Administrator / test_1

Blame view

framework/docs/en/04_Changelogs/2.4.7.md 2.22 KB
Edit Raw Normal View History
0084d336   Administrator   Importers CRUD 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
  # 2.4.7 (2012-02-01)
  
  ## Overview
  
   * Security: Cross-site scripting (XSS) on text transformations in templates
   * Security: Cross-site scripting (XSS) related to page titles in the CMS
   
  ## Upgrading Notes ##
  
  ### Security: Cross-site scripting (XSS) on text transformations in templates
  
  The default casting for `Text` and `Varchar` database field classes usually auto-escapes
  field values when they are inserted into a template. For some text transformations
  on those fields, this wasn't correctly applied. The following methods are affected:
  
   * `AbsoluteLinks()`,
   * `BigSummary()`,
   * `ContextSummary()`,
   * `EscapeXML()`,
   * `FirstParagraph()`,
   * `FirstSentence()`,
   * `Initial()`,
   * `LimitCharacters()`,
   * `LimitSentences()`,
   * `LimitWordCount()`,
   * `LimitWordCountXML()`,
   * `Lower()`
   * `LowerCase()`
   * `NoHTML()`,
   * `Summary()`,
   * `Upper()`
   * `UpperCase()`
   * `URL()`
  
   If you have used any of these transformations with untrusted values
   (e.g. from a user-submitted form), please consider updating.
   More info about SilverStripe's casting logic is available in the "[security](../topics/security)" documentation.
  
  ### Security: Cross-site scripting (XSS) related to page titles in the CMS
  
  The page title data wasn't escaped correctly in the `SilverStripeNavigator`
  as well as the updated page title in the CMS tree after saving.
  
  ## Changelog ##
  
  ### Bugfixes
  
   * 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)
  
  ### Other
  
   * 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
   * 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
   * 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %>, not >%) (simonwelsh)
   * 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)