From a1c3cf1cf4fd0cf8b2855bf53b668a4ffcf83833 Mon Sep 17 00:00:00 2001
From: Sam Minnee <sam@silverstripe.com>
Date: Fri, 14 Feb 2014 15:37:16 +1300
Subject: [PATCH 01/39] Removed use of assertCount() from this test as it
 causes infinite loops on Travis.

---
 tests/model/SQLQueryTest.php | 49 +++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/tests/model/SQLQueryTest.php b/tests/model/SQLQueryTest.php
index 7572f8f86..bcf1e341a 100755
--- a/tests/model/SQLQueryTest.php
+++ b/tests/model/SQLQueryTest.php
@@ -293,7 +293,6 @@ class SQLQueryTest extends SapphireTest {
 		);
 	}
 	
-
 	public function testSetWhereAny() {
 		$query = new SQLQuery();
 		$query->setFrom('MyTable');
@@ -303,17 +302,18 @@ class SQLQueryTest extends SapphireTest {
 	}
 	
 	public function testSelectFirst() {
-		
 		// Test first from sequence
 		$query = new SQLQuery();
 		$query->setFrom('"SQLQueryTest_DO"');
 		$query->setOrderBy('"Name"');
 		$result = $query->firstRow()->execute();
 		
-		$this->assertCount(1, $result);
+		$count = 0;
 		foreach($result as $row) {
 			$this->assertEquals('Object 1', $row['Name']);
+			$count++;
 		}
+		$this->assertEquals(1, $count);
 		
 		// Test first from empty sequence
 		$query = new SQLQuery();
@@ -321,51 +321,66 @@ class SQLQueryTest extends SapphireTest {
 		$query->setOrderBy('"Name"');
 		$query->setWhere(array("\"Name\" = 'Nonexistent Object'"));
 		$result = $query->firstRow()->execute();
-		$this->assertCount(0, $result);
-		
+
+		$count = 0;
+		foreach($query->lastRow()->execute() as $row) {
+			$count++;
+		}
+		$this->assertEquals(0, $count);
+
 		// Test that given the last item, the 'first' in this list matches the last
 		$query = new SQLQuery();
 		$query->setFrom('"SQLQueryTest_DO"');
 		$query->setOrderBy('"Name"');
 		$query->setLimit(1, 1);
 		$result = $query->firstRow()->execute();
-		$this->assertCount(1, $result);
+
+		$count = 0;
 		foreach($result as $row) {
 			$this->assertEquals('Object 2', $row['Name']);
+			$count++;
 		}
+		$this->assertEquals(1, $count);
 	}
 	
 	public function testSelectLast() {
-		
 		// Test last in sequence
 		$query = new SQLQuery();
 		$query->setFrom('"SQLQueryTest_DO"');
 		$query->setOrderBy('"Name"');
-		$result = $query->lastRow()->execute();
-		
-		$this->assertCount(1, $result);
-		foreach($result as $row) {
+
+		$count = 0;
+		foreach($query->lastRow()->execute() as $row) {
 			$this->assertEquals('Object 2', $row['Name']);
+			$count++;
 		}
-		
+		$this->assertEquals(1, $count);
+
 		// Test last from empty sequence
 		$query = new SQLQuery();
 		$query->setFrom('"SQLQueryTest_DO"');
 		$query->setOrderBy('"Name"');
 		$query->setWhere(array("\"Name\" = 'Nonexistent Object'"));
-		$result = $query->lastRow()->execute();
-		$this->assertCount(0, $result);
+
+		$count = 0;
+		foreach($query->lastRow()->execute() as $row) {
+			$count++;
+		}
+		$this->assertEquals(0, $count);
+
 		
 		// Test that given the first item, the 'last' in this list matches the first
 		$query = new SQLQuery();
 		$query->setFrom('"SQLQueryTest_DO"');
 		$query->setOrderBy('"Name"');
 		$query->setLimit(1);
-		$result = $query->lastRow()->execute();
-		$this->assertCount(1, $result);
-		foreach($result as $row) {
+
+		$count = 0;
+		foreach($query->lastRow()->execute() as $row) {
 			$this->assertEquals('Object 1', $row['Name']);
+			$count++;
 		}
+		$this->assertEquals(1, $count);
 	}
 
 	/**

From d91c7d14b84d8b3caed948b0bbab94d254ea2b96 Mon Sep 17 00:00:00 2001
From: Loz Calver <lozcalver@bigfork.co.uk>
Date: Sun, 16 Feb 2014 19:36:51 +0000
Subject: [PATCH 02/39] FIX: Rewrite Member getCMSFields to ensure
 updateCMSFields is only run once (fixes #2827)

Fix usage of  inside closure

Can't use self:: in closure either

Basic unit tests to check extensions are applied correctly
---
 security/Member.php           | 221 +++++++++++++++++-----------------
 tests/security/MemberTest.php |  28 +++++
 2 files changed, 138 insertions(+), 111 deletions(-)

diff --git a/security/Member.php b/security/Member.php
index 0f5b0f0d5..6fe8278e8 100644
--- a/security/Member.php
+++ b/security/Member.php
@@ -1202,125 +1202,124 @@ class Member extends DataObject implements TemplateGlobalProvider {
 	 *                   editing this member.
 	 */
 	public function getCMSFields() {
-		require_once('Zend/Date.php');
-		
-		$fields = parent::getCMSFields();
+		require_once 'Zend/Date.php';
 
-		$mainFields = $fields->fieldByName("Root")->fieldByName("Main")->Children;
+		$self = $this;
+		$this->beforeUpdateCMSFields(function($fields) use ($self) {
+			$mainFields = $fields->fieldByName("Root")->fieldByName("Main")->Children;
 
-		$password = new ConfirmedPasswordField(
-			'Password', 
-			null, 
-			null, 
-			null, 
-			true // showOnClick
-		);
-		$password->setCanBeEmpty(true);
-		if(!$this->ID) $password->showOnClick = false;
-		$mainFields->replaceField('Password', $password);
-
-		$mainFields->replaceField('Locale', new DropdownField(
-			"Locale", 
-			_t('Member.INTERFACELANG', "Interface Language", 'Language of the CMS'), 
-			i18n::get_existing_translations()
-		));
-
-		$mainFields->removeByName('RememberLoginToken');
-		$mainFields->removeByName('AutoLoginHash');
-		$mainFields->removeByName('AutoLoginExpired');
-		$mainFields->removeByName('PasswordEncryption');
-		$mainFields->removeByName('PasswordExpiry');
-		$mainFields->removeByName('LockedOutUntil');
-		
-		if(!self::config()->lock_out_after_incorrect_logins) {
-			$mainFields->removeByName('FailedLoginCount');
-		}
-		
-		$mainFields->removeByName('Salt');
-		$mainFields->removeByName('NumVisit');
-
-		$mainFields->makeFieldReadonly('LastVisited');
-
-		$fields->removeByName('Subscriptions');
-
-		// Groups relation will get us into logical conflicts because
-		// Members are displayed within  group edit form in SecurityAdmin
-		$fields->removeByName('Groups');
-
-		if(Permission::check('EDIT_PERMISSIONS')) {
-			$groupsMap = array();
-			foreach(Group::get() as $group) {
-				// Listboxfield values are escaped, use ASCII char instead of &raquo;
-				$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
-			}
-			asort($groupsMap);
-			$fields->addFieldToTab('Root.Main',
-				ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
-					->setMultiple(true)
-					->setSource($groupsMap)
-					->setAttribute(
-						'data-placeholder', 
-						_t('Member.ADDGROUP', 'Add group', 'Placeholder text for a dropdown')
-					)
+			$password = new ConfirmedPasswordField(
+				'Password', 
+				null, 
+				null, 
+				null, 
+				true // showOnClick
 			);
+			$password->setCanBeEmpty(true);
+			if( ! $self->ID) $password->showOnClick = false;
+			$mainFields->replaceField('Password', $password);
 
-			// Add permission field (readonly to avoid complicated group assignment logic).
-			// This should only be available for existing records, as new records start
-			// with no permissions until they have a group assignment anyway.
-			if($this->ID) {
-				$permissionsField = new PermissionCheckboxSetField_Readonly(
-					'Permissions',
-					false,
-					'Permission',
-					'GroupID',
-					// we don't want parent relationships, they're automatically resolved in the field
-					$this->getManyManyComponents('Groups')
-				);
-				$fields->findOrMakeTab('Root.Permissions', singleton('Permission')->i18n_plural_name());
-				$fields->addFieldToTab('Root.Permissions', $permissionsField);
+			$mainFields->replaceField('Locale', new DropdownField(
+				"Locale", 
+				_t('Member.INTERFACELANG', "Interface Language", 'Language of the CMS'), 
+				i18n::get_existing_translations()
+			));
+
+			$mainFields->removeByName('RememberLoginToken');
+			$mainFields->removeByName('AutoLoginHash');
+			$mainFields->removeByName('AutoLoginExpired');
+			$mainFields->removeByName('PasswordEncryption');
+			$mainFields->removeByName('PasswordExpiry');
+			$mainFields->removeByName('LockedOutUntil');
+			
+			if( ! $self->config()->lock_out_after_incorrect_logins) {
+				$mainFields->removeByName('FailedLoginCount');
 			}
-		}
+			
+			$mainFields->removeByName('Salt');
+			$mainFields->removeByName('NumVisit');
 
-		$permissionsTab = $fields->fieldByName("Root")->fieldByName('Permissions');
-		if($permissionsTab) $permissionsTab->addExtraClass('readonly');
-		
-		$defaultDateFormat = Zend_Locale_Format::getDateFormat(new Zend_Locale($this->Locale));
-		$dateFormatMap = array(
-			'MMM d, yyyy' => Zend_Date::now()->toString('MMM d, yyyy'),
-			'yyyy/MM/dd' => Zend_Date::now()->toString('yyyy/MM/dd'),
-			'MM/dd/yyyy' => Zend_Date::now()->toString('MM/dd/yyyy'),
-			'dd/MM/yyyy' => Zend_Date::now()->toString('dd/MM/yyyy'),
-		);
-		$dateFormatMap[$defaultDateFormat] = Zend_Date::now()->toString($defaultDateFormat)
-			. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
-		$mainFields->push(
-			$dateFormatField = new MemberDatetimeOptionsetField(
-				'DateFormat',
-				$this->fieldLabel('DateFormat'),
-				$dateFormatMap
-			)
-		);
-		$dateFormatField->setValue($this->DateFormat);
-		
-		$defaultTimeFormat = Zend_Locale_Format::getTimeFormat(new Zend_Locale($this->Locale));
-		$timeFormatMap = array(
-			'h:mm a' => Zend_Date::now()->toString('h:mm a'),
-			'H:mm' => Zend_Date::now()->toString('H:mm'),
-		);
-		$timeFormatMap[$defaultTimeFormat] = Zend_Date::now()->toString($defaultTimeFormat)
-			. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
-		$mainFields->push(
-			$timeFormatField = new MemberDatetimeOptionsetField(
-				'TimeFormat',
-				$this->fieldLabel('TimeFormat'),
-				$timeFormatMap
-			)
-		);
-		$timeFormatField->setValue($this->TimeFormat);
+			$mainFields->makeFieldReadonly('LastVisited');
 
