3.1.3-rc1 changelog

2024-10-22 14:05:37 +02:00 · 2014-02-19 15:23:42 +13:00 · 2014-02-19 15:23:42 +13:00 · 4af711613f
commit 4af711613f
parent 705c75baa5
2 changed files with 16 additions and 22 deletions
--- a/docs/en/changelogs/3.1.3.md
+++ b/docs/en/changelogs/3.1.3.md
@ -1,16 +0,0 @@
-# 3.1.3
-
-## Overview
-
- * Better loading performance when using multiple `UploadField` instances
- * Option for `force_js_to_bottom` on `Requirements` class (ignoring inline `<script>` tags)
- * Added `ListDecorator->filterByCallback()` for more sophisticated filtering
- * New `DataList` filters: `LessThanOrEqualFilter` and `GreaterThanOrEqualFilter`
- * "Cancel" button on "Add Page" form
- * Better code hinting on magic properties (for IDE autocompletion)
- * Increased Behat test coverage (editing HTML content, managing page permissions)
- * Support for PHPUnit 3.8
-
-## Upgrading
-
-## Changelog
--- a/docs/en/changelogs/rc/3.1.3-rc1.md
+++ b/docs/en/changelogs/rc/3.1.3-rc1.md
@ -1,13 +1,23 @@
-# 3.1.3-rc1
+# 3.1.3

 ## Overview

- * ExtraMeta fields can now only contain `meta` and `link` elements
+ * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
+ * Security: SiteTree.ExtraMeta allows JavaScript for malicious CMS authors ([SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/))
+ * Better loading performance when using multiple `UploadField` instances
+ * Option for `force_js_to_bottom` on `Requirements` class (ignoring inline `<script>` tags)
+ * Added `ListDecorator->filterByCallback()` for more sophisticated filtering
+ * New `DataList` filters: `LessThanOrEqualFilter` and `GreaterThanOrEqualFilter`
+ * "Cancel" button on "Add Page" form
+ * Better code hinting on magic properties (for IDE autocompletion)
+ * Increased Behat test coverage (editing HTML content, managing page permissions)
+ * Support for PHPUnit 3.8

 ## Upgrading

-### ExtraMeta fields can now only contain `meta` and `link` elements
+### SiteTree.ExtraMeta allows JavaScript for malicious CMS authors

-Previously ExtraMeta fields could contain any HTML elements. From 3.1.3-rc1 the contents are filtered
-on write to only allow `meta` and `link` elements. The first time after upgrading that you save a page
-that has other elements in ExtraMeta they will be deleted.
+If you have previously used the `SiteTree.ExtraMeta` field for `<head>` markup
+other than its intended use case (`<meta>` and `<link>`), please consult
+[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).