe and Sound
Editor's note: This is a repost of the original article from the TYPO3 association's website. Both Benni Mack as well as Michael Schams are credited as authors of this article. Find the original post here.
We are thrilled to announce the release of TYPO3 v10.4, also called TYPO3 v10 LTS indicating this is a long-term support version. This version is our new flagship and is, without doubt, one of the most advanced PHP-based open-source content management systems on the market.
After publishing five sprint releases since July 2019, we can proudly claim that we have equipped TYPO3 with the top modern PHP libraries and that we have introduced some fantastic new enterprise features. TYPO3 raises the bar even higher, and the core of the system is more stable than ever.
This article summarizes the major changes of all 10.x sprint releases and why website owners, integrators, developers, and editors alike will embrace the new LTS version.
Before we started working on TYPO3 v10 more than 1.5 years ago, we set two important goals:
- Improve site setup and template handling.
- Innovate via initiatives—organized in small development groups.
We improved site setup and template handling to enhance the site-creation experience for TYPO3 integrators and agencies. With the “Site Management” backend module, integrators will make configurations for one or more websites at a central point in the TYPO3 system. Setting up these “sites” is now mandatory in v10 LTS and TYPO3 generates a basic configuration automatically. Now, integrators can set up a TYPO3 instance from scratch in seconds.
We’ve innovated through strategic initiatives to change the development of TYPO3 itself. TYPO3 is open-source and the core team is amazed to see so many high-quality contributions by developers around the globe. As I pointed out in an article in 2019:
“Initiatives are the place where new concepts are evaluated, discussed and developed outside of the fixed roadmap for the TYPO3 core.”
Initiatives are independent and community-driven, and a number of great initiatives made it into the core of TYPO3 v10. One of the most noticeable visual changes came out of an initiative: the new Dashboard will greet users when they log into the backend.
Let’s have a closer look at what backend users (for example editors) can expect from TYPO3 v10 LTS.
Flexible and expandable Dashboards
The new system extension “dashboard” provides backend users with a quick overview of the current system status. The dashboard can also:
- Show news from external RSS feeds.
- Display statistics.
- Display information as lists, charts, diagrams.
- Engage users with call-to-action buttons.
These are just a few examples. Backend users can not only configure multiple dashboards (and easily switch between them), but they can also add, remove, and even drag-and-drop widgets to any position in their dashboard.
Dashboards feature great flexibility and expandability. We made it super-easy for developers to create their own widgets and publish them as TYPO3 extensions. TYPO3 v10 LTS comes with a selection of widgets already.
Read more about the Dashboard in the TYPO3 documentation.
User-friendly Form Framework Wizard
Forms are an essential part of many websites and web applications. Typical use cases are contact forms, support requests, forms to capture leads on a product site, etc.
The multi-step form creation wizard is newly enhanced for backend users. Now, users navigate through steps with descriptive labels such as “Start” or “Finish” rather than the numerical indicator “Step x of y” previously used.
As only one general configuration file, “FormSetup.yaml” is required, integrators will enjoy a streamlined setup and an optimized configuration structure.
Read more about the Form Framework in the TYPO3 documentation.
Automatic updates for URL segments and redirects
Human-readable URLs were introduced as a core feature in TYPO3 v9. We were able to optimize this feature in TYPO3 v10 LTS further, to make it even simpler for backend users to work with and to update URL segments. Changing a slug automatically updates the segments of subpages now.
This is a great and logical feature, but does it mean that the old URLs become invalid? Don't worry: TYPO3 v10 LTS has you covered! The system automatically creates redirects to the new URLs, so website visitors always end up on the correct page.
But that’s not all: TYPO3 notifies backend users when it automatically executes URL updates. If they need to, users can revert the automated updates and redirects with the click of a button.
Secure password reset/recovery
Another notable new feature in TYPO3 v10 LTS is the “password recovery” function for backend users. Previously, administrators created backend user accounts and assigned passwords. They then had to provide the users with their access details. The same applied to cases where users forgot their passwords. From a security perspective, this is not considered state-of-the-art anymore. Administrators should not need to deal with user passwords at all.
In TYPO3 v10 LTS, administrators can trigger a password reset for users in the TYPO3 backend. Backend users are now also able to request a password-reset email in a secure way.
To ensure a high standard, we have built a number of security features into this function.
- No information about existing users is disclosed.
- The link in the email is only valid for a limited time.
- There is a rate limit on how often a recovery email can be requested.
On systems that have special security requirements, the function can also be deactivated for administrator accounts. Alternatively, the function can be completely disabled for all users. This may become relevant in installations with third-party integrations such as LDAP or OAuth.