-		$this->extend('updateCMSFields', $fields);
+			$fields->removeByName('Subscriptions');
+
+			// Groups relation will get us into logical conflicts because
+			// Members are displayed within  group edit form in SecurityAdmin
+			$fields->removeByName('Groups');
+
+			if(Permission::check('EDIT_PERMISSIONS')) {
+				$groupsMap = array();
+				foreach(Group::get() as $group) {
+					// Listboxfield values are escaped, use ASCII char instead of &raquo;
+					$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
+				}
+				asort($groupsMap);
+				$fields->addFieldToTab('Root.Main',
+					ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
+						->setMultiple(true)
+						->setSource($groupsMap)
+						->setAttribute(
+							'data-placeholder', 
+							_t('Member.ADDGROUP', 'Add group', 'Placeholder text for a dropdown')
+						)
+				);
+
+				// Add permission field (readonly to avoid complicated group assignment logic).
+				// This should only be available for existing records, as new records start
+				// with no permissions until they have a group assignment anyway.
+				if($self->ID) {
+					$permissionsField = new PermissionCheckboxSetField_Readonly(
+						'Permissions',
+						false,
+						'Permission',
+						'GroupID',
+						// we don't want parent relationships, they're automatically resolved in the field
+						$self->getManyManyComponents('Groups')
+					);
+					$fields->findOrMakeTab('Root.Permissions', singleton('Permission')->i18n_plural_name());
+					$fields->addFieldToTab('Root.Permissions', $permissionsField);
+				}
+			}
+
+			$permissionsTab = $fields->fieldByName("Root")->fieldByName('Permissions');
+			if($permissionsTab) $permissionsTab->addExtraClass('readonly');
+			
+			$defaultDateFormat = Zend_Locale_Format::getDateFormat(new Zend_Locale($self->Locale));
+			$dateFormatMap = array(
+				'MMM d, yyyy' => Zend_Date::now()->toString('MMM d, yyyy'),
+				'yyyy/MM/dd' => Zend_Date::now()->toString('yyyy/MM/dd'),
+				'MM/dd/yyyy' => Zend_Date::now()->toString('MM/dd/yyyy'),
+				'dd/MM/yyyy' => Zend_Date::now()->toString('dd/MM/yyyy'),
+			);
+			$dateFormatMap[$defaultDateFormat] = Zend_Date::now()->toString($defaultDateFormat)
+				. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
+			$mainFields->push(
+				$dateFormatField = new MemberDatetimeOptionsetField(
+					'DateFormat',
+					$self->fieldLabel('DateFormat'),
+					$dateFormatMap
+				)
+			);
+			$dateFormatField->setValue($self->DateFormat);
+			
+			$defaultTimeFormat = Zend_Locale_Format::getTimeFormat(new Zend_Locale($self->Locale));
+			$timeFormatMap = array(
+				'h:mm a' => Zend_Date::now()->toString('h:mm a'),
+				'H:mm' => Zend_Date::now()->toString('H:mm'),
+			);
+			$timeFormatMap[$defaultTimeFormat] = Zend_Date::now()->toString($defaultTimeFormat)
+				. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
+			$mainFields->push(
+				$timeFormatField = new MemberDatetimeOptionsetField(
+					'TimeFormat',
+					$self->fieldLabel('TimeFormat'),
+					$timeFormatMap
+				)
+			);
+			$timeFormatField->setValue($self->TimeFormat);
+		});
 		
-		return $fields;
+		return parent::getCMSFields();
 	}
 	
 	/**
diff --git a/tests/security/MemberTest.php b/tests/security/MemberTest.php
index 013d54903..f058a755f 100644
--- a/tests/security/MemberTest.php
+++ b/tests/security/MemberTest.php
@@ -613,6 +613,22 @@ class MemberTest extends FunctionalTest {
 			'Adding new admin group relation is allowed for admin members'
 		);
 	}
+
+	/**
+	 * Test that extensions using updateCMSFields() are applied correctly
+	 */
+	public function testUpdateCMSFields() {
+		Member::add_extension('MemberTest_FieldsExtension');
+
+		$member = singleton('Member');
+		$fields = $member->getCMSFields();
+
+		$this->assertNotNull($fields->dataFieldByName('Email'), 'Scaffolded fields are retained');
+		$this->assertNull($fields->dataFieldByName('Salt'), 'Field modifications run correctly');
+		$this->assertNotNull($fields->dataFieldByName('TestMemberField'), 'Extension is applied correctly');
+
+		Member::remove_extension('MemberTest_FieldsExtension');
+	}
 	
 	/**
 	 * Test that all members are returned
@@ -827,6 +843,18 @@ class MemberTest_ViewingDeniedExtension extends DataExtension implements TestOnl
 	}
 }
 
+/**
+ * @package framework
+ * @subpackage tests
+ */
+class MemberTest_FieldsExtension extends DataExtension implements TestOnly {
+
+	public function updateCMSFields(FieldList $fields) {
+		$fields->addFieldToTab('Root.Main', new TextField('TestMemberField', 'Test'));
+	}
+
+}
+
 /**
  * @package framework
  * @subpackage tests

From 80997171cc01423e4a10dd2bb146fa507c5d5890 Mon Sep 17 00:00:00 2001
From: Sriram Venkatesh <venksriram@gmail.com>
Date: Tue, 18 Feb 2014 10:21:07 +1300
Subject: [PATCH 03/39] Updated Expand CMS Panel to find first visible panel
 and added new test file

---
 .../Framework/Test/Behaviour/CmsUiContext.php   |  16 ++++++++--------
 tests/behat/features/files/document.pdf         | Bin 0 -> 18810 bytes
 2 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 tests/behat/features/files/document.pdf

diff --git a/tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php b/tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
index 14a2e383f..41fc7e0d0 100644
--- a/tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
+++ b/tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
@@ -184,15 +184,15 @@ class CmsUiContext extends BehatContext {
 	 * @When /^I expand the "([^"]*)" CMS Panel$/
 	 */
 	public function iExpandTheCmsPanel() {
-		// TODO Make dynamic, currently hardcoded to first panel
+		//Tries to find the first visiable toggle in the page
 		$page = $this->getSession()->getPage();
-
-		$panel_toggle_element = $page->find('css', '.cms-content > .cms-panel > .cms-panel-toggle > .toggle-expand');
-		assertNotNull($panel_toggle_element, 'Panel toggle not found');
-
-		if ($panel_toggle_element->isVisible()) {
-			$panel_toggle_element->click();
-		}
+		$toggle_elements = $page->findAll('css', '.toggle-expand');
+		assertNotNull($toggle_elements, 'Panel toggle not found');	
+		foreach($toggle_elements as $toggle){
+			if($toggle->isVisible()){
+				$toggle->click();
+			}
+		}		
 	}
 
