tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/3.0' into 3.1

Browse Source 
Conflicts:
	docs/en/changelogs/3.0.6.md
	forms/Form.php
	forms/FormField.php
	forms/TreeDropdownField.php
This commit is contained in:
Ingo Schommer 2013-09-27 18:50:47 +02:00
commit 2e3511bc5f
8 changed files with 57 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/en/changelogs/3.0.6.md
View File

@ -1,4 +1,4 @@
# 3.0.6 (Not yet released) # 3.0.6
## Overview ## Overview
@ -23,6 +23,10 @@ See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-
See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/) See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)
### Security: Information disclosure in Versioned.php (SS-2013-006)
See [announcement](http://www.silverstripe.org/ss-2013-006-information-disclosure-in-versioned/)
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003) ### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/) See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)
@ -46,4 +50,4 @@ See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-
Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
files or uses of those entities in custom code. files or uses of those entities in custom code.
* If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile` * If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
to ensure correct operation (it has changed its locale identifier) to ensure correct operation (it has changed its locale identifier)

17
docs/en/changelogs/3.0.7.md Normal file
View File

@ -0,0 +1,17 @@
# 3.0.7
## Overview
### Security: XSS in form validation errors (SS-2013-008)
See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
### Security: XSS in CMS "Pages" section (SS-2013-009)
See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
### API: Form validation message no longer allow HTML
Due to cross-site scripting concerns when user data is used for form messages,
it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
in the `FormField->validate()` API.

17
docs/en/changelogs/rc/3.0.7-rc1.md Normal file
View File

@ -0,0 +1,17 @@
# 3.0.7-rc1
## Overview
### Security: XSS in form validation errors (SS-2013-008)
See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
### Security: XSS in CMS "Pages" section (SS-2013-009)
See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
### API: Form validation message no longer allow HTML
Due to cross-site scripting concerns when user data is used for form messages,
it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
in the `FormField->validate()` API.

2
docs/en/topics/versioning.md
View File

@ -81,7 +81,7 @@ but also include information about when and how a record was published.
:::php :::php
$record = MyRecord::get()->byID(99); // stage doesn't matter here $record = MyRecord::get()->byID(99); // stage doesn't matter here
$versions = $record->allVersions(); $versions = $record->allVersions();
echo $versions->First()->Version; // instance of Versioned_Versoin echo $versions->First()->Version; // instance of Versioned_Version
### Writing Versions and Changing Stages ### Writing Versions and Changing Stages

3
forms/CreditCardField.php
View File

@ -35,6 +35,9 @@ class CreditCardField extends TextField {
* @return string * @return string
*/ */
protected function getTabIndexHTML($increment = 0) { protected function getTabIndexHTML($increment = 0) {
// we can't add a tabindex if there hasn't been one set yet.
if($this->getAttribute('tabindex') === null) return false;
$tabIndex = (int)$this->getAttribute('tabindex') + (int)$increment; $tabIndex = (int)$this->getAttribute('tabindex') + (int)$increment;
return (is_numeric($tabIndex)) ? ' tabindex = "' . $tabIndex . '"' : ''; return (is_numeric($tabIndex)) ? ' tabindex = "' . $tabIndex . '"' : '';
} }

2
forms/Form.php
View File

@ -1481,7 +1481,7 @@ class Form extends RequestHandler {
public function addExtraClass($class) { public function addExtraClass($class) {
//split at white space //split at white space
$classes = preg_split('/\s+/', $class); $classes = preg_split('/\s+/', $class);
foreach ($classes as $class) { foreach($classes as $class) {
//add classes one by one //add classes one by one
$this->extraClasses[$class] = $class; $this->extraClasses[$class] = $class;
} }