Link Validator enhancements
Configured as a Scheduler task, TYPO3’s Link Validator aims to detect broken links throughout the system. This indispensable feature has been extended further and now supports inaccessible pages, files, and even external links. Now, external links can also be validated on-the-fly.
A special treat for developers: you can now extend the core functionality and develop custom checks to determine what might be a broken link.
Read more about the Link Validator in the TYPO3 documentation.
Integrators set up, configure, and maintain TYPO3 instances. In every TYPO3 release, it is a high priority for us to support them in their day-to-day work and to make sure that working with such a powerful and flexible system like TYPO3 is, and remains, straightforward and enjoyable.
Better UX for backend user management
The mechanism for handling user permissions in TYPO3 is known as the most powerful and technically matured access control method you can get from an open-source enterprise CMS. At the same time, backend user accounts are, without question, one of the most important data sets in a TYPO3 system. Managing user accounts, user groups, and their permissions is not easy, if you don’t have a clear and well-curated overview of the data.
We’ve improved the backend user module to make it easier for integrators to manage users and user groups. The updated user detail view now shows:
- User data such as real name, email address
- User start/stop date
- All groups, subgroups, permissions
- DB and file mounts
- Read/write access to tables
- And more!
Integrators also have the option to compare user accounts and user groups, including their permissions and other important data, in a clear and well arranged way.
Attractive HTML-based system mails
The customization options of the TYPO3 backend are exceptional. Extension developers can choose from a vast range of predefined input and control elements when building modules. Integrators can modify, remove, and relabel almost all aspects to meet a client’s specific requirement.
Before, it wasn’t possible to customize system-generated emails that it would send to users, at least not out-of-the-box. Now these emails use the Fluid templating engine to send template-based HTML emails. This feature is especially interesting for agencies as it is now possible to customize the design of these emails or even replace them completely. You can, for example, place a company logo or adjust the colors to make them more attractive with just a few simple steps.
Several TYPO3 system emails use this new format with customizable HTML-based Fluid templates, for example:
- Email notifications that a user has logged into the backend.
- Email notifications when an element changes its workspace stage.
- The password-reset email.
- The test email that can be triggered in the Install Tool (see screenshot above).
Frontend login improvements
The frontend login functionality provides a simple way for users to log in and access restricted areas of a website. The feature has been migrated and uses the Extbase programming framework and the Fluid templating engine in TYPO3 v10 LTS.
This solution offers developers and integrators a few advantages:
Customize the appearance: Update or completely change appearance by simply modifying the Fluid templates. This includes not only the login form and other functions visible at the frontend, but also emails that go out to end-users, for example password recovery emails.
More strict security: Another exciting effect of the switch to Extbase applies to so-called “validators” — a piece of PHP code that is used to validate if a password meets certain security requirements. Developers and integrators alike can now adjust and modify these validators and enforce strict password restrictions.
This enhanced flexibility in TYPO3 v10 LTS allows agencies to highly customize the login functionality for frontend users.
Read more about the Frontend login in the TYPO3 documentation.
Automatically detect conflicting redirects
We mentioned URL segments and redirects above. The backend module “Redirects” was introduced with TYPO3 v9 and lets site administrators add and configure redirects. The source path can be an arbitrary name or it can be represented as a regular expression. This provides great functionality but what if a redirect has the same name as an existing page URL?
Configuration mistakes like this can happen and TYPO3 now offers a simple solution to detect conflicting redirects: a CLI command that shows a list of clashes (if any exist). This command can also be configured as a scheduler task and the results are shown in the “Reports” backend module.
This command can also be configured as a scheduler task and the results are shown in the “Reports” backend module.
Translations with Crowdin
TYPO3 is famous for its multi language capabilities. This not only applies to content that is visible in the frontend, but also to labels used in the backend user interface. There are not many content management systems on the market that allow users to work in the administrator area in their native language, no matter which language this is — as long as a translation exists.
TYPO3 now uses Crowdin to take translations of backend labels to the next level. The modern SaaS solution is used as the localization/translation management platform for TYPO3 v10 LTS by default and comes as the successor to Pootle, which was used by the TYPO3 community for many years.
In addition to translating the backend, you can also use Crowdin to translate user interface text in custom developed TYPO3 extensions.
Read more about the localization initiative in Georg Ringer’s article “Better Multilingual Support”.
Browser-native lazy-loading for images
Of the resources needed to serve up a modern web page, images pack the biggest punch in terms of file size. To help, lazy-loading for images has been adopted as a standard to improve load-times, reducing the burden on both servers and users. TYPO3 is the first major content management system that offers lazy-loading out-of-the-box.