 	/**
diff --git a/tests/behat/features/files/document.pdf b/tests/behat/features/files/document.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..c01805e89c1684e79130151abc23bb80401583a9
GIT binary patch
literal 18810
zcmc({WmsIv+65XQKydc}jk~+M1r6@O-7UBi+}#~QZ~_E(cemhfA-KzJlF6LRnKS2n
z_qjhV4SQF=rM*jd*Q!-bA}1_L!$8XfP13b>x^+-^mNnMZ1I-Me2UzQwL348h=%fs-
zj2%n>EI^YyfKJrZ!okoEc(>4XFcdb_w>B^Y@bW_2JJ=cOT0%R6q^l3cd=*7*+Mv4a
z3qB5;hvSXZo)0<hSs)1PZ489Nrzd7MgM20bl0LI>r7C$^2~IB0Ap8<(-8)>=QCWEg
z?0(nN9)Icelh)1Z%-7YCn!8Bzr7LUB?@sAwWnVpRAKciyREM|tXk}WdZJ1iAcRU+Y
ztS3s55RR+%GoFsI8vX8ibE#DJC?B;TcXp_*oNZQGFA(f^LVK^QF5Mj2S!&#_HokIQ
zT_@h{A@z*Z?-{e6<9G~-vQi5z&~p#Le6L&E2%O`%FSpaGE?s&`xovO8RlnkWc+z#B
z3*SMde=Uww=|%|Asbc6VBhh)2_S7)n8nMH*Gi#-cf3)~8)0o`Zx-~JpUWDUp*-X2+
zpm$(&r%!Ysq`obwd7wAS#kw~Eq4G&+$?H9&*xo0&man*9%a$)3`KERn*YWPoICymm
z&G2O_zjj}$We!=JNGx^X1^Tl&FdVsFW$*77U~y_9khGE?J-o(WR%x8;qCE{o-dQ7M
z-mZ%jJJKb+1D7hh(hQJ2C13OiLYUi=y}BOVY{v19fy#W*u&fDoYs9W1TZ!-d=2|VI
zq7AA6M2x%N#~058EY%Y?r2u(1mW6pg-%4kha;eeZk!Iw=`(d-`$TN83VM?stGQI4?
zS<8bRM6+<NjFeZC9Dr9Gh{r|aKowcYd^|V?vYYkZ%H||}VjWY%S$=d4j8{?mo?Q`=
zJ&Bs&QKO`M6wMUCTb_A<*VckQY^f%$DZS@%D~H8*XCDBGDa2#BfQt~g@hD!l2Qmn#
zT|~<}kJhY+g}}Q&6mSyZD>(tFUhEZGx)gNegVYs=YE5fY<0K)Jrv=B84iZAFBPZ4l
zg}PRtc_mr5UY>mrS!I-uquWlJ$A4<B3QE_;>K>(Z4$}nhv^uJ?j=r60zUXP?<_t2n
zBvieLwS_%I=xffSuhzlb0GIJaPL(>L`*66P(8hJ3`}L0LCu$THxWZ=Urp5IsX?HyA
zd9@pb7|g~s*a4<jLo6DLieFCn3v^|dTfNVRJwJYJ03A%gjtoWPb!coT8m+uzpHd~$
z@UDS%Xos3T*A3<14SHKkcJ4kCD(a3kOjvYhC<PfbfClrF9#-7Q%L^AS7ckz9;>_!b
zk0byo3JTbohI@=>N9vpjd4UY=hq|)^RZolP9R1=k8-piZ$L>QnaU3<NnV0dKny+wy
z5jLdVxvxN~q204;%$WUlNG{RJ)Yz}#S`@o$K9`;dlyq)9QETUigFvl8i=jcaO86jt
zj7*WooQ*>TGlF}WnF2iy)lxL?(}1Tzof`y0EctF|M92$0lX}<+Z)*dQt4y%~qJU08
zJl6oQB_ni(tkEZ>%Zj-yECFQ>FVs#yZebm=$1~(nG{Ue&!nN}HQcyRee=Xo!NFD=N
zWp<tLg(DUjwY3Q`dAkA9yH9@H84Dz<B{nr&tkR1F_}{?UB?(B7gj0<CDY+z1Wexi4
za1+=qUfL`AUP%zUD9_^uAYv-?UO6^GPD%1ONi5JCu8lQR8w|W*2oBx5j4?g-XAiiY
zp%{@a9-MAMq@D0F!YdjFtHawXe1zClW;3u0OQ7yXhDf+4_SrS1NR)ztC3^QMj)|D0
zM}f9WMdO&d9>bzmW9@V$@aScl-mDL7zK2i<%SkXxv;nn6hMH8i(FG`?6djl?x1tA~
zp-c<q{JVh)@XOd36TblUz^x%v=kWPE!A`J;wz!8S41wm-gt3HT@+WV7^$FfkrGmqh
z?UqI=XDhotCZ3uSAAmy}i<Z{<`gi%<af32_@O)px^Gn4@Gk%+F<_W{06281!|F6R+
z4@m}!uJZjs5B%ea`b_6!{az*5*Gb=Uk`_mAVO6jwzaOk|yb0(Wu8V{B!b+JOQ;|?7
ztM$7dW}AxDbrWJLY(k1SUXy&C4%!<@k!F&&8YIaPy{brdCX7$wiX!k@kR|`6APre-
zWy0F%*+wRqp+8Fw3DI_yA`v=M5t5p=4bgWfSQMzoG4GxQMPfM;R6b=et&7+3gGGWg
zIwIZ61SZiP%rC5*n&XJ`^`v^el1q0N%W$%g?;8!w(Y?s_I)XQNSCp5+e2@d17SSxH
z8-vS`;ww5T^A#qDRzWpifaASwNOVsswpEU3sxe4v<x+8k%<fuo0dx0CZ)7e5HT;OX
zfLkq^9XFMqS2;sXFQ`|8v#MG50fAbFs!6BJhtBRhF^A$C4NXP14<xmP)E!f!WS_sb
z`E;wavGf*haP+6DbmmJO+Qzf&qC;ig%T-0|6s4kU=oWWviR2fsSCM{25PwteD#E2;
zg8UkRf@cKg%|z`RBUNK6EmBrdL{+c7<UudAxYF7}0rgwoM>EoObufO#kuYN--R?|B
z6WCDAyXF=WnsEeeUCzs)k8)`2bAa@nBj<#I@qOa`6Or<xFy1=97#|e5FbPz25k68h
zXlO?Ci^`?$hcU)5X|1GzF(fd<*Y$?wS(Gv!k#~)ti2(<5+f^h)ktc8g%~*4VdMbk%
zi_PJ(_yto`EuZY^#v8QS<6e%t<8W`|q4==5eDyZbatvWPkQ<!#De2@$tGV>iitR?s
z1+U%$;pyCxbHrt6<0jRLn<^J<1{1PJlcI@_kvciS+%S<)|Hzpe*j7`t%wIW;lY#ba
zkQsBXY65<M&D*nx{GhxL3#XFmKCgy?THj4svBxUb9^SxTOAdCNF^Qm}LVjl5ES?+w
z1FCui_8Zj_P|Lcz#q0{|uOA~{y@OViWc7r*@9md5!sjlEgOW^?%BTrU%!J4S`|>t)
zVi)E^RRC29(Xso!fx7Qj=BxlNxpr+D%(;+?jyl9JVIL{70*TZBCWx7F)&oXql}Zjc
zVT!1I8lazmTudEBofHn)JK+U2<@a%4&;!@NH^b^_ZOjgjHWu$E4CYJ*C(EE=v=Uyx
zs~b3r7s<7NUsmVBo7#uet#%oLQdibuhiiV>8?{Q>yz|XnO^scU^#<ouX^V*0q`Zm#
zo<wi}BG%Uou>(80vrlq_RhR$*Dx!{#O-^E-8$FgLM_gj7O_74>#^NLs({B(#1DmFq
zRLGp;*CtGzBtioM_bS-x%_m(kO<fT2%#bHx0*exqx%jPl8bDkeZTy#+#+5d?x^eF*
zsG5%J)rs>SX&jF0rGnLWJB1hFFRtsG?F(F~O%SHNYeVAXJ&s@Q%U{W3MMgueC1_gT
zZyaj4$|Fy&`*@Cak2Y^nQdYC8CFnAJSQU3C0&}6GsX5VBPY&%6sBa5ve??K!d_wHA
zJ@Gp2Fz7MM+%bo$+Yi3n6uDU%CI3;7zR5|oncq;CcWCk{*ddCPnzxNz$AIXCY>pa_
zFY-8{Fa+MWXpSf;3>N}M&ggDx5jsW$WmT4kJH_v6qMOv+CX?B@-{^?^v8Rj0(4&^>
z`;ZI!@lVEP5%?7m31>cjx=H3384$&-A>_9WW${!!e^aEbS8D<&;O8&R+~#GMlkwp0
zjuhJ^8$&`T@GqKzTYg&|ZR6dbNBC%IKEe*;blJ2?!6;AAF0UPhlYdSCrU)HWQ+ql$
z?C%dp)!s}cS|}G-y<D*w$#bksA?v7zEgzz|dgIQ$&ux*~85}};vtSUW8{eyC#*WYX
z_LR=o?K8gWGIsNTt>y@;u*ALxX4IHEntDX^Tj*qCg?n^5O?oq|R9$xd!WXPjhN0b{
z$i~u^JcZMBtnd=o7@3_{Fs7#;;g918a6EN=q!GFOGz%zfijqGEaG+yB=~ku>L?>)J
z!{pV&Z&`wV@2nLsydf-LGY=&R(({l1NXM@#p?XORj~k!*RvGSX3;MW8wHjpa0^=kh
z7+N$7CtfHmPTGP?kqQ~Jg-2Y*@GeCzND<{2cG1)BJoj`XmAF&8s9@u^Due6{xk$ZH
z07){cy@gS(7E8BLwCShP{EO(lP74DGO4J)@xzND|J*e@P7x8rRWTn0Y{bH)5MzX_x
zGz_{i3-6R-<1J(?>j|P#>`n_N8-%t$*rMtSiAQJ`beG~rmr9vM*l+9BvzT^y2a1-T
zcWmqq&9z}mIas(BOg(1ZF_49*<9|i!FE1TS=yO#OH<JupK)j1YiMS_~eD`2_=1Zgs
z0T0_DTe!wL7e8V?WDrmpNasF*iG)LfFYzsnlmy~+L;F-#lt73G;OOK1<fig+?EXU&
z6#@utfXC}rv)4B?SZxybY*Mg^U$)EH$UekWusj{ZZgZ*|Yo!=heL!iCHXF)1B@JII
zNC$`9L}SDeUD~T7Hr$soP-^Hi9Tdic6I<q{;2aa%0u73|&HwZsv#D=RE4W{($GiVb
zL{nB`t>Xn2d}|A(`Z9L?X?mnWv(w%~;5FuVKD@L|$KH;^c3shL1$3&f&14d(qZ#4&
zy;|DplEGAxptQid=z7mk-W7Z_5Eu9arfjQfD?7YhjbK;QE_*LlOXP#KWCIC<IIT9K
z6qEHr&kThnBqDvv!rd!~Wnv%<4G^F#S_6}dEJQ3zhe0Yc)UP0Fv}cUTaChR<Ac7rH
zG14nioR;*k57J)bfRa$~ULtq3uiURCheWfzjLN;YbKaRc3<(w=TZClQaW(!}xVi1E
znX7rhel}5tF_!(_HMDeTTY$dWxBYqaIeNzcO3^4|&beOWFplF+{E}J=DnqE4%m-Cn
zN}<=Enk34%C%$9MeQrxSstfhqycS;#tK2?G)y^u7QYg>rq@oFvU?A}+y=;8dL1M+C
zMJgN^5;#ECVXbC^WZfAQ<eDjQq?k@Xf>{>)NW6V=0l-Y9qQ*nUuJkjq%d4AOA*&qY
z5^D<S#c{PVN0B~-r4!u~i$@)$eV~+m)vSXNHHg-%-h<zjw+t&9nppvY9Z7fk-N{{u
zx}3lIgUI1R;mU=o)mARo!yY0h^W=-iP11Ncb_(9mw=ZLu?9!{urv0$z{QZ!rYAm~<
z62=!ka|gtM=z#?>)xipW2-mmBZ(X7)$6^6Lg3z(ZKI}KRi;nrm?-kLFcgWm%!fq<B
zO}ARC5vv)ECM9>y?rslb_`y+G%q0Om)>aW6Ck8^7ln(8T>W&6=cM`uSkMo@o!vdAU
z$gw##qtZuz7vj|nc#K%tEn`jf%deOb>GK8-S&!>nL@spTN^BohYgMV**=1ja=s#_P
z9}Pe1gnM>ge~iVA&;^N?w(-2<D|EFUhc>h__yZ&ZL(kay8Bjmpnb=ubpJSiHjKAS-
zMHd@G0G*t!@sF#Wp_K!G=_dx4H?+5Qw9_}V2eAG$2w7V>0ORce&$t~3(xnXzOmzjV
zodFv3Km#iSBY=&AQ41P~)BmXFIo~gQFK1`1uVCl^&;V8@EDE4gG<0?VXaVSitSzkV
z6l`?$4FS(IfRH@{fbB=|yu3j853KQrS(Jg69>D%=ho%!{0)`o$t9&L37=dp%er5Pq
z)eH<k+poI+;1+-l{E<fnzyP2VcqSOEfb0T*PT0`NRNqj{PS@ps6AuCMvf`+3Uq24B
zBKrpk1ULu1hlYx$C@INWaB@_Ox73KA$iXyTX~_M|G?_Zj(jEI!D~H<=AxGcga4b7D
zF{iCWau!eoc*X6wdpCTzPwsE+!nJbu@Zh=PCTy8r@STf7K+#?(o+`i4N=7==51&E=
zcS=UJ0PT8D&o->`pgyLxadyUdVy<erx5nx2lBXu#P={cjruGZsEkU%=3;g6vazpRW
zZMX^LbG#tjs_-S)$3!_`2r2dSljCU)`BgO03fnp4l;wI{5@mNc^*t@2HNk$5nvq5`
z5zU|XKaERGRbL5bHzAY>V~xI3ytH6JEri=h6Boj!I4zrAp_1xFil#z*10m01P@icg
zlkT|ch}o#s5W8`GiI~sZuk$guX0Iw4H^AeC6XoC`;xYK{NtGVLj*pw}lg8W5*fug<
zK7&A)nNs{qj538)H-8?M)e+RP?vsTOd~F&Kp({lqlQ4VfuE|*r`@Ep<3{zN1SE3vR
zFbwY#KB2IAbLrx%eKLZs)VeDJx=n7N?<Y67##1?9G_zhy*j1v<qmFSysiJy>R!G2e
z^N!#tt-k-5)b_eQcyXBg3U3+-$2eEsN7*%8rAKz7{-pcb&;oPR+q1-J*3JECZv)M7
zww9OsCfs$AqpUd{M@d)N)(~dtsh80|a-NK%pnWo1P1StPX%iu3NU8#syvqxmH}N(G
zMQL&R=v$o#@{k-awFOCoq@oqY)IN{jo08X5b1$51V!Ei+U)L#^H*h$=pCfd&ypdL^
zI{5H-d+B<&aEfO+@R5QXW%#qOQCy`)?&gy7*9W6$q)c|smYwDh_5Mc*5k$TK4t2^?
zRHbuextT6&V|Y)TT2D>B{GAJd2W}{y(#-Ml-CU#=SO<yG4*R$Gxe~_}rUdKASs{K*
zQ!<MB;b7|&C#TgK2GI`){8$f0e_tMc%!%iD!bZ>hYuY}~zh@J0s!9k63F_J#8UTLG
zCwYL@uQbnV#INb~uO-C(pB9DZdF}|D%fN{zX=-2(Tm^p4MXhI6?~m1j;qPS%={o3I
zSR4ObpX~own10Lg9|%N-KN!THbDjaf#LUF_zo&JnvZaZ}EEeyMrdmwCc)}(XMS_Le
zY?YOP#7rT{d=Z~PZ`BsN{ry|6h7ZI}_v!P+i46okRu>(tj1Rk~#rYNZB)9>Bd({Gd
zW|u@^9%EJb9~}8=4X6XqdN6bOV&Hl#zHz8jsRdF5NUx8(tX!p?Enji(c&tzfLJ<`9
z(ISaEnVQ?CHi>7npPFYiIoS6~3cEu+usRIyUoI&3G2X)LzK7ENUT(Rp9o}M9q(dng
zbhLLnuzvcE%L8Mr0_I@yfZoKb`w_$g#r5uXW`yRh_*`iBDl3rfovQj&FKqFc7xcsV
