diff --git a/docs/en/changelogs/3.0.6.md b/docs/en/changelogs/3.0.6.md index daecd9acd..90d370f6a 100644 --- a/docs/en/changelogs/3.0.6.md +++ b/docs/en/changelogs/3.0.6.md @@ -1,4 +1,4 @@ -# 3.0.6 (Not yet released) +# 3.0.6 ## Overview @@ -23,6 +23,10 @@ See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation- See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/) +### Security: Information disclosure in Versioned.php (SS-2013-006) + +See [announcement](http://www.silverstripe.org/ss-2013-006-information-disclosure-in-versioned/) + ### Security: Privilege escalation through Group hierarchy setting (SS-2013-003) See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/) @@ -46,4 +50,4 @@ See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation- Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language files or uses of those entities in custom code. * If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile` - to ensure correct operation (it has changed its locale identifier) \ No newline at end of file + to ensure correct operation (it has changed its locale identifier) diff --git a/docs/en/changelogs/3.0.7.md b/docs/en/changelogs/3.0.7.md new file mode 100644 index 000000000..700a1b42e --- /dev/null +++ b/docs/en/changelogs/3.0.7.md 
@@ -0,0 +1,17 @@
+# 3.0.7
+
+## Overview
+
+### Security: XSS in form validation errors (SS-2013-008)
+
+See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
+
+### Security: XSS in CMS "Pages" section (SS-2013-009)
+
+See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+
+### API: Form validation message no longer allow HTML
+
+Due to cross-site scripting concerns when user data is used for form messages,
+it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
+in the `FormField->validate()` API.
\ No newline at end of file
diff --git a/docs/en/changelogs/rc/3.0.7-rc1.md b/docs/en/changelogs/rc/3.0.7-rc1.md
new file mode 100644
index 000000000..a426af041
--- /dev/null
+++ b/docs/en/changelogs/rc/3.0.7-rc1.md
@@ -0,0 +1,17 @@
+# 3.0.7-rc1
+
+## Overview
+
+### Security: XSS in form validation errors (SS-2013-008)
+
+See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
+
+### Security: XSS in CMS "Pages" section (SS-2013-009)
+
+See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+
+### API: Form validation message no longer allow HTML
+
+Due to cross-site scripting concerns when user data is used for form messages,
+it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
+in the `FormField->validate()` API.
\ No newline at end of file
diff --git a/docs/en/topics/versioning.md b/docs/en/topics/versioning.md
index 351e60c9e..e5c9f7cc5 100644
--- a/docs/en/topics/versioning.md
+++ b/docs/en/topics/versioning.md
@@ -81,7 +81,7 @@ but also include information about when and how a record was published. :::php $record = MyRecord::get()->byID(99); // stage doesn't matter here $versions = $record->allVersions(); - echo $versions->First()->Version; // instance of Versioned_Versoin + echo $versions->First()->Version; // instance of Versioned_Version ### Writing Versions and Changing Stages diff --git a/forms/CreditCardField.php b/forms/CreditCardField.php index 7e157cc2e..cdeb61c2c 100644 --- a/forms/CreditCardField.php +++ b/forms/CreditCardField.php @@ -35,6 +35,9 @@ class CreditCardField extends TextField { * @return string */ protected function getTabIndexHTML($increment = 0) { + // we can't add a tabindex if there hasn't been one set yet. + if($this->getAttribute('tabindex') === null) return false; + $tabIndex = (int)$this->getAttribute('tabindex') + (int)$increment; return (is_numeric($tabIndex)) ? ' tabindex = "' . $tabIndex . '"' : ''; } diff --git a/forms/Form.php b/forms/Form.php index 72fc7d869..2047a1160 100644 --- a/forms/Form.php +++ b/forms/Form.php @@ -1481,7 +1481,7 @@ class Form extends RequestHandler { public function addExtraClass($class) { //split at white space $classes = preg_split('/\s+/', $class); - foreach ($classes as $class) { + foreach($classes as $class) { //add classes one by one $this->extraClasses[$class] = $class; } diff --git a/forms/FormField.php b/forms/FormField.php index c2c0ca35f..c029fa037 100644 --- a/forms/FormField.php +++ b/forms/FormField.php @@ -180,7 +180,7 @@ class FormField extends RequestHandler { return $this->name; } - /** + /** * Returns the field message, used by form validation. * Use {@link setError()} to set this property. * @@ -306,7 +306,7 @@ class FormField extends RequestHandler { $classes = preg_split('/\s+/', $class); foreach ($classes as $class) { //add each class one by one - $this->extraClasses[$class] = $class; + $this->extraClasses[$class] = $class; } return $this; } 
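Review bot: The early return added at the top of getTabIndexHTML in CreditCardField.php hands back `false` while the `@return string` docblock line just above it and the method's existing fallback branch (`: ''`) both promise a string; concatenating the result into markup yields the same output either way, but any caller that compares the return against a string or passes it to a typed parameter would see the mismatch. Returning the empty string keeps the contract consistent: `if($this->getAttribute('tabindex') === null) return '';`. The guard also reads the attribute a second time on the next line; reading it once would avoid the duplicate call, e.g. `$tabIndex = $this->getAttribute('tabindex'); if($tabIndex === null) return '';` followed by the existing arithmetic on `$tabIndex`. The callers of this method are outside the hunk, so whether any of them rely on a strict `false` check cannot be confirmed here.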
@@ -371,7 +371,7 @@ class FormField extends RequestHandler { 'id' => $this->ID(), 'disabled' => $this->isDisabled(), ); - + if ($this->Required()) { $attrs['required'] = 'required'; $attrs['aria-required'] = 'true'; @@ -751,8 +751,8 @@ class FormField extends RequestHandler { $clone->setDisabled(true); } - return $clone; - } + return $clone; + } public function transform(FormTransformation $trans) { return $trans->transform($this); @@ -782,7 +782,7 @@ class FormField extends RequestHandler { public function createTag($tag, $attributes, $content = null) { Deprecation::notice('3.2', 'Use FormField::create_tag()'); return self::create_tag($tag, $attributes, $content); - } + } /** * Abstract method each {@link FormField} subclass must implement, @@ -853,7 +853,7 @@ class FormField extends RequestHandler { if(is_object($this->containerFieldList)) return $this->containerFieldList->rootFieldList(); else user_error("rootFieldList() called on $this->class object without a containerFieldList", E_USER_ERROR); } - + /** * Returns another instance of this field, but "cast" to a different class. * The logic tries to retain all of the instance properties, @@ -886,7 +886,7 @@ class FormField extends RequestHandler { // of the field, e.g. its "type" attribute. foreach($this->attributes as $k => $v) { $field->setAttribute($k, $v); - } +} $field->dontEscape = $this->dontEscape; return $field; diff --git a/forms/TreeDropdownField.php b/forms/TreeDropdownField.php index 28562a594..d9a57c954 100644 --- a/forms/TreeDropdownField.php +++ b/forms/TreeDropdownField.php @@ -93,7 +93,7 @@ class TreeDropdownField extends FormField { $this->keyField = $keyField; $this->labelField = $labelField; $this->showSearch = $showSearch; - + parent::__construct($name, $title); } 
@@ -184,8 +184,8 @@ class TreeDropdownField extends FormField { if($this->showSearch){ $title = _t('DropdownField.CHOOSESEARCH', '(Choose or Search)', 'start value of a dropdown'); }else{ - $title = _t('DropdownField.CHOOSE', '(Choose)', 'start value of a dropdown'); - } + $title = _t('DropdownField.CHOOSE', '(Choose)', 'start value of a dropdown'); + } } // TODO Implement for TreeMultiSelectField @@ -418,7 +418,7 @@ class TreeDropdownField extends FormField { $wheres[] = "\"Name\" LIKE '%$this->search%'"; } } - + if(!$wheres) { throw new InvalidArgumentException(sprintf( 'Cannot query by %s.%s, not a valid database column',