Lazy-loading defers loading images, starting with a lightweight placeholder image, and only serving up the higher resolution when it’s needed. For example, if a visitor doesn’t scroll all the way down the page, that media won’t even load. This reduces the amount of data transferred and the processing time. This helps both at the server and client side to make for a faster site and better user experience.
The “loading” attribute for image tags was accepted and published last year as a new HTML standard (see the specification for further technical details). The purpose of this attribute is to instruct browsers if they should load images that are outside the viewport. As browser vendors start adding the support for this feature, TYPO3 v10 LTS already allows integrators and developers to configure/use this functionality.
Let’s dive deeper into the technical aspects of the system and point out a few new features in TYPO3 v10 LTS especially for our amazing community of developers.
Onboarding new developers to TYPO3 is easier. By using coding standards, architectural recommendations, and well-known libraries, it is possible for PHP developers to quickly learn the system, even if they don’t have much experience with TYPO3. This is one of the reasons TYPO3 v10 will make delivering projects smoother. Since it’s easier to use and onboarding is faster, agencies and software development companies can build large web projects to a high quality within budget.
TYPO3 is not fully based on the Symfony framework, but uses some carefully selected libraries from this project. These components are modern, stable, and kept up-to-date by an active open-source community under the free MIT license. Here are a few Symfony components that are now available in TYPO3 v10 LTS:
TYPO3 supports dependency injection (“DI”) based on the PSR-11 standard and incorporates Symfony’s industry-proven DI concepts. Previous versions of TYPO3 used a custom DI solution from the Extbase framework. With the switch to Symfony’s DI, we can leverage more features and can offer DI system-wide throughout the entire code base.
Extension developers will likely more often come into contact with the terms containers and services now. Have a look at Symfony’s documentation of the “DependencyInjection” component to learn more about the concept and how to apply it to your extensions.
Read more about Dependency Injection in the TYPO3 documentation.
The hooks and the signal/slot concepts are two of TYPO3’s superpowers. Signals and Slots enable TYPO3 extension developers to build custom solutions that extend the core functionality.
With PSR-14, a new standard has been accepted and published last year. PSR-14 is a unified way to extend a PHP framework and is the de-facto standard nowadays. We implemented an interchangeable EventDispatcher that follows the PSR-14 standard and is compatible with Symfony’s component with the same name. The EventDispatcher in the TYPO3 core aims to replace hooks and signals/slots in the mid term. All Extbase-specific signals have been replaced with “events” in TYPO3 v10 LTS and more hooks will be migrated to PSR-14 in future versions.
Extension developers don’t need to worry: hooks and registered slots remain as they stand now and will continue to work to retain backwards compatibility. However, you should start updating your TYPO3 extensions and make use of the new standard to make your code extensible and future-proof.
Read more about Events, Signals/Slots, and Hooks in the TYPO3 documentation.
Symfony’s Mailer API
TYPO3 used the SwiftMailer library since version 4.5. However, the active development of this library has stagnated and we decided to switch to a modern API. The “Mime” package is used for composing emails and the “Mailer” package for processing and sending them. Both components originate from the Symfony project.
TYPO3 extensions that currently use the official TYPO3 API for generating emails don’t need to be updated. The switch from SwiftMailer to the Symfony Mailer API is fully transparent and happens in the background.
Read more about the Mail API in the TYPO3 documentation.
As an LTS release (long-term support), TYPO3 version 10.4 will receive maintenance and bug fixes for 1.5 years, and security updates for at least three years until April 2023. The TYPO3 GmbH offers extended support for TYPO3 for up to three additional years. For TYPO3 v10, that will mean the ELTS version will be supported to April 2026!
TYPO3 v10 LTS requires a modern technology stack with PHP version 7.2 and a database server such as MySQL (minimum version 5.5), MariaDB, PostgreSQL, or Microsoft SQL Server. TYPO3 also supports the PHP-embedded database engine SQLite.
All commonly used web servers are supported (e.g. Apache, nginx, Microsoft IIS, etc.). At least 256M bytes of memory should be allocated to PHP. The TYPO3 backend supports all modern browsers. The Installation and Upgrade Guide provides further details about the system requirements and recommended settings.
To learn more about the new features, changes and improvements of TYPO3 v10 LTS, have a look at the TYPO3 What’s New Slides and the detailed release notes of the sprint releases v10.0 to v10.4. If you’d like to share the news about TYPO3 v10 LTS with others:
As always, thank you to the many contributors, testers, and reviewers who have made this the best release of TYPO3 yet. Thank you also to the members of the TYPO3 Association for supporting this work, to Heather McNamee for her valuable input in creating this article, and to Benjamin Kott for the screenshots.