z%zCNiHil@H7wpnqO?PR$*Tbeh)p_CA##g$gI-%tpwpR?`S?{e^ROgpTKXB~Aj9t9w
zPV|yNqH)2<O_Z9Z{&eGYt2;-NwknXjurHIu!Dwpkd(@W|;VNGq0Wo5W<sOzO@nEpl
z8`ttF&UA~*ka6)8WagDhxkCaJoLh5!_!_d7cSi^POA>LxIWBqRd!kA3%yk;qQ2jxX
z??LZ9Z0qw*iit>-L*7hj5Hbb8-SfVSdZX6uL0v{ZpmsfO!#C%<B?69DHp{J}C_N5F
z{Rt-0P12WJEr~MDDR3$Ouwp%d*t+c8rb^D0{V)L)ytukInsD9PBCV{uL}+LMuzjIK
z$8-#W@usrRLr}j;(N&eYA(TDX>_o!wjTuB*TshKxJ>#$p`nBQ=S$%yw*$r`5Hf-m6
z4`=s+C?R6x$gbn=IP6HU?gfQcqaWqXZu#DtJu=3zx>LNN>5cY`kf+kCwRvMnrm%kp
zDj111lF@c-6~DHGf@yV+@WJJlF@}Hs0k)d}5tjkkKmv6SHN5*FM(I?8gldUvF~2eJ
z%PtSkgOpbg?zD%gg|-fUwsLBpa&ld+8@Un+l3<@Dj03;BCTT;jpX27$@dJjp7M?>c
zvBO*r5iUOhJp_3hgbmI$-Z8{6{4vNeflfnM-%wB(VO1DQ@-cm*i4iY|9-pM6NYeLv
zvb~x;VfV`eFj+jf<%Ws$`s#S(d5=+*BkIv+#>sZP*Lh%{-(#?bC?Lc0L#-Ej3Ef}h
z#fz13L})g?)Aw0-;p8qKr_3idM{eEOLqIqq^hoxMbqa+vb;TWyx9_VDD$-={mo%Js
zNjn6Hwbz9}Fu-RG<2=?aKGg-ouO;HOSnY)PFBc`=SL<BsFUO07`*{09oKfK8GtLyn
zht6x4RJrbR#ia*BGZcBn?WIpDch_0`%f|-KKDS#G#-0%<@#<4t2AxMI^Gt-y4CY$b
z*jPoquF<gUrU+vXkA4Skz-8bj4ZrT--U36EiQ^25_mFf563C2&<ZfxSm=egr<BP4O
z;h*oWj=<H>!GuIGJ&iEkshUgva)hF2EI-<Yo(*GPt|tdqh^alJm_scOcf;Hx`o{fw
zC@Llh)h>H=HIMJoJu|a%IXQ0<{k60sT!t+sZ1|&(g8}*6+*GMSAjWOVw{iC>H*%W=
z1JtjhJ$hhvewesBS34iMb2Ay4f@6_RZ}G@Y6lE8$>L<TPzp&oXA@rV{1{=PcW~hv;
zp3zGMi}GQn2OR<_Zj)YZY%_2B+6K0o=)K1nvhf9x7kqB((+>B}Fvv2qc&^d)l&U39
zUxxu7&wyJx7Az;bbuzL4j>&)&5wl^bo#y)?E0tE(SoDMK!kFe#SL1uZfmG>g?c`Um
zh3>AT9NZ9v&LON~w+ni?wiq;Z3Mj!kvTlA<i<4YY@YuWZk2zdPHnr8PQ&2<1>ET;;
zmzUy`_2`Y_rs?%Q5fF_YMk)sU^^`kImQEC#yW+K&EK(~v+fA%W854ZoDr~A)b3%A0
zDXUo1?rCqsS1XVLEg>=q4Uiap7CVY7!l}HYRhr{O<7ef`W5tc#jrN70Z}L5T&L$*Q
z^re#}o3r;k=i@WJ(JV5C6qL&t(srethj%Jv(=ee+X^J<%%g@pZFW3*xXXIDD&`QZn
zj}MG<cP$$|7#$(3hV6JQMg!ATU-+oI%0{b-2=^UQ_#32zxu^j?ZeArUz9YgN+~+9F
zqQkX9bvlML-!)-(=95n=Vs7rBSuiuvYy@$i-Vm`S1%V%fG5}ztKw;WgD`2LGc&N!~
zFy3E~+UkBO-Z#VVi2c-|Rlhm_u0mU9*B%d3rfIX~ONF6Xuc$&}V<=$YDZDF|)9>sL
z9;_VB25SDY*Rnn2<*1ma)3W)ZH(o`t2Kl)DAYQO9810F6a`lYa+~YgKR-V!kjBHNL
zoRP$Vpb@#&*Kgdya){;*5R8apO``8|n*$(>QuZ(MI`DAy4_BjZ1yM$CQuOC9J0TtN
zJm|;mI2Y;gTf_?e>YdNz8jPdnxBPd|(r`Hvi=-x6iFRaS0WO779j~SY(#%>oY_OL@
zZ~Cl1tO0cUAZ*$##cp~HwZB4y+10!o+?_pr+nO+5Zg_5v^`I{L4?&18_Yd7nYJ%+d
zaFj(&^XBr@N7bY}<lh$>OWs6{rkKV?auSyB*%~$Srl*WlJG&Od7>_viLy$i14TNt`
z33D^xS=;sWNHTLV;&6J=cwDOUuEJhcFL5Q2dmT9Gd9ow+Q3T5vR>$rXL$AH}E7!8z
z^$;!X$kZj^dwO&_INALuMVN~(P_DAEg)&Fhqy&ZZ#pvQ#EZ$|9WEv%t;}&yIAtno6
zvr{XkATx^j05T!y<-AWlsa>GKOR)Y5(wdQ!@mJcUS4AI|b&;GBmoR1mygq4%8=#C@
zf_-{oJI)EX=H31@{?%-BW?e~y^n=lvy?yrm!1i!_dU$?!aD1XNr!m`mD{AdIRgIOk
zai!*{0fg(PbQE6ExtDeji7CQYc%&|NNQO*)ulX-x$67%SUX<Sc2e<4OY-40#`xCY?
z{Enx7I$h5IN!ZX{-_F#=!5X+<DqyewjNmw!fR2`su8p{%sj-OzfQ^yq8Rh(pqhSO(
zTF)D+#z2RP5eTP%MF{>taWqU!Yye<12hiIC`g_1afcWe=T1M9r2$N(4mBf{msl*K}
zoD3aI^>t+o9Sv!eEFA1~rJienrjr0VYo_`FR>l^FK<|)F!NJf{8Ndh(Ng3)Im|7VF
z7}<dSp{}!vsR3}Omw|zi^=BgSABj}|Xe<jO{m(`L_kax<0SrIE=5J2lzuZ$swr5EA
z|M>+C1h34`B{8!<qsD)Kv9LWi;Thomr`TVqf8+(0L=Rx0|7H7mXJDcSu>H|e7T^>9
z(}#Yp@~=Mh54=mK;Hc;D1C=Y<IU4@#=VvGUXXO9vh390y4T&Fv1_+dYJal^i!%uJx
z++eq}cMvkswF8a;U<c{`@dnr_06GyX;C?%>zo3Dgr7v%7scZGi^1HYGd+UDz?4LmV
zkG*^b06WwF$@f-sv(T7z;oH%Si4i{`2|+CyEF_Ov7eXcpK?p{sScs#RtfJx53yyeK
zMc8ZiP1t2f+#B7|hgK+n#x(S3+DbBkR3nx!JhdZ$5H>i`Q5wghSf!*J8&fniM`#S*
z1icz2p=-)>rMampja}gJRdD20n*Dd4ox7H^JMF+QrXKZq5z@+&{Ik&Fdz|%GqL1L`
z&G|405Ncd4VO~fcOMBCeqhywik5~`o^rW;a9!G1FBW%mkYctgP=>bfGq3<8wQ>GaW
zJ-Kjaa`}OD$`Ui(K6!gyC7&ViGCwGFwq`%spFgcHHcN(HJ)A38)1y1TdT8Fkz*k4x
zm>@X!^7cH==sp`1;=1Av<;~D7ns&o?mir=hRagg}F~?JUMOR+NxS@M)+H8c_o5))_
z)HY)aS9Q}9#OOX4$uHYrxY^0cxj3fZLuv@uqaFttKIHF+>F0i}%CBssu<-q<@-yqU
zH(vTsH)m3+iz*pjbaLWNQYLttVUS}b{ecnE1RJL8aLMO{`T%SDM-$6*>&G?D;#=*m
zhKb;f=7X?8-}d16eG*S(+~^K|LjQy~Xc_Go!dOW3j+#|<8_O##^Y;GL<nBh=J;DJr
zwuD);hjz)s)edM+1R8(Z@Y&7MZM#xdUl#{v1nu?>bCw~SS_ZJP0l6nQ?mXGymvj>2
z^#KnsiL}aFk{i=0uc5)oXtk0x>KyVZ1I<{t4d>QTUwavKFRj)?apNG@t(1(|A=>MN
zEG%FT2WJF*pw&{-h@AxlGa|#6+RtEm=beY4Cadmj*uyxObH9!;1-yn1Y!fRDsn?Ka
zg2W(glL%sG@T`6#tr509uUug)uW0t@uV{9|PFdqg9lub^-Yk;ubZkKsU%RB8zZNOC
zoA9C6I(IGf(+9d`(as1<Y|<eZ)>kO*;2%iZm8B~9J@{6qGVy}^53_@K40doXLhtn+
z2p+qQ9*yjAt;YgC>!%`A4jxjMkXK~Gic4fIKzM6{U+5R04|UNi@E#7;QRnol#Z)CC
zkkqx*luo1BC68pV+!!R%njVYB&>Dt_+)tz-$FiZ4WsUT+q81lM7)T<Zy0A7m?~bW)
z4|Q#GUEhQ`!?|PWW;zS5WvT*dVZ)a7oF&nbM>mCVu^t!o%}1xb7#x#ihrXA!wlCdh
z+$P?@u-VO)>tnmKhg!9eWFYeC+d6rI6<EoWLM>1-Zo_mCy;MVu1C#cJ_mlCX^~M8v
zz}o%JzXI-oZ@{ZO{y8)2ger<1!qmVScU`j9Ql}?qg4J6rV=uNt3w_PvDs)IkVzU$d
z{7%^Eqkqf0Ah79z!<O!$>`}Zo#K#IPZmdg+)9)jP;Ep)8pk7iIzVCKI+qf_7Sj+J`
zJQ6D?#OL6dVe)ViyVWV;Qfai#t5Y9z%%iOSu5f)r^lA|n|0>yW2E-AIfV<MLi`L2e
zeD=kdxz3~G@trxaO=#6wYarbMomop+*e2lT^t&)wtuJ}NT#?R&qLTBhe2h$Q(Zz==
zl4_aY-3q!s3ymikkP)PRLr2PRy*rTQd${=SZaUhmprxg7b%a#D)VG)6wHC1B$fn%A
zHa7KOZ+|5lU{Wp~fz+p~hovqUp9Q{nP^KrHUPW38DO&>21w%fFcVc2bstBxl(IBXB
zUwRAjX!79s2us7(!6jCQIX*+LAC3+|!@@FS(t*8BiP(#l$6`5*FhpUw@V2jDSbHn*
zVDxl!eCj@mlWDjaa?%6JUa~}=Ybf4D=`Ne&QgM%m`$Ht<XAE4P`HYtK$mI|3g9Ma}
z$aN%JC?4@IfR2bywKrIeR8!~`jfLl33XYuK=Z*#_4Pk)^18W>B8$nNj8WZP*9!l6R
z5}9d5H1@gq1L?M_Fw32!ylQBz_)qB{moHkasq9J?uk8iS7sAE5A3jMnwoP`f_IDXs
zZ3PRmTjK6DVi`0+6FzmcBiVNIOMkI3Xo^RG$2-(*DW<$e`K<Joujtt3yhovqmn351
z_7l%kg(uVc1IA1;B+4m-Nnf!Gzhwnvvl)WxoS*h*NS;Fh1h=tHyz`2G4qn8Qc0?jc
zE}7w!!ckMWzINdF3a1M%5+m6Me-V6)|KvK`(NT6AS^Si^tZ{q?<2HH!`g=x7M#g%t
zPniG*SE|gYk>SDtqWe6^brtlT1|t|_I~*~s)&R2Zp}h|>mc=F~)j3tIwzmbibS<a>
z75_h9d<j!;79b8REjl<4x*_VbxtJX4&ag}DO4bs4E8GznDHoRUvRLq0$s=UN<S);7
zCG6dCv5*_ru)r4SC}co0PNbAVMl+}qBf|o4UEdiQpKFvQtsLQh^v^|^kNQYjC}U(S
zv;B2Tk>R+`n4Cf^@Vzr6d}5>5=Z))+<wO&+Unf&2Nj!S;mS?a|&Nl^>joqm;_*9Qc
zC1cZrqw(I`53L>--dDQMZHr4&QI_x*?s%giB&R|O5qm>+RCkztT>7*?i0#}q9yOCa
zr{7s)3?gCYu(|XtzHKCaFF8Kl=M&qP_cl7#@I6|iJBbCc{d@V`Pr4pe%$Zltr)MM)
zJezNZxO^{CE9%T34Zx6R7@6ZT@c64YbSbE@oX>cd886<g!+~FvFI}fyQ?K#V-JqAl
zKo06DJb8j0+mNTJ07O3d+{Iy^PzE`p2?K|aHh4>}Z;*;WS218+3Gp{GQhAQZk9dB<
zMGjSwc1(r=AMn$$$6~;FQMwRUzya)<J}MSlkuB;FY+L4AH}C2|{_KDtQW*ZRSFu?6
z(SyctYh@+PAZX1WkU-zIbe+{#CE;Gc3#S!0dAS*xzEeM<doOm@U!k>Y$@^vA%8Wsz
z!EU;2dCxuS`w86Pt`muG#Bx8E>yQ?NX9M@*dIV&8y0RaAlAnJ4oK2V2UYN^*kkw~I
zHLbWWa7qos--2-w@Pi^qHPJcNBYLz7NOhS7z{YOKZ8myZ>a*8(X4LRmhnDywajIZ;
z`J+m+N`*86o$wb*$1uX{>9;#nsTT025nObN@rIRoOk9EYxlfQ^_kBwL2-f}{d}|SJ
z1Rsk}NPp);F;R=3@}-lt$Wp~7wcqGo&a)G&9W}MXsf?g5Ix{Td)vSCyJKy?6#1KYv
zfI}DgwXK+Y(|a4jJsV;&2)Eu1_>Q%rMR7YLD8x(&HFqew??o7{m+^X)6D=7%@tR5)
z^tU)V%u+5%Uwqz_hrFSa+XJU;=Fi9Ycn%t`oizcY=<4&k(d>u)BP{y?|4U*hE<h<f
z8g31R86m<(%9noFZ7b<c&3hcfNifLJ_X)o36Y1RnO7?2|hghc<%5Geo#|jyng=R2C
zd-;MO5KVU6Nul*Q`5q_NE%FY5Az%Y^;5K9Zw{wFBCHNsb-jFo1m7?C&58uVU+M)S-
z6xy;aSaC;68*5gQV}I*1A<L-9qIsuqs)%(PosIvG7q!Vq*oVHc$OdiyC;=>)oHYRQ
zm=X-KnqDn<1N2)9k9P|xwx<w;%s8ky)M3#M%U{4F*4mTaPCecFt$uteWLx{3r|3Xz
z+2X&0it!yXP_E*Hv_jWEjEvmgmV)~2wjc>_rI?c*sI5uhf~RKx3Vk)03FNJh5A7>S
zg!dFdDhJ?P3$GPE;ec}czd^pi^&o%G1Y6YhLgx0RSIeXCNGxV}`yto<%9<D9;!VJW
zYAIkaU}3IEwkEOEjm)(d1s)IX`_N0!WZas?fyeeoo<hb7@6G;z@uJ;6s}6`jNJt28
zIJM#71vFA(n??AXr9vmNZ_xSVGop3|O6<zr$|3aJ1|6NGL6RP13&c*nO5(9_#kSMa
z(Mq;Q8|33rIyQUN^ln_zw4bLfgW;XSVPFg&b1lk0Yt%{*lKB@GBJPjQKwd|-QGFBm
zFo{R38vHQHN#*r2Vo=qcD?;gALCUK1>sWXHwd#;HW>%K)2WhZQQyq3V*g~H*X8JUU
z50h;+*qAaujHSBI_Am6@g7GirLBEkrYtjU{P8GZ%o^NwRR*jhJ9MPyq8#E@r=|J!8
z@Z`@T)<doM;*;8{hE9_$+@q322f-PL@uu^AUDtBJNPC^^y9B-NJyjRpof{=H?(rk>
zu&c`iw}rG|dEZuTdr^<t>oS!2`*lTkVjh=!+E}jbP>ftltqrll&d$lo44&L*6H`{~
zR6O|NIdV`O#XP5~2b=*PRH$(%0y$j@(D|%J8AK7}hEL0aC*KUZH$_?Hz868&pwPK`
zvkxpyhiQq_qlnAteFULxQQgMXp-egXlJHf&(f%ga@>o-x(JeRLb3Ppte)`?|XOBs&
