mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
MINOR Added documentation about the new File.ShowInSearch property
This commit is contained in:
parent
880a9acec4
commit
719bb18db8
@ -10,6 +10,29 @@
|
|||||||
|
|
||||||
## Upgrading Notes ##
|
## Upgrading Notes ##
|
||||||
|
|
||||||
|
### Security: User-uploaded files searchable when using FulltextSearchable ###
|
||||||
|
|
||||||
|
The FulltextSearchable default configuration includes all file names in the `assets/` folder.
|
||||||
|
While this is desired in most cases, it can lead to unexpected public visibility of data,
|
||||||
|
e.g. when uploaded through users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable.
|
||||||
|
|
||||||
|
Option 1: Disable file search completely (through `mysite/_config.php`):
|
||||||
|
|
||||||
|
FulltextSearchable::enable(array('SiteTree'));
|
||||||
|
|
||||||
|
Option 2: Exclude file search from individual files by setting the `File.ShowInSearch` database property to `0`.
|
||||||
|
This property has been added in the 2.4.6 release. You can apply this retroactively to all files with this SQL statement:
|
||||||
|
|
||||||
|
UPDATE `File` SET `ShowInSearch` = 0;
|
||||||
|
|
||||||
|
Please note that all these files are still exposed through the webserver if the path is known,
|
||||||
|
regardless of the `ShowInSearch` setting. To fully secure uploaded files,
|
||||||
|
you can apply protection on a webserver level (e.g. `.htaccess`/`web.config` configuration).
|
||||||
|
Alternatively, you can proxy these files through your own permission control system
|
||||||
|
rather than exposing them directly through the webserver (e.g. with the ["securefiles" module](http://www.silverstripe.org/secure-files/)).
|
||||||
|
|
||||||
|
One common way to allow user-uploaded files is the ["userforms" module](http://www.silverstripe.org/user-forms-module/). This module has been altered to mark all uploaded files with `ShowInSearch`=0 by default.
|
||||||
|
|
||||||
### Security: Cross-site scripting (XSS) on anchor links
|
### Security: Cross-site scripting (XSS) on anchor links
|
||||||
|
|
||||||
Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe
|
Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe
|
||||||
|
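Review bot: the `UPDATE \`File\` SET \`ShowInSearch\` = 0;` statement in the new "Option 2" paragraph assumes the `ShowInSearch` column already exists, and it flips the flag on every row rather than only on user-uploaded files; the note should tell readers to rebuild the database first (the `dev/build` step described further down this document) and should suggest restricting the UPDATE with a `WHERE` clause to the folder that holds uploads, so that files which are meant to stay searchable are not silently hidden. As a style point, the two samples (`FulltextSearchable::enable(array('SiteTree'));` and the UPDATE) sit as bare prose lines; the rest of this document puts code in `:::php` blocks, so they should get the same treatment (with a matching `:::sql` block for the statement).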
@ -16,17 +16,13 @@ results page.
|
|||||||
|
|
||||||
## Creating the search form
|
## Creating the search form
|
||||||
|
|
||||||
The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe
|
To enable the search engine you need to include the following code in your `mysite/_config.php` file.
|
||||||
version.
|
This will enable fulltext search on page content as well as names of all files in the `/assets` folder.
|
||||||
|
|
||||||
SilverStripe does not come bundled with the search engine enabled. To enable the search engine you need to include
|
|
||||||
the following code in your mysite/_config.php file
|
|
||||||
|
|
||||||
:::php
|
:::php
|
||||||
FulltextSearchable::enable();
|
FulltextSearchable::enable();
|
||||||
|
|
||||||
After including that in your _config.php you will need to rebuild the database by visiting http://yoursite.com/dev/build
|
After including that in your `_config.php` you will need to rebuild the database by visiting `http://yoursite.com/dev/build` in your web browser. This will add the fulltext search columns.
|
||||||
in your web browser. This will add the fulltext search columns.
|
|
||||||
|
|
||||||
The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your
|
The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your
|
||||||
`_config.php` you can add your form as `$SearchForm`.
|
`_config.php` you can add your form as `$SearchForm`.
|
||||||
|
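Review bot: the rewritten intro now states that `FulltextSearchable::enable();` "will enable fulltext search on page content as well as names of all files in the `/assets` folder", but it stops there and does not point the reader at the two mitigations this same commit documents in the upgrading notes (`FulltextSearchable::enable(array('SiteTree'))` and the `File.ShowInSearch` property); a one-line cross-reference here would stop readers of the tutorial from enabling file-name search without knowing how to scope it. Minor: the removed sentence "The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe version." is dropped without replacement, so the version caveat is gone; confirm that is intended.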
@ -6,6 +6,9 @@
|
|||||||
* (if the 'cms' module is available as well).
|
* (if the 'cms' module is available as well).
|
||||||
* (this means you can use $SearchForm in your template without changing your own implementation).
|
* (this means you can use $SearchForm in your template without changing your own implementation).
|
||||||
*
|
*
|
||||||
|
* CAUTION: Will make all files in your /assets folder searchable by file name
|
||||||
|
* unless "File" is excluded from FulltextSearchable::enable().
|
||||||
|
*
|
||||||
* @see http://doc.silverstripe.org/tutorial:4-site-search
|
* @see http://doc.silverstripe.org/tutorial:4-site-search
|
||||||
*
|
*
|
||||||
* @package sapphire
|
* @package sapphire
|
||||||
|
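Review bot: the new `CAUTION` block says file-name search applies "unless "File" is excluded from FulltextSearchable::enable()", but the docblock never shows how to exclude it; quoting the call form used in the upgrading notes, `FulltextSearchable::enable(array('SiteTree'))`, and mentioning the per-record `File.ShowInSearch` property next to it would make the warning actionable from the code alone rather than relying on the `@see` link.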