Merge remote branch 'origin/master' into translation-staging
commit
1cfe1818ef
@ -26,8 +26,12 @@ script:
|
||||
|
||||
branches:
|
||||
except:
|
||||
- translation-staging
|
||||
- 2.1
|
||||
- 2.2
|
||||
- 2.3
|
||||
- 2.4
|
||||
- post-2.4
|
||||
- translation-staging
|
||||
|
||||
notifications:
|
||||
irc:
|
||||
|
42
docs/en/changelogs/rc/2.4.8-rc1.md
Normal file
@ -0,0 +1,42 @@
|
||||
# 2.4.8-rc1 #
|
||||
|
||||
## Overview ##
|
||||
|
||||
* Security (Moderate Severity): More solid relative/site URL checks (related to "BackURL" redirection).
|
||||
* Security (Moderate Severity): Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed.
|
||||
* Security (Low Severity): Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway
|
||||
|
||||
## Details
|
||||
|
||||
### API Changes
|
||||
|
||||
* 2012-02-01 [bf4476a](https://github.com/silverstripe/sapphire/commit/bf4476a) silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)
|
||||
* 2012-02-01 [4abe136](https://github.com/silverstripe/silverstripe-cms/commit/4abe136) silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)
|
||||
|
||||
### Features and Enhancements
|
||||
|
||||
* 2012-02-03 [921bf9a](https://github.com/silverstripe/sapphire/commit/921bf9a) Ensure that forceSSL and protocol detection respects the X-Forwarded-Protocol header. (Sam Minnee)
|
||||
|
||||
### Bugfixes
|
||||
|
||||
* 2012-09-14 [8ec6312](https://github.com/silverstripe/sapphire/commit/8ec6312) to prevent unintended results from getComponentsQuery(...) (stozze)
|
||||
* 2012-07-09 [838ac97](https://github.com/silverstripe/silverstripe-cms/commit/838ac97) fixing an edge-case bug where a 404-page would get statically published and overwrite the homepage of the site (this would sometimes happen when a RedirectorPage was set to an external URL and still referenced an internal page ID) (Julian Seidenberg)
|
||||
* 2012-05-04 [392543b](https://github.com/silverstripe/sapphire/commit/392543b) Don't' set 'Referer' header in FunctionalTest->get()/post() if its explicitly passed to the method (Ingo Schommer)
|
||||
|
||||
### Minor changes
|
||||
|
||||
* 2012-08-15 [7669871](https://github.com/silverstripe/sapphire/commit/7669871) fixed array to string conversion to avoid PHP 5.4 warnings (Adam Skrzypulec)
|
||||
* 2012-05-29 [039a372](https://github.com/silverstripe/silverstripe-installer/commit/039a372) Fixed phpunit bootstrap relative path (Ingo Schommer)
|
||||
* 2012-05-14 [b211c38](https://github.com/silverstripe/sapphire/commit/b211c38) Manually testing exceptions in SSViewerCacheBlockTest to avoid PHPUnit 3.6 warnings (Ingo Schommer)
|
||||
* 2012-03-30 [c1d2cd1](https://github.com/silverstripe/sapphire/commit/c1d2cd1) Corrected Geoip entries for ex-Yugoslavia ... better late than never (Ingo Schommer)
|
||||
* 2012-03-14 [44b9d05](https://github.com/silverstripe/sapphire/commit/44b9d05) Backported bootstrap.php changes from master and cstom TeamCity configuration (required to run tests through phpunit binary) (Ingo Schommer)
|
||||
* 2011-12-17 [af22d07](https://github.com/silverstripe/sapphire/commit/af22d07) On PHPUnit 3.6, show the output of tests. (Sam Minnee)
|
||||
* 2011-11-08 [5956ad8](https://github.com/silverstripe/sapphire/commit/5956ad8) Amended PHPUnit execution to work with PHPUnit 3.6 (Sam Minnee)
|
||||
|
||||
### Other
|
||||
|
||||
* 2012-10-05 [1c7b7d0](https://github.com/silverstripe/sapphire/commit/1c7b7d0) Fixed grammatical error for Form.FIELDISREQUIRED (Will Morgan)
|
||||
* 2012-08-08 [f6c69d5](https://github.com/silverstripe/sapphire/commit/f6c69d5) Update widget documentation (fixes #706) (Will Rossiter)
|
||||
* 2012-05-16 [b7c8737](https://github.com/silverstripe/silverstripe-installer/commit/b7c8737) SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205) (Ingo Schommer)
|
||||
* 2012-05-04 [46064f8](https://github.com/silverstripe/sapphire/commit/46064f8) SECURITY More solid relative/site URL checks (related to "BackURL" redirection) (Ingo Schommer)
|
||||
* 2012-05-03 [9bf3ae9](https://github.com/silverstripe/sapphire/commit/9bf3ae9) SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed. (Andrew O'Neil)
|
@ -65,14 +65,14 @@ class DB {
|
||||
* Set it to null to revert to the main database.
|
||||
*/
|
||||
public static function set_alternative_database_name($dbname) {
|
||||
$_SESSION["alternativeDatabaseName"] = $dbname;
|
||||
Session::set("alternativeDatabaseName", $dbname);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the name of the database in use
|
||||
*/
|
||||
public static function get_alternative_database_name() {
|
||||
return $_SESSION["alternativeDatabaseName"];
|
||||
return Session::get("alternativeDatabaseName");
|
||||
}
|
||||
|
||||
/**
|
||||
@ -84,8 +84,8 @@ class DB {
|
||||
*/
|
||||
public static function connect($databaseConfig) {
|
||||
// This is used by TestRunner::startsession() to test up a test session using an alt
|
||||
if(isset($_SESSION) && !empty($_SESSION['alternativeDatabaseName'])) {
|
||||
$databaseConfig['database'] = $_SESSION['alternativeDatabaseName'];
|
||||
if($name = Session::get('alternativeDatabaseName')) {
|
||||
$databaseConfig['database'] = $name;
|
||||
}
|
||||
|
||||
if(!isset($databaseConfig['type']) || empty($databaseConfig['type'])) {
|
||||
|
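Review bot: In connect(), the value read back from the session is copied straight into `$databaseConfig['database']` with no validation, so whatever can write the `alternativeDatabaseName` session key chooses which database every query of the request runs against; the old `$_SESSION` code had the same gap, but the switch to `Session::get()` is the moment to close it. Restrict the name to the character set a database identifier is expected to have before using it, e.g. `if(($name = Session::get('alternativeDatabaseName')) && preg_match('/^[A-Za-z0-9_]+$/', $name)) {`, and treat anything else as "no alternative database". The docblock on set_alternative_database_name() says passing null reverts to the main database; after this change that depends on `Session::set()` with null clearing the key rather than storing a null, which is worth confirming or replacing with `Session::clear('alternativeDatabaseName')`. The comment above the check ends mid-sentence (`using an alt`); finish it, e.g. `// ... a test session using an alternative database name`. connect() continues past the hunk.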
@ -17,14 +17,30 @@ class SS_HTMLValue extends ViewableData {
|
||||
* @param string $content
|
||||
*/
|
||||
public function __construct($content = null) {
|
||||
$this->document = new DOMDocument('1.0', 'UTF-8');
|
||||
$this->document->scrictErrorChecking = false;
|
||||
|
||||
$this->setDocument(new DOMDocument('1.0', 'UTF-8'));
|
||||
$this->setScrictErrorChecking(false);
|
||||
$this->setOutputFormatting(false);
|
||||
$this->setContent($content);
|
||||
|
||||
|
||||
parent::__construct();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Should strict error checking be used?
|
||||
* @param boolean $bool
|
||||
*/
|
||||
public function setScrictErrorChecking($bool) {
|
||||
$this->getDocument()->scrictErrorChecking = $bool;
|
||||
}
|
||||
|
||||
/**
|
||||
* Should the output be formatted?
|
||||
* @param boolean $bool
|
||||
*/
|
||||
public function setOutputFormatting($bool) {
|
||||
$this->getDocument()->formatOutput = $bool;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
@ -35,16 +51,15 @@ class SS_HTMLValue extends ViewableData {
|
||||
return trim(
|
||||
preg_replace(
|
||||
array(
|
||||
'/^<!DOCTYPE.+?>/i',
|
||||
'/(.*)<body>/i',
|
||||
'/<\/body>(.*)/i',
|
||||
'/(.*)<body>/is',
|
||||
'/<\/body>(.*)/is',
|
||||
),
|
||||
'',
|
||||
urldecode($this->getDocument()->saveHTML())
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param string $content
|
||||
* @return bool
|
||||
@ -59,14 +74,21 @@ class SS_HTMLValue extends ViewableData {
|
||||
"<body>$content</body></html>"
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @return DOMDocument
|
||||
*/
|
||||
public function getDocument() {
|
||||
return $this->document;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param DOMDocument $document
|
||||
*/
|
||||
public function setDocument($document) {
|
||||
$this->document = $document;
|
||||
}
|
||||
|
||||
/**
|
||||
* A simple convenience wrapper around DOMDocument::getElementsByTagName().
|
||||
*
|
||||
|
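Review bot: setScrictErrorChecking() assigns `scrictErrorChecking` on the DOMDocument, but the libxml property is spelled `strictErrorChecking`, so the assignment creates an unrelated dynamic property and strict error checking keeps its default; the constructor therefore never gets the lenient parsing it asks for, and the typo is now frozen into a public method name. Change the body to `$this->getDocument()->strictErrorChecking = $bool;` and add a correctly spelled `setStrictErrorChecking()`, keeping the old name as a thin alias so existing callers keep working. The new `/(.*)<body>/is` and `/<\/body>(.*)/is` patterns fix the multi-line case, which is fine, but the `urldecode()` wrapped around `saveHTML()` on the same lines deserves a comment explaining why the serialised markup is percent-decoded, since it alters the text that callers and tests compare against. getContent() starts before its hunk.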
@ -6,9 +6,10 @@
|
||||
class SS_HTMLValueTest extends SapphireTest {
|
||||
|
||||
public function testInvalidHTMLSaving() {
|
||||
$value = new SS_HTMLValue();
|
||||
$value = new SS_HTMLValue();
|
||||
$invalid = array (
|
||||
'<p>Enclosed Value</p></p>' => '<p>Enclosed Value</p>',
|
||||
'<meta content="text/html"></meta>' => '<meta content="text/html">',
|
||||
'<p><div class="example"></div></p>' => '<p></p><div class="example"></div>',
|
||||
'<html><html><body><falsetag "attribute=""attribute""">' => '<falsetag></falsetag>',
|
||||
'<body<body<body>/bodu>/body>' => '/bodu>/body>'
|
||||
@ -19,9 +20,22 @@ class SS_HTMLValueTest extends SapphireTest {
|
||||
$this->assertEquals($expected, $value->getContent(), 'Invalid HTML can be saved');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public function testUtf8Saving() {
|
||||
$value = new SS_HTMLValue();
|
||||
$value->setContent('<p>ö ß ā い 家</p>');
|
||||
$this->assertEquals('<p>ö ß ā い 家</p>', $value->getContent());
|
||||
}
|
||||
|
||||
public function testOutputFormatting() {
|
||||
$value = new SS_HTMLValue();
|
||||
$value->setOutputFormatting(true);
|
||||
$value->setContent('<meta content="text/html">');
|
||||
$this->assertEquals('<meta content="text/html">', $value->getContent(), 'Formatted output works');
|
||||
}
|
||||
|
||||
public function testInvalidHTMLTagNames() {
|
||||
$value = new SS_HTMLValue();
|
||||
$value = new SS_HTMLValue();
|
||||
$invalid = array(
|
||||
'<p><div><a href="test-link"></p></div>',
|
||||
'<html><div><a href="test-link"></a></a></html_>',
|
||||
@ -30,7 +44,7 @@ class SS_HTMLValueTest extends SapphireTest {
|
||||
|
||||
foreach($invalid as $input) {
|
||||
$value->setContent($input);
|
||||
$this->assertEquals (
|
||||
$this->assertEquals(
|
||||
'test-link',
|
||||
$value->getElementsByTagName('a')->item(0)->getAttribute('href'),
|
||||
'Link data can be extraced from malformed HTML'
|
||||
@ -47,5 +61,5 @@ class SS_HTMLValueTest extends SapphireTest {
|
||||
'Newlines get converted'
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
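Review bot: testOutputFormatting() cannot tell whether formatting actually happened, because `<meta content="text/html">` is a single void element and serialises identically with formatOutput on or off; the assertion only proves the content survives the round-trip. Either assert that the flag took effect, `$this->assertTrue($value->getDocument()->formatOutput, 'Output formatting is enabled');`, or feed nested markup and assert the exact indented output so a regression in setOutputFormatting() is caught. testUtf8Saving() relies on this source file being stored as UTF-8; a one-line comment above the literal, `// literal must remain UTF-8 encoded for the round-trip to be meaningful`, makes that dependency explicit.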