z?>2l0FHrP#E+$u_M^N;>GP$66Z_d7IhY+ktY1X$iCjIKK)H|?M<!tG4bH}!f!Z~%>
zy0|!=G}!Otd9C?P{oL#WPt==_Qe$J*B8_OFwd=%!T97zqK|N`Hv?M9xIp3lSYK>wi
zQQx?#PhGr&Cgs=>${}LiM8T>WOtte+OlO67w4O1|r5EQp%nf|FD_u-2S0cV-WDUm`
z+F&R>(WuE*xkQ14M4cmHEew;Vh=9w-@Cq%-KGDlPsp1r*YgkKNS_pMWB?L{^OG=gw
z#>jghM@0rl)tjT1z=~%`sVlg46%5|j>VV7hw~cjpqwT-I>x}g24GY&;3N1M28m$n@
z4O$x+m%3Fbs@pwOWRV5@_WHEuO=>a`Zh~L(sb?gy1KaXO`?YY-EZ))g62AV%#`o~x
zP7$-2+r4xMMyooLXF5?#Xjkz3c;vgp8GN)yd_gw|Lavv!;$-mFe&^WEa`!759YGI{
z{L$q({yq!qS@f*?vBfBESvCl$-`j_jr|Hz!FiMY&m9Isp?sL#Q$DvzI0^U`3{4|ID
zG%KC`2(*ECnFyDOnK5_3jLmb`d|d;pcX~N#<8WiS^HwpzHZft>M1=;$O!LN(=IeNw
z8V!~pi;x7;qi2?;Go+m^WJQYJilV*lsa+R@Ko~csRt<O1sSeEf8+|r?NOQ$9R3_e{
zFx5(sPYY9rvmg)GI7Nl{w*-sEQ>s~0>(E1dQLm`xW!j4kxwc3WS0&ZU^kt>sDS|7G
zM1vulp~^)D148Q+E*cUJ^0q}AqY;Hv-tNBPSBaz3Rz4HCcgx)k@om^XDRRoHE%^Mc
zeq-1qOLR__Rx&R+o;rFzFg1DYGK_&I%gf6^MB;<HkUb!rQ*f1d6cgw5@<b|~EQ#=g
zgtWan)Jcr<mZI^Z^<<SWOq}WyM{7=zl?EIL{!nO#uN3~_c&3;?Jrs9px$l%c@w!HM
zuwn?~VwU~EhrokAQ6<^!VJT9w#3eynjfm^6Eb0OIntS?f|48U8WfyQaMT1d99nb+z
zMNxt_O3R2^s148Vl?kL2yWP@r&HesRnCY}oceeDZ2E;V2kK3C6{g?jK5#29bZiFky
z9CnuBQ{h&RZKUgRn#!EZlgrt#LOi)$dg&YMI||s=a_al!^vbee!8tS>=)?Cte()R&
zV{co8RIFOQj~wmkRWoJ8Bh2Rr6c%&s#Z4k%@I^WlF3l(f1-OEZY_m3ZW9{-AT9kxk
zvRj0rqG<VP$)pPzTU~MRXpNwMW-HqLY<i}(Oo$h#ir`+s$*2=*f{<#Hf7=UgYRX43
z?P!7)T58*4;kWL{?vNWky9ToGj&ofZ#Jet}HX&ty+^TRlL4-6YZO)sRAhEq(5Px)m
zX`XCAEaJGms@ptzi}o&L%;TH+{Otx8gs?L5+6%rErAoP%=w(EHwh9?eXHvU<c8li*
zUyJKYOTu$7(g7@Nc8Z*p1+J0|i6&v{4xoZ+l&#uUp%GoiJ;L=o91Qe!9bjoQPh_l2
z$Qdb{_7~Py(r^Pe+4><?C;0GBD#urEcf=S+*>~^7n;OpWsbqu5pe~Xs`%a7**R--j
zWt+|}p$>Mx*K6fGxy@hUX~3DN7+7N&@bL+?g7Zo}tn%zl4-=p5$xLU?m+X<oC1bP2
zOU6A#z}Y21>|&a{)tqw&N*UjtyiP^F6TnNmd1vglOS#4kedQDkgW1|9=v+W}xp6~^
zj!MEBVvbSvw!tnKOBmV%!QxzG)1J=iF{Ug@KdvXv?HoR1M}&32s~xl{kY$`_ii_9>
zV@1L#rnK_vTH?{rGoW>31xe||<)q+TY0q(wXX*Wg+Xc>t+z<H7H>sWri<3=XZm5P=
z%s9qQ*?Qh?L`oMI6sj9*WLkRk9(G&gb&}sP8^QZ3!Vw_nx?o)?!hK;m*Uzdp{=T@_
z0v*AeII5-UX=7+=`~4K3`f8+X(PO*4=c~n8`R-HGSN9yuSj5|J*S(w}7Wt47B;B`f
ziQy_>2iNADl9c9O=6wbKc4RbZ@nLwqHQ1w%_v$m)A%Lsvh(Cd06df}L9}_VwnB)mx
z8b(F^KQP75oZB;t$PDbrUt8%w()B-4i@(u=e=^0aKu-2|rWnZo{a=`3W~OJRm>H<U
z;a~!Au(JJ?DVCFy6%hV6ruYX*3{({SizEiJrGJpbtn9y$#2kMmiGdAzW|GALEWkwn
zB8i!QQqzBs#Lr};{BO!5#$WOupwQqSN#dU|{~Z4p8W)-sNaF&DTzX~zD?1B-1^BU_
z$=qifBjdA}0Z9A;-vcSnA8CMe@sISs?!WQ?)BPZcpVR+(u>cwOXOj8%J0lCw#=`oe
zOa@?m&woJG6Y%<6!*fl*Sm+<QfH|3fs)uI+nvvsY4rW%Sf6>f8q*DLydFKDphkvD*
zp?{1v`9CS<AI~26_8%!`U_bszDF2OO{=E}_*QxzMF#~rperULU$var+fe-0_9v7=o
zHMh{1#^u}5{yNJxJ9|Rp*&TV^6RAPwgx3<D?ytiYJy{^(JyuXUEN(ipt)!k}naxcq
z46Z-HXe#om5^c=Ci+QzEwV+6&?=m}uwb~H{l>lPlRyUQ^RLDdyX!d2z71z~*k5#~l
z?%eH)+erOR#@W-8=TmPb6p8;_pJ_+zL^R4-ar1}|Mc91=;y$OH8O@u8W0G@OOeUH#
z+Vowg!$-7RFA{&QFAn!*-8Vj0dd}zU1gAZx9rxpGgq6I4nv+SH8a>|h#x8IV<=Ob}
zcq^TZ53TIjZe?@%JnlE6Z&uYeb<bBsy?TRhxK!%#JoyNY5O2r7Zp%_PZQnV*d_X$?
zTujzlCF(WW?DI%@i&FefTUCpM26Ajgcm+E9x+)S*I&}GVDwLs~Bfy-stnRF<dWkL9
zvAYTsqJ+>ix+33#tkj=9$lmRCXVJzZ;i4VCO+wZZ*|y-6=uNBAQr-n5s|3gWYa}SI
z!R#T@>^&0)_xvUSgxt=2hOzvt?!w$g*6Xga=6F?>20X15dk3Bdss?T^ht9aM@6Ht!
z+TX&hqCDc!G>xeSM2oN&t!NdCJ5_tTX4<KeTC}^Nd$Flj%MdQKdx-5_DI40!j49ca
zS!ELaaPsX~K9Y~0gr70Rho5a_$(QOS7-}e(xQ~XkW`BN>PNU^)#iBeP$WkHf=#gF;
zjF+g$I#ON^IjbAYi>$y(VG7$O&l)HjW<4<>6~IH;9S6V(qF?}bRUA~+kdpmY943Sk
zU^;QS7xm_Ah+Y}oz6599=@XRvov}~#1(U%3+{`(&c>36UJHSy3cVe#aMMJpF9_6b{
zRzzM8H2)=hp`;sDv8tercK})!Ld4)UN!K-*W{(G`?jqu}kXWl}naRl-u022H+k%=8
zY;%Fg_+?kI`p)I?7Hc7B4FaEY%b&1QB5#Zy?jm)=h+df-AsvC91|+(h!lbfa1pDew
zNj-Xx93Wa*F$c-n#=IZ~$MQY&Q6!*>Y6Pr!rv-3>xxk;|1aW_nxKFHTg$<v3tkQ>R
zT)1HMp|#TPN3Ziq=g|yns3|EN9x0OL7S({~b0Ef{rg^8*=)4kJPI|Shu|=yn@~vT`
za(+C%XlhI8sI545rKzUN4tLTE>NYeFY<En%wq;D!3#KS!_A9yv-Eiq9THpK8gsU++
z@tVTZa}XSj<PmrUD`%WYHwSLt%}W|@J?d?iV?^)3u`Zz(c%aXr7u+vb30@$8IKOK9
z&4e3yOtNbln4zM#KG#DmUSr{}FV{u<2_znZe}$qY50;pxy+wZgLTpeUf7=RM+P~%m
zl}Bd7E|0HF`|DPIppI1SMvC9flxolDz0T|FMHsi2$XzW>5s~fSwlC;{ZU~(bnejBX
ztgC^iA>6ldy%}NS@C~96%N{)+Xl^w|q~91MG<}h{>;y;PKTSlON_60h_70uu5&@+}
zwgHA-Y7(y!f?z<^iMRb`!cBaT>vlr|MdR{zTi(O&xWx?DXO4IqzZqQ3lhSSiq3+C}
ze~SEiN|5wqfmlM&E=ns3EJ~!0qHmTUlD`Gv25QqKh#T_aoxp}Qq7{4wCwy8`VMM2b
zSkhA#Pe+p&)iDGedV37&VN)SZhv~fLvT-3^c>;|*SGXf7q!W6byU#37!{kUZIO_r!
z!ffDKKn_RRh=`_HU|}v%m27By)f)emIQLaIK#YP75jMz|SX?_+30+z~6mb;ot3qri
z<#25cUdpAD$dXpTl5Q$8oW@?I38~3v_72|CL9=}2P%_@6H`|=J4_Go4FfR6d`Myir
zvha>vOwBw;stwKgG)fKMSFe}R-%&>mT)&L4LzkH1Aa%02N3fxeradi}o`5r$M1*8V
zhl>!gp=RYkZ?Amy9P-sidL6o|`m&dh{a>cHJ4xP5zDkYlYFrE7ObTI-<X36I|I0=C
zM_i4ZK}AmZUf8r@wc)iCYA+HJFPPB=ami;a$j=!NpYf_G?C|xIeGNa+Cp2fUhN@AF
zk%nflBBl-Yrf5zWoAFgUndR=!p_cN9;BVJES?0XAa3Qokm{?SI8&{$r4Me6*35ztv
zosF!ilWeJGW8y%>Yr47YSYH^9&t3xXY#W{g6T$NMU!O-?brnKV4#F*|mKpRi34M`X
z_m`kHS_)FhJ9Y<g={Oj?YHO!1WiAk-hnq*&=r(BRULxek8If<_{<vVJPE9+30ZAIe
zfbwN>C>%~2Zt8X~H0-^)7e->M&J+Bp5=3Z;^$tT-I&9At=>{WaBG#dfCd6}~y$-g=
zke=4h7AtJ<*;F-B*HML=n<ki6QHEQnX!Mq=B$WP+AHEnY<u3PHkjz-e8cFYn$rwh6
zhRZHrCKB5=`8s&rs<_<zqy4o_6xDve#$hV~zUfKN!d6!4r9Nj(XDp`N>ux-3u_IrP
zP4Ky^lUoTnzUY%vP*%<j8rR4rW%hn8RaNK5)4;U;w!9Pg;yNk&2RPO{i#6bJRCMO;
z6QeFEx*MI?b6s`5JOosUtT%#Rj|Ic@sYAq1aiTXN%N|L~JXiN2|H}n;*63Wg(hjpR
zpfc6J)=W4y#6%uRnleX1gt;h)6m2|@Fh%h%#^E3Fiso~cy;TAgGt)YyFdC`^cozK&
z49Z;Civ(sb$YV0`_+d5B1tgpc5hv3X<<7*csbFh~s{%$c;tX>>N<<IUP?XMA6|%Rd
z4k&cmBaLt;;PAd)UtpiyLMS4!@3b+d-Lo#Yyk~N=VNRBY@U1c43nQ|?Po_QJItze(
zKiT^*2gk>IQh#&eb$2W_^Et#)SJZ2>erTcC^~gQRe(%yFW(QA?)%GIsKtB!Taf^&=
zPOVEu&~<k%d>6JoR8X1@8hAa<L2M#_`A@+;?WyjZ*!1K@=X8;LoVP^)wa>L3pYUKO
z2z9D$A#^pjJ*WlN9rP3%^;c+7IqZpfFtM~U6dxYks<!-~XD^$Vw&XnDS-Dd(GQ()V
zFpoz=^%H$rWSDUCXwer>l~nF=#W1pG+VGIPJA(*hnaZ-Sc<;~MA7Oi#R2ATxx3^FK
z-Dq!Azbgvjpr+sgdumpv8RCFNwY=RGZpOSq+wTIq<X<MIfidizVE8(YP}y3~S&>%<
zxmr5Lv+bh1crRI@Ht9Y{gU)U0qdS4pN4<5EJA>I3WfvG+V-H=AMDgu@@hOlBwa&!q
zJy50+BX?U4<r+Nz8XQ*GEM{vff_+F=$T{F=+nO?LG|dl~-++S81C_msEd2U9ING79
ze3C4f*18Yv&_QEMPK8)uam~&Fo;Vk)dv+V%p%!wTw;#Q|9K3Bt*$XCr=_QzoD#yt#
z<ske+7%>r3Umq+ZqhHt%;6Dc2Ch9yzW1_KC8B7cy5(Z1*m`nJDY<r!#tkWFrTpV;7
zZ22c%-j4OJM^)=*VctceTD=tf#zW-O3nspL-mt*I<MRdG6`sKS^X+wvHojj)VbBr}
zfGlk3>3zB|C`7O);=o8f!R9B~PpLPeEZ1GPH)6`9GU&3}`4OID)UP=&VZEvj<}<;q
zOmSTTId58-W*@hbrz5u0MOZ%dfZtzsn1+O}`@O%;oN1KkbEvCTTrp4Sa4W}*#8zSR
zNHw6~Vss9UyaQpd2kD~_PYJUZeDII~I6*hny)aw0|8Sgp@m?*HYU*8qSJ~{b49){b
zCn^*`__oi_AXan_^GmE-?Dvh#)i2i=QV6ML+X@LzgQkP#QgoXi8r#6kOocS=aXxHw
zaO=y?Lw#79UlDvOXmlAVqaxZ!h8~fruBySo==IR?4JLUnK7Xr*$Na2UB|-<!qHJTO
z>~`bu%Qq!ntFV*nlaKo#>12kCK2aHjlbaBXLRQ3gtCeVWcwYPfM2V|bkX@fX$iJiG
zA8_Fr`!LZnbNq>pf0vE_cO4bWzv-y{0UdL&{zXT{OwaKrI_3ayu>4g=C8s1Hr7G~B
z(D6@f{8u3r&9frsr<Cd$s{bja0)nXDrBr`F>A#`m-=$PPV5<CY8Xm@9DzpEFlAlrP
z{}Chqfo-3$?oTxQ3*r9j{tFcY<AK2KU-rL-fJpccl>Cf|pRw@I@_wS=zv5tE%pU@+
zpYp9=sQk|o|Ax2!jQPj<{~^WyZzVA^Gye<E{~~;zk4yb)^a2OTf0K><??LxhP!C}I
zsk{578~ZU-{u$IiQy_nW`v0yQ13vUW$p}*ipj43DUf0sb!jJ-}UUYOY0je0u<xEU1
zOl<(-jt=@JruNoWz$hW$7r#6!9Lb+gs@Ve#!1H7Vj{3mwh#?1x)Bv&y097CtMax3V
z40!9PYv<q!0G=}YabV5afdcwxc2jFB;pYQi<iebc^z`iXZ1fEDER4*|Z0hv%WWZlw
zsnXU4|2@fX^n|mWp%HLIFtS3^|M>%8Wnp1r0T=;(+8Ee4o>`#hAAr>#HhLxwb|A6w
zR~rjG8<5!etBs!idBXnH#>Bz;HyblOJ8&lbH6086GdJ~D8yg49zuOqt*qHyleGE*j
z9DlEa5xAuNTX`(>&tk&A*1^K?JgfiB#z_A+8yhp*-|Apv26AfumY0o<1-O>{wLEqP
z=6^4bf$2ZmfD7hd^D;0oKacCbl*hot&i1!-z@hQCI@tdHOc~gi=zsehKq)LxvugL_
z`-~J!T@8U_13)KlZ4Es4^apJvVP#|uJOuTF!jcdM9)sd$HsoLi{)b@E)iq*ZVr1rE
xH)3U>H)PW@Fl5y?&}TH_h5p}3fafTI`dE7h;JE)WC>hv+MM0C0h{%dU|35{Ppxgie

