Update 3.1.0 upgrading notes for casting changes

This commit is contained in:
Hamish Friedlander 2013-03-12 13:13:17 +13:00 committed by Sam Minnee
parent 743a186c32
commit a2845735b0

View File

@ -15,6 +15,8 @@
### Framework ### Framework
* Shortcodes are no longer supported in template files. They continue to work in DB fields and other
HTMLText-cast fields.
* `DataList` and `ArrayList` are now immutable, they'll return cloned instances on modification * `DataList` and `ArrayList` are now immutable, they'll return cloned instances on modification
* Behaviour testing support through [Behat](http://behat.org), with CMS test coverage * Behaviour testing support through [Behat](http://behat.org), with CMS test coverage
(see the [SilverStripe Behat Extension]() for details) (see the [SilverStripe Behat Extension]() for details)
@ -47,6 +49,38 @@ Please change all run-time manipulation of configuration to use `Config::inst()-
`$this->config()->update()`. For more information about how to use the config system, see the `$this->config()->update()`. For more information about how to use the config system, see the
["Configuration" topic](/topic/configuration). ["Configuration" topic](/topic/configuration).
### default_cast is now Text
In order to reduce the chance of accidentally allowing XSS attacks, the value of default_cast
has been changed in 3.1 from HTMLText to Text. This means that any values used in a template
that haven't been explicitly cast as safe will be escaped (`<` replaced with `&lt;` etc).
When upgrading, if methods return HTML fragments they need to explicitly cast them
as such. This can either be done by returning an HTMLText object, like:
:::php
return DBField::create_field('HTMLText', '<div></div>');
or by defining the casting of the accessor method, like:
:::php
class Page extends SiteTree {
static $casting = array(
'MyDiv' => 'HTMLText'
)
function MyDiv() {
return '<div></div>';
}
}
SSViewer#process (and as a result ViewableData#renderWith) have been changed to already return
explicitly cast HTMLText instances, so functions that return the result of these methods won't
have to do any additional casting.
Note that this change means that if code was testing the result via is_string, that is no longer
reliable.
### Deny URL access if `Controller::$allowed_actions` is undefined or empty array ### Deny URL access if `Controller::$allowed_actions` is undefined or empty array
In order to make controller access checks more consistent and easier to In order to make controller access checks more consistent and easier to