Update 3.1.0 upgrading notes for casting changes

docs/en/changelogs/3.1.0.md

@@ -15,6 +15,8 @@
 
 ### Framework
 
+ * Shortcodes are no longer supported in template files. They continue to work in DB fields and other
+   HTMLText-cast fields.
  * `DataList` and `ArrayList` are now immutable, they'll return cloned instances on modification
  * Behaviour testing support through [Behat](http://behat.org), with CMS test coverage 
    (see the [SilverStripe Behat Extension]() for details)
@@ -47,6 +49,38 @@ Please change all run-time manipulation of configuration to use `Config::inst()-
 `$this->config()->update()`.  For more information about how to use the config system, see the 
 ["Configuration" topic](/topic/configuration).
 
+### default_cast is now Text
+
+In order to reduce the chance of accidentally allowing XSS attacks, the value of default_cast
+has been changed in 3.1 from HTMLText to Text. This means that any values used in a template
+that haven't been explicitly cast as safe will be escaped (`<` replaced with `&lt;` etc).
+
+When upgrading, if methods return HTML fragments they need to explicitly cast them
+as such. This can either be done by returning an HTMLText object, like:
+
+	:::php
+	return DBField::create_field('HTMLText', '<div></div>');
+
+or by defining the casting of the accessor method, like:
+
+	:::php
+	class Page extends SiteTree {
+		static $casting = array(
+			'MyDiv' => 'HTMLText'
+		)
+
+		function MyDiv() {
+			return '<div></div>';
+		}
+	}
+
+SSViewer#process (and as a result ViewableData#renderWith) have been changed to already return
+explicitly cast HTMLText instances, so functions that return the result of these methods won't
+have to do any additional casting.
+
+Note that this change means that if code was testing the result via is_string, that is no longer
+reliable.
+
 ### Deny URL access if `Controller::$allowed_actions` is undefined or empty array
 
 In order to make controller access checks more consistent and easier to