literal 0
HcmV?d00001


From f2568f8489303b7cdeb63e2f7234ab295acb9c64 Mon Sep 17 00:00:00 2001
From: Tom Densham <tomdensham@googlemail.com>
Date: Fri, 14 Feb 2014 13:29:54 +0000
Subject: [PATCH 04/39] FIX Requirement documentation of MySQL driver

Currently the documentation states that the `mysql` module for PHP is required, however as of #84 (over 2 years ago) this is no longer the case and the required module is now `mysqli`.
---
 docs/en/installation/server-requirements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/installation/server-requirements.md b/docs/en/installation/server-requirements.md
index d735e5b98..f8c45ba96 100644
--- a/docs/en/installation/server-requirements.md
+++ b/docs/en/installation/server-requirements.md
@@ -11,7 +11,7 @@ Our web-based [PHP installer](/installation) can check if you meet the requireme
  * PHP 5.3.2+
  * We recommend using a PHP accelerator or opcode cache, such as [xcache](http://xcache.lighttpd.net/) or [WinCache](http://www.iis.net/download/wincacheforphp).
  * Allocate at least 48MB of memory to each PHP process. (SilverStripe can be resource hungry for some intensive operations.)
- * Required modules: dom, gd2, fileinfo, hash, iconv, mbstring, mysql (or other database driver), session, simplexml, tokenizer, xml.
+ * Required modules: dom, gd2, fileinfo, hash, iconv, mbstring, mysqli (or other database driver), session, simplexml, tokenizer, xml.
  * Recommended configuration
 
 		safe_mode = Off

From a6f794c3b999a63cd6f74525177024349697577a Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Wed, 19 Feb 2014 15:20:24 +1300
Subject: [PATCH 05/39] Added 3.0.9-rc1 changelog

---
 docs/en/changelogs/rc/3.0.9-rc1.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 docs/en/changelogs/rc/3.0.9-rc1.md

diff --git a/docs/en/changelogs/rc/3.0.9-rc1.md b/docs/en/changelogs/rc/3.0.9-rc1.md
new file mode 100644
index 000000000..24dc8fe83
--- /dev/null
+++ b/docs/en/changelogs/rc/3.0.9-rc1.md
@@ -0,0 +1,15 @@
+# 3.0.9-rc1 (2014-02-19)
+
+## Overview
+
+ * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
+ * Security: SiteTree.ExtraMeta allows JavaScript for malicious CMS authors ([SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/))
+
+## Upgrading
+
+### SiteTree.ExtraMeta allows JavaScript for malicious CMS authors
+
+If you have previously used the `SiteTree.ExtraMeta` field for `<head>` markup
+other than its intended use case (`<meta>` and `<link>`), please consult
+[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).
\ No newline at end of file

From ec02df216007cdb9a76f7bb1c9d2439f586d77c3 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Wed, 19 Feb 2014 15:22:12 +1300
Subject: [PATCH 06/39] Removed SS-2014-002 from changelog, not backported to
 3.0

---
 docs/en/changelogs/rc/3.0.9-rc1.md | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/docs/en/changelogs/rc/3.0.9-rc1.md b/docs/en/changelogs/rc/3.0.9-rc1.md
index 24dc8fe83..6ca75cbcb 100644
--- a/docs/en/changelogs/rc/3.0.9-rc1.md
+++ b/docs/en/changelogs/rc/3.0.9-rc1.md
@@ -3,13 +3,4 @@
 ## Overview
 
  * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
- * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
- * Security: SiteTree.ExtraMeta allows JavaScript for malicious CMS authors ([SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/))
-
-## Upgrading
-
-### SiteTree.ExtraMeta allows JavaScript for malicious CMS authors
-
-If you have previously used the `SiteTree.ExtraMeta` field for `<head>` markup
-other than its intended use case (`<meta>` and `<link>`), please consult
-[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).
\ No newline at end of file
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
\ No newline at end of file

From 4af711613fc9cce2f53f743bd722087d78f50ffe Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Wed, 19 Feb 2014 15:23:42 +1300
Subject: [PATCH 07/39] 3.1.3-rc1 changelog

---
 docs/en/changelogs/3.1.3.md        | 16 ----------------
 docs/en/changelogs/rc/3.1.3-rc1.md | 22 ++++++++++++++++------
 2 files changed, 16 insertions(+), 22 deletions(-)
 delete mode 100644 docs/en/changelogs/3.1.3.md

diff --git a/docs/en/changelogs/3.1.3.md b/docs/en/changelogs/3.1.3.md
deleted file mode 100644
index 7cb25627a..000000000
--- a/docs/en/changelogs/3.1.3.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# 3.1.3
-
-## Overview
-
- * Better loading performance when using multiple `UploadField` instances
- * Option for `force_js_to_bottom` on `Requirements` class (ignoring inline `<script>` tags)
- * Added `ListDecorator->filterByCallback()` for more sophisticated filtering
- * New `DataList` filters: `LessThanOrEqualFilter` and `GreaterThanOrEqualFilter`
- * "Cancel" button on "Add Page" form
- * Better code hinting on magic properties (for IDE autocompletion)
- * Increased Behat test coverage (editing HTML content, managing page permissions)
- * Support for PHPUnit 3.8
-
-## Upgrading
-
-## Changelog
\ No newline at end of file
diff --git a/docs/en/changelogs/rc/3.1.3-rc1.md b/docs/en/changelogs/rc/3.1.3-rc1.md
index 7dd18cbf2..3e0c2233f 100644
--- a/docs/en/changelogs/rc/3.1.3-rc1.md
+++ b/docs/en/changelogs/rc/3.1.3-rc1.md
@@ -1,13 +1,23 @@
-# 3.1.3-rc1
+# 3.1.3
 
 ## Overview
 
- * ExtraMeta fields can now only contain `meta` and `link` elements
+ * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
+ * Security: SiteTree.ExtraMeta allows JavaScript for malicious CMS authors ([SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/))
+ * Better loading performance when using multiple `UploadField` instances
+ * Option for `force_js_to_bottom` on `Requirements` class (ignoring inline `<script>` tags)
+ * Added `ListDecorator->filterByCallback()` for more sophisticated filtering
+ * New `DataList` filters: `LessThanOrEqualFilter` and `GreaterThanOrEqualFilter`
+ * "Cancel" button on "Add Page" form
+ * Better code hinting on magic properties (for IDE autocompletion)
+ * Increased Behat test coverage (editing HTML content, managing page permissions)
+ * Support for PHPUnit 3.8
 
