silverstripe-framework/docs/en/04_Changelogs/2.4.7.md

# 2.4.7 (2012-02-01)

## Overview

 * Security: Cross-site scripting (XSS) on text transformations in templates
 * Security: Cross-site scripting (XSS) related to page titles in the CMS
 
## Upgrading Notes ##

### Security: Cross-site scripting (XSS) on text transformations in templates

The default casting for `Text` and `Varchar` database field classes usually auto-escapes
field values when they are inserted into a template. For some text transformations
on those fields, this wasn't correctly applied. The following methods are affected:

 * `AbsoluteLinks()`,
 * `BigSummary()`,
 * `ContextSummary()`,
 * `EscapeXML()`,
 * `FirstParagraph()`,
 * `FirstSentence()`,
 * `Initial()`,
 * `LimitCharacters()`,
 * `LimitSentences()`,
 * `LimitWordCount()`,
 * `LimitWordCountXML()`,
 * `Lower()`
 * `LowerCase()`
 * `NoHTML()`,
 * `Summary()`,
 * `Upper()`
 * `UpperCase()`
 * `URL()`

 If you have used any of these transformations with untrusted values
 (e.g. from a user-submitted form), please consider updating.
 More info about SilverStripe's casting logic is available in the "[security](/developer_guides/security)" documentation.

### Security: Cross-site scripting (XSS) related to page titles in the CMS

The page title data wasn't escaped correctly in the `SilverStripeNavigator`
as well as the updated page title in the CMS tree after saving.

## Changelog ##

### Bugfixes

 * 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)

### Other

 * 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
 * 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published &lt;page title&gt;' messages (Ingo Schommer)
 * 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %&gt;, not &gt;%) (simonwelsh)
 * 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)
MINOR Updated changelog 2012-01-31 17:04:59 +01:00			`# 2.4.7 (2012-02-01)`

			`## Overview`

			`* Security: Cross-site scripting (XSS) on text transformations in templates`
			`* Security: Cross-site scripting (XSS) related to page titles in the CMS`

			`## Upgrading Notes ##`

			`### Security: Cross-site scripting (XSS) on text transformations in templates`

			The default casting for `Text` and `Varchar` database field classes usually auto-escapes
			`field values when they are inserted into a template. For some text transformations`
			`on those fields, this wasn't correctly applied. The following methods are affected:`

			* `AbsoluteLinks()`,
			* `BigSummary()`,
			* `ContextSummary()`,
			* `EscapeXML()`,
			* `FirstParagraph()`,
			* `FirstSentence()`,
			* `Initial()`,
			* `LimitCharacters()`,
			* `LimitSentences()`,
			* `LimitWordCount()`,
			* `LimitWordCountXML()`,
			* `Lower()`
			* `LowerCase()`
			* `NoHTML()`,
			* `Summary()`,
			* `Upper()`
			* `UpperCase()`
			* `URL()`

			`If you have used any of these transformations with untrusted values`
			`(e.g. from a user-submitted form), please consider updating.`
DOCS 3.1 - fixes broken internal links 2016-01-14 11:59:53 +01:00			`More info about SilverStripe's casting logic is available in the "[security](/developer_guides/security)" documentation.`
MINOR Updated changelog 2012-01-31 17:04:59 +01:00
			`### Security: Cross-site scripting (XSS) related to page titles in the CMS`

			The page title data wasn't escaped correctly in the `SilverStripeNavigator`
			`as well as the updated page title in the CMS tree after saving.`

			`## Changelog ##`

			`### Bugfixes`

			`* 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)`

			`### Other`

			`* 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)`
			`* 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)`
			`* 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %>, not >%) (simonwelsh)`
DOCS 3.1 - fixes broken internal links 2016-01-14 11:59:53 +01:00			`* 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)`