16
forms/FormField.php
View File

@ -180,7 +180,7 @@ class FormField extends RequestHandler {
return $this->name; return $this->name;
} }
/** /**
* Returns the field message, used by form validation. * Returns the field message, used by form validation.
* Use {@link setError()} to set this property. * Use {@link setError()} to set this property.
* *
@ -306,7 +306,7 @@ class FormField extends RequestHandler {
$classes = preg_split('/\s+/', $class); $classes = preg_split('/\s+/', $class);
foreach ($classes as $class) { foreach ($classes as $class) {
//add each class one by one //add each class one by one
$this->extraClasses[$class] = $class; $this->extraClasses[$class] = $class;
} }
return $this; return $this;
} }
@ -371,7 +371,7 @@ class FormField extends RequestHandler {
'id' => $this->ID(), 'id' => $this->ID(),
'disabled' => $this->isDisabled(), 'disabled' => $this->isDisabled(),
); );
if ($this->Required()) { if ($this->Required()) {
$attrs['required'] = 'required'; $attrs['required'] = 'required';
$attrs['aria-required'] = 'true'; $attrs['aria-required'] = 'true';
@ -751,8 +751,8 @@ class FormField extends RequestHandler {
$clone->setDisabled(true); $clone->setDisabled(true);
} }
return $clone; return $clone;
} }
public function transform(FormTransformation $trans) { public function transform(FormTransformation $trans) {
return $trans->transform($this); return $trans->transform($this);
@ -782,7 +782,7 @@ class FormField extends RequestHandler {
public function createTag($tag, $attributes, $content = null) { public function createTag($tag, $attributes, $content = null) {
Deprecation::notice('3.2', 'Use FormField::create_tag()'); Deprecation::notice('3.2', 'Use FormField::create_tag()');
return self::create_tag($tag, $attributes, $content); return self::create_tag($tag, $attributes, $content);
} }
/** /**
* Abstract method each {@link FormField} subclass must implement, * Abstract method each {@link FormField} subclass must implement,
@ -853,7 +853,7 @@ class FormField extends RequestHandler {
if(is_object($this->containerFieldList)) return $this->containerFieldList->rootFieldList(); if(is_object($this->containerFieldList)) return $this->containerFieldList->rootFieldList();
else user_error("rootFieldList() called on $this->class object without a containerFieldList", E_USER_ERROR); else user_error("rootFieldList() called on $this->class object without a containerFieldList", E_USER_ERROR);
} }
/** /**
* Returns another instance of this field, but "cast" to a different class. * Returns another instance of this field, but "cast" to a different class.
* The logic tries to retain all of the instance properties, * The logic tries to retain all of the instance properties,
@ -886,7 +886,7 @@ class FormField extends RequestHandler {
// of the field, e.g. its "type" attribute. // of the field, e.g. its "type" attribute.
foreach($this->attributes as $k => $v) { foreach($this->attributes as $k => $v) {
$field->setAttribute($k, $v); $field->setAttribute($k, $v);
} }
$field->dontEscape = $this->dontEscape; $field->dontEscape = $this->dontEscape;
return $field; return $field;

8
forms/TreeDropdownField.php
View File

@ -93,7 +93,7 @@ class TreeDropdownField extends FormField {
$this->keyField = $keyField; $this->keyField = $keyField;
$this->labelField = $labelField; $this->labelField = $labelField;
$this->showSearch = $showSearch; $this->showSearch = $showSearch;
parent::__construct($name, $title); parent::__construct($name, $title);
} }
@ -184,8 +184,8 @@ class TreeDropdownField extends FormField {
if($this->showSearch){ if($this->showSearch){
$title = _t('DropdownField.CHOOSESEARCH', '(Choose or Search)', 'start value of a dropdown'); $title = _t('DropdownField.CHOOSESEARCH', '(Choose or Search)', 'start value of a dropdown');
}else{ }else{
$title = _t('DropdownField.CHOOSE', '(Choose)', 'start value of a dropdown'); $title = _t('DropdownField.CHOOSE', '(Choose)', 'start value of a dropdown');
} }
} }
// TODO Implement for TreeMultiSelectField // TODO Implement for TreeMultiSelectField
@ -418,7 +418,7 @@ class TreeDropdownField extends FormField {
$wheres[] = "\"Name\" LIKE '%$this->search%'"; $wheres[] = "\"Name\" LIKE '%$this->search%'";
} }
} }
if(!$wheres) { if(!$wheres) {
throw new InvalidArgumentException(sprintf( throw new InvalidArgumentException(sprintf(
'Cannot query by %s.%s, not a valid database column', 'Cannot query by %s.%s, not a valid database column',