 ## Upgrading
 
-### ExtraMeta fields can now only contain `meta` and `link` elements
+### SiteTree.ExtraMeta allows JavaScript for malicious CMS authors
 
-Previously ExtraMeta fields could contain any HTML elements. From 3.1.3-rc1 the contents are filtered
-on write to only allow `meta` and `link` elements. The first time after upgrading that you save a page
-that has other elements in ExtraMeta they will be deleted.
+If you have previously used the `SiteTree.ExtraMeta` field for `<head>` markup
+other than its intended use case (`<meta>` and `<link>`), please consult
+[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).
\ No newline at end of file

From 2bc62f2e71c03cf8e67a2ed7eb6f7dab7085d010 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Wed, 19 Feb 2014 15:39:54 +1300
Subject: [PATCH 08/39] Added changelog links

---
 docs/en/changelogs/rc/3.0.9-rc1.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/en/changelogs/rc/3.0.9-rc1.md b/docs/en/changelogs/rc/3.0.9-rc1.md
index 6ca75cbcb..6babc2b0d 100644
--- a/docs/en/changelogs/rc/3.0.9-rc1.md
+++ b/docs/en/changelogs/rc/3.0.9-rc1.md
@@ -3,4 +3,10 @@
 ## Overview
 
  * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
- * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
\ No newline at end of file
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
+
+ ## Changelog
+
+ * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1)
+ * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1)
+ * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1)
\ No newline at end of file

From 6ba7b2e3d8185b7c11ae01294e69dbed4501f95c Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Wed, 19 Feb 2014 15:40:16 +1300
Subject: [PATCH 09/39] Added changelog links

---
 docs/en/changelogs/rc/3.1.3-rc1.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/en/changelogs/rc/3.1.3-rc1.md b/docs/en/changelogs/rc/3.1.3-rc1.md
index 3e0c2233f..7531b92a3 100644
--- a/docs/en/changelogs/rc/3.1.3-rc1.md
+++ b/docs/en/changelogs/rc/3.1.3-rc1.md
@@ -1,4 +1,4 @@
-# 3.1.3
+# 3.1.3-rc1
 
 ## Overview
 
@@ -20,4 +20,10 @@
 
 If you have previously used the `SiteTree.ExtraMeta` field for `<head>` markup
 other than its intended use case (`<meta>` and `<link>`), please consult
-[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).
\ No newline at end of file
+[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).
+
+## Changelog
+
+ * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.3-rc1)
+ * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.3-rc1)
+ * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.3-rc1)
\ No newline at end of file

From caecc05b0bc5fde4a4e7f80f0f86aa7cbf45ebc8 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Wed, 19 Feb 2014 16:39:10 +1300
Subject: [PATCH 10/39] Upload path regression caused by 3d24079

---
 filesystem/Upload.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/filesystem/Upload.php b/filesystem/Upload.php
index 397542de3..90cb343dd 100644
--- a/filesystem/Upload.php
+++ b/filesystem/Upload.php
@@ -134,7 +134,7 @@ class Upload extends Controller {
 		$file = $nameFilter->filter($tmpFile['name']);
 		$fileName = basename($file);
 
-		$relativeFilePath = $parentFolder->getRelativePath() . "/$fileName";
+		$relativeFilePath = $parentFolder ? $parentFolder->getRelativePath() . "$fileName" : $fileName;		
 		
 		// Create a new file record (or try to retrieve an existing one)
 		if(!$this->file) {

From ced49d9090990d4f70bed4265def90c765e287ae Mon Sep 17 00:00:00 2001
From: Sander van Dragt <sander@vandragt.com>
Date: Wed, 19 Feb 2014 11:25:44 +0000
Subject: [PATCH 11/39] Better visibility of key phrasing

---
 docs/en/installation/composer.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/docs/en/installation/composer.md b/docs/en/installation/composer.md
index 3951205db..edfb69996 100644
--- a/docs/en/installation/composer.md
+++ b/docs/en/installation/composer.md
@@ -41,7 +41,7 @@ Composer updates regularly, so you should run this command fairly often. These i
 
 ## Create a new site
 
-Composer can create a new site for you, using the installer as a template:
+Composer can create a new site for you, using the installer as a template (by default composer will download the latest stable version):
 
 	composer create-project silverstripe/installer ./my/website/folder
 
@@ -50,8 +50,7 @@ For example, on OS X, you might use a subdirectory of `~/Sites`.
 As long as your web server is up and running, this will get all the code that you need. 
 Now visit the site in your web browser, and the installation process will be completed.
 
-By default composer will download the latest stable version. You can also specify
-a version to download that version explicitly, i.e. this will download the older `3.0.3` release:
+You can also specify a version to download that version explicitly, i.e. this will download the older `3.0.3` release:
 
 	composer create-project silverstripe/installer ./my/website/folder 3.0.3
 	

From a681bd7bd23ae5e31375abc71d4c6d405e0da4db Mon Sep 17 00:00:00 2001
From: Loz Calver <lozcalver@bigfork.co.uk>
Date: Wed, 19 Feb 2014 16:57:27 +0000
Subject: [PATCH 12/39] FIX: IE8 support in jquery.ondemand.js (fixes #2872)

---
 javascript/jquery-ondemand/jquery.ondemand.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/jquery-ondemand/jquery.ondemand.js b/javascript/jquery-ondemand/jquery.ondemand.js
index e5ff5fcf8..ec647e66b 100644
--- a/javascript/jquery-ondemand/jquery.ondemand.js
+++ b/javascript/jquery-ondemand/jquery.ondemand.js
@@ -16,7 +16,7 @@
 (function($){
 
 	var decodePath = function(str) {
-		return str.replace(/%2C/g,',').replace(/\&amp;/g, '&').trim();
+		return str.replace(/%2C/g,',').replace(/\&amp;/g, '&').replace(/^\s+|\s+$/g, '');
 	};
 
 	$.extend({

From 46695d3b4b871ddfc88ab7d7ffc83bf6d67edc0d Mon Sep 17 00:00:00 2001
From: Fred Condo <fcondo@quinn.com>
Date: Tue, 18 Feb 2014 15:10:02 -0800
Subject: [PATCH 13/39] Combine form validation topic with forms topic

- Proofread entire file (forms & form validation topics)
- Re-wrap paragraphs to 80 columns
- Correct/update links from other doc files
---
 docs/en/topics/datamodel.md       |   2 +-
 docs/en/topics/form-validation.md | 159 ----------------
 docs/en/topics/forms.md           | 290 ++++++++++++++++++++++++------
 docs/en/topics/index.md           |   3 +-
 4 files changed, 235 insertions(+), 219 deletions(-)
 delete mode 100644 docs/en/topics/form-validation.md

diff --git a/docs/en/topics/datamodel.md b/docs/en/topics/datamodel.md
index 7306ac2d3..6643b5656 100755
--- a/docs/en/topics/datamodel.md
+++ b/docs/en/topics/datamodel.md
@@ -720,7 +720,7 @@ an object, not for displaying the objects contained in the relation.
 ## Validation and Constraints
 
 Traditionally, validation in SilverStripe has been mostly handled on the
-controller through [form validation](/topics/form-validation).
+controller through [form validation](/topics/forms#form-validation).
 
 While this is a useful approach, it can lead to data inconsistencies if the
 record is modified outside of the controller and form context.
diff --git a/docs/en/topics/form-validation.md b/docs/en/topics/form-validation.md
deleted file mode 100644
index 94f7264bc..000000000
--- a/docs/en/topics/form-validation.md
+++ /dev/null
@@ -1,159 +0,0 @@
-# Form Validation
-
-SilverStripe provides PHP form validation out of the box,
-but doesn't come with any built-in JavaScript validation
-(the previously used `Validator.js` approach has been deprecated).
-
-## Required Fields
-
-Validators are implemented as an argument to the `[api:Form]` constructor,
-and are subclasses of the abstract `[api:Validator]` base class.
-The only implementation which comes with SilverStripe is
-the `[api:RequiredFields]` class, which ensures fields are filled out
-when the form is submitted.
-
-	:::php
-	public function Form() {
-		$form = new Form($this, 'Form',
-			new FieldList(
-				new TextField('MyRequiredField'),
-				new TextField('MyOptionalField')
-			),
-			new FieldList(
-				new FormAction('submit', 'Submit form')
-			),
-			new RequiredFields(array('MyRequiredField'))
-		);
-		// Optional: Add a CSS class for custom styling
-		$form->dataFieldByName('MyRequiredField')->addExtraClass('required');
-		return $form;
-	}
-
-## Form Field Validation
-
-Form fields are responsible for validating the data they process,
-through the `[api:FormField->validate()] method. There are many fields
-for different purposes (see ["form field types"](/reference/form-field-types) for a full list).
-
-## Adding your own validation messages
-
-In many cases, you want to add PHP validation which is more complex than
-validating the format or existence of a single form field input.
-For example, you might want to have dependent validation on
-a postcode which depends on the country you've selected in a different field.
-
-There's two ways to go about this: Either you can attach a custom error message
-to a specific field, or a generic message for the whole form.
-
-Example: Validate postcodes based on the selected country (on the controller).
-
-	:::php
-	class MyController extends Controller {
-		private static $allowed_actions = array('Form');
-		public function Form() {
-			return Form::create($this, 'Form',
-				new FieldList(
-					new NumericField('Postcode'),
-					new CountryDropdownField('Country')
-				),
-				new FieldList(
-					new FormAction('submit', 'Submit form')
-				),
-				new RequiredFields(array('Country'))
-			);
-		}
-		public function submit($data, $form) {
-			// At this point, RequiredFields->validate() will have been called already,
-			// so we can assume that the values exist.
-			
-			// German postcodes need to be five digits
-			if($data['Country'] == 'de' && isset($data['Postcode']) && strlen($data['Postcode']) != 5) {
-				$form->addErrorMessage('Postcode', 'Need five digits for German postcodes', 'bad');
-				return $this->redirectBack();
-			}
-			
-			// Global validation error (not specific to form field)
-			if($data['Country'] == 'IR' && isset($data['Postcode']) && $data['Postcode']) {
-				$form->sessionMessage("Ireland doesn't have postcodes!", 'bad');
-				return $this->redirectBack();
-			}
-			
-			// continue normal processing...
-		}
-	}
-
-## JavaScript Validation
-
-While there are no built-in JavaScript validation handlers in SilverStripe,
-the `FormField` API is flexible enough to provide the information required
-in order to plug in custom libraries.
-
-### HTML5 attributes
-
-HTML5 specifies some built-in form validations ([source](http://www.w3.org/wiki/HTML5_form_additions)),
-which are evaluated by modern browsers without any need for JavaScript.
-SilverStripe supports this by allowing to set custom attributes on fields.
-
-	:::php
-	// Markup contains <input type="text" required />
-	TextField::create('MyText')->setAttribute('required', true);
-	
-	// Markup contains <input type="url" pattern="https?://.+" />
-	TextField::create('MyText')
-		->setAttribute('type', 'url')
-		->setAttribute('pattern', 'https?://.+')
-
-### HTML5 metadata
-
-In addition, HTML5 elements can contain custom data attributes with the `data-` prefix.
-These are general purpose attributes, but can be used to hook in your own validation.
-
-	:::php
-	// Validate a specific date format (in PHP)
-	// Markup contains <input type="text" data-dateformat="dd.MM.yyyy" />
-	DateField::create('MyDate')->setConfig('dateformat', 'dd.MM.yyyy');
-	
-	// Limit extensions on upload (in PHP)
-	// Markup contains <input type="file" data-allowed-extensions="jpg,jpeg,gif" />
-	$exts = array('jpg', 'jpeg', 'gif');
-	$validator = new Upload_Validator();
-	$validator->setAllowedExtensions($exts);
-	$upload = Upload::create()->setValidator($validator);
-	$fileField = FileField::create('MyFile')->setUpload(new);
-	$fileField->setAttribute('data-allowed-extensions', implode(',', $exts));
-
-Note that these examples don't have any effect on the client as such,
-but are just a starting point for custom validation with JavaScript.
-
-## Model Validation
-
-An alternative (or additional) approach to validation is to place it directly
-on the model. SilverStripe provides a `[api:DataObject->validate()]` method for this purpose.
-Refer to the ["datamodel" topic](/topics/datamodel#validation-and-constraints) for more information.
-
-## Validation in the CMS
-
-Since you're not creating the forms for editing CMS records,
-SilverStripe provides you with a `getCMSValidator()` method on your models
-to return a `[api:Validator]` instance.
-
-	:::php
-	class Page extends SiteTree {
-		private static $db = array('MyRequiredField' => 'Text');
-		
-		public function getCMSValidator() {
-			return new RequiredFields(array('MyRequiredField'));
-		}
-	}
-
-## Subclassing Validator
-
-To create your own validator, you need to subclass validator and define two methods:
-
- *  **javascript()** Should output a snippet of JavaScript that will get called to perform javascript validation.
- *  **php($data)** Should return true if the given data is valid, and call $this->validationError() if there were any
-errors.
-
-## Related
-
- * Model Validation with [api:DataObject->validate()]
diff --git a/docs/en/topics/forms.md b/docs/en/topics/forms.md
index 3de8c2fe2..41eeff251 100644
--- a/docs/en/topics/forms.md
+++ b/docs/en/topics/forms.md
@@ -1,6 +1,6 @@
 # Forms
 
-HTML forms are in practice the most used way to communicate with a browser.
+HTML forms are in practice the most used way to interact with a user.
 SilverStripe provides classes to generate and handle the actions and data from a
 form.
 
@@ -9,14 +9,14 @@ form.
 A fully implemented form in SilverStripe includes a couple of classes that
 individually have separate concerns.
 
- * Controller - Takes care of assembling the form and receiving data from it.
- * Form - Holds sets of fields, actions and validators.
- * FormField  - Fields that receive data or displays them, e.g input fields.
- * FormActions - Often submit buttons that executes actions.
- * Validators - Validate the whole form, see [Form validation](form-validation.md) topic for more information.
+* Controller—Takes care of assembling the form and receiving data from it.
+* Form—Holds sets of fields, actions and validators.
+* FormField —Fields that receive data or displays them, e.g input fields.
+* FormActions—Often submit buttons that executes actions.
+* Validators—Validate the whole form.
 
-Depending on your needs you can customize and override any of the above classes,
-however the defaults are often sufficient.
+Depending on your needs you can customize and override any of the above classes;
+the defaults, however, are often sufficient.
 
 ## The Controller
 
@@ -53,12 +53,13 @@ in a controller.
 The name of the form ("HelloForm") is passed into the `Form` constructor as a
 second argument. It needs to match the method name.
 
-Since forms need a URL, the `HelloForm()` method needs to be handled like any
-other controller action. In order to whitelist its access through URLs, we add
-it to the `$allowed_actions` array.
+Because forms need a URL, the `HelloForm()` method needs to be handled like any
+other controller action. To grant it access through URLs, we add it to the
+`$allowed_actions` array.
 
-Form actions ("doSayHello") on the other hand should NOT be included here, these
-are handled separately through `Form->httpSubmission()`.
+Form actions ("doSayHello"), on the other hand, should _not_ be included in
+`$allowed_actions`; these are handled separately through
+`Form->httpSubmission()`.
 
 You can control access on form actions either by conditionally removing a
 `FormAction` from the form construction, or by defining `$allowed_actions` in
@@ -68,19 +69,21 @@ your own `Form` class (more information in the
 **Page.ss**
 
 	:::ss
-	<!-- place where you would like the form to show up -->
+	<%-- place where you would like the form to show up --%>
 	<div>$HelloForm</div>
 
 <div class="warning" markdown='1'>
-Be sure to add the Form name 'HelloForm' to the Controller::$allowed_actions()
-to be sure that form submissions get through to the correct action.
+Be sure to add the Form name 'HelloForm' to your controller's $allowed_actions
+array to enable form submissions.
 </div>
 
 <div class="notice" markdown='1'>
-You'll notice that we've used a new notation for creating form fields, using `create()` instead of the `new` operator. 
-These are functionally equivalent, but allows PHP to chain operations like `setTitle()` without assigning the field 
-instance to a temporary variable. For in-depth information on the create syntax, see the [Injector](/reference/injector) 
-documentation or the API documentation for `[api:Object]`::create().
+You'll notice that we've used a new notation for creating form fields, using
+`create()` instead of the `new` operator. These are functionally equivalent, but
+allows PHP to chain operations like `setTitle()` without assigning the field
+instance to a temporary variable. For in-depth information on the create syntax,
+see the [Injector](/reference/injector) documentation or the API documentation
+for `[api:Object]`::create().
 </div>
 
 ## The Form
@@ -95,13 +98,18 @@ Creating a form is a matter of defining a method to represent that form. This
 method should return a form object. The constructor takes the following
 arguments:
 
-*  `$controller`: This must be an instance of the controller that contains the form, often `$this`.
-*  `$name`: This must be the name of the method on that controller that is called to return the form.  The first two
-fields allow the form object to be re-created after submission.  **It's vital that they are properly set - if you ever
-have problems with form action handler not working, check that these values are correct.**
-*  `$fields`: A `[api:FieldList]` containing `[api:FormField]` instances make up fields in the form.
-*  `$actions`: A `[api:FieldList]` containing the `[api:FormAction]` objects - the buttons at the bottom.
-*  `$validator`: An optional `[api:Validator]` for validation of the form.
+* `$controller`: This must be an instance of the controller that contains the
+	form, often `$this`.
+* `$name`: This must be the name of the method on that controller that is
+	called to return the form. The first two arguments allow the form object
+	to be re-created after submission. **It's vital that they be properly
+	set—if you ever have problems with a form action handler not working,
+	check that these values are correct.**
+* `$fields`: A `[api:FieldList]` containing `[api:FormField]` instances make
+	up fields in the form.
+* `$actions`: A `[api:FieldList]` containing the `[api:FormAction]` objects -
+	the buttons at the bottom.
+* `$validator`: An optional `[api:Validator]` for validation of the form.
 
 Example: 
 
@@ -119,13 +127,14 @@ Example:
 
 ## Subclassing a form
 
-It's the responsibility of your subclass' constructor to call 
+It's the responsibility of your subclass's constructor to call 
 
 	:::php
 	parent::__construct()
 
-with the right parameters.  You may choose to take $fields and $actions as arguments if you wish, but $controller and
-$name must be passed - their values depend on where the form is instantiated.
+with the right parameters. You may choose to take $fields and $actions as
+arguments if you wish, but $controller and $name must be passed—their values
+depend on where the form is instantiated.
 
 	:::php
 	class MyForm extends Form {
@@ -141,8 +150,9 @@ $name must be passed - their values depend on where the form is instantiated.
 	}
 
 
-The real difference, however, is that you can then define your controller methods within the form class itself. This 
-means that the form takes responsibilities from the controller and manage how to parse and use the form 
+The real difference, however, is that you can then define your controller
+methods within the form class itself. This means that the form takes
+responsibilities from the controller and manage how to parse and use the form
 data.
 
 **Page.php**
@@ -211,10 +221,10 @@ form.
 		)
 	);
 
-##  Readonly
+## Readonly
 
 You can turn a form or individual fields into a readonly version. This is handy
-in the case of confirmation pages or when certain fields can be edited due to
+in the case of confirmation pages or when certain fields cannot be edited due to
 permissions.
 
 Readonly on a Form
@@ -241,10 +251,13 @@ Readonly on a FormField
 
 You can use a custom form template to render with, instead of *Form.ss*
 
-It's recommended you only do this if you've got a lot of presentation text, graphics that surround the form fields. This
-is better than defining those as *LiteralField* objects, as it doesn't clutter the data layer with presentation junk.
+It's recommended you do this only if you have a lot of presentation text or
+graphics that surround the form fields. This is better than defining those as
+*LiteralField* objects, as it doesn't clutter the data layer with presentation
+junk.
 
-First of all, you need to create your form on it's own class, that way you can define a custom template using a `forTemplate()` method on your Form class.
+First you need to create your own form class extending Form; that way you can
+define a custom template using a `forTemplate()` method on your Form class.
 
 	:::php
 	class MyForm extends Form {
@@ -305,14 +318,16 @@ your project. Here is an example of basic customization:
 		<% end_if %>
 	</form>
 
-`$Fields.dataFieldByName(FirstName)` will return the form control contents of `Field()` for the particular field object,
-in this case `EmailField->Field()` or `PasswordField->Field()` which returns an `<input>` element with specific markup 
-for the type of field. Pass in the name of the field as the first parameter, as done above, to render it into the 
-template.
+`$Fields.dataFieldByName(FirstName)` will return the form control contents of
+`Field()` for the particular field object, in this case `EmailField->Field()` or
+`PasswordField->Field()` which returns an `<input>` element with specific markup
+for the type of field. Pass in the name of the field as the first parameter, as
+done above, to render it into the template.
 
-To find more methods, have a look at the `[api:Form]` class and `[api:FieldList]` class as there is a lot of different 
-methods of customising the form templates. An example is that you could use `<% loop $Fields %>` instead of specifying 
-each field manually, as we've done above.
+To find more methods, have a look at the `[api:Form]` class and
+`[api:FieldList]` class as there is a lot of different methods of customising
+the form templates. An example is that you could use `<% loop $Fields %>`
+instead of specifying each field manually, as we've done above.
 
 ### Custom form field templates
 
@@ -333,19 +348,20 @@ Each form field is rendered into a form via the
 `<div>` as well as a `<label>` element (if applicable).
 
 You can also render each field without these structural elements through the
-`[FormField->Field()](api:FormField)` method. In order to influence the form
-rendering, overloading these two methods is a good start.
+`[FormField->Field()](api:FormField)` method. To influence form rendering,
+overriding these two methods is a good start.
 
-In addition, most form fields are rendered through SilverStripe templates, e.g.
-`TextareaField` is rendered via `framework/templates/forms/TextareaField.ss`.
+In addition, most form fields are rendered through SilverStripe templates; for
+example, `TextareaField` is rendered via
+`framework/templates/forms/TextareaField.ss`.
 
-These templates can be overwritten globally by placing a template with the same
-name in your `mysite` directory, or set on a form field instance via anyone of
+These templates can be overridden globally by placing a template with the same
+name in your `mysite` directory, or set on a form field instance via any of
 these methods:
 
- - FormField->setTemplate()
- - FormField->setFieldHolderTemplate()
- - FormField->getSmallFieldHolderTemplate()
+- FormField->setTemplate()
+- FormField->setFieldHolderTemplate()
+- FormField->getSmallFieldHolderTemplate()
  
 <div class="hint" markdown='1'>
 Caution: Not all FormFields consistently uses templates set by the above methods.
@@ -358,7 +374,7 @@ by adding a hidden *SecurityID* parameter to each form. See
 [secure-development](/topics/security) for details.
 
 In addition, you should limit forms to the intended HTTP verb (mostly `GET` or `POST`)
-to further reduce attack surface, by using `[api:Form->setStrictFormMethodCheck()]`.
+to further reduce attack exposure, by using `[api:Form->setStrictFormMethodCheck()]`.
 
 	:::php
 	$myForm->setFormMethod('POST');
@@ -391,12 +407,172 @@ Adds a new text field called FavouriteColour next to the Content field in the CM
 	:::php
 	$this->Fields()->addFieldToTab('Root.Content', new TextField('FavouriteColour'), 'Content');
 
+## Form Validation
+
+SilverStripe provides PHP form validation out of the box, but doesn't come with
+any built-in JavaScript validation (the previously used `Validator.js` approach
+has been deprecated).
+
+### Required Fields
+
+Validators are implemented as an argument to the `[api:Form]` constructor, and
+are subclasses of the abstract `[api:Validator]` base class. The only
+implementation that comes with SilverStripe is the `[api:RequiredFields]` class,
+which ensures that fields are filled out when the form is submitted.
+
+	:::php
+	public function Form() {
+		$form = new Form($this, 'Form',
+			new FieldList(
+				new TextField('MyRequiredField'),
+				new TextField('MyOptionalField')
+			),
+			new FieldList(
+				new FormAction('submit', 'Submit form')
+			),
+			new RequiredFields(array('MyRequiredField'))
+		);
+		// Optional: Add a CSS class for custom styling
+		$form->dataFieldByName('MyRequiredField')->addExtraClass('required');
+		return $form;
+	}
+
+### Form Field Validation
+
+Form fields are responsible for validating the data they process, through the
+`[api:FormField->validate()]` method. There are many fields for different
+purposes (see ["form field types"](/reference/form-field-types) for a full list).
+
+### Adding your own validation messages
+
+In many cases, you want to add PHP validation that is more complex than
+validating the format or existence of a single form field input. For example,
+you might want to have dependent validation on a postcode which depends on the
+country you've selected in a different field.
+
+There are two ways to go about this: attach a custom error message to a specific
+field, or a generic message to the whole form.
+
+Example: Validate postcodes based on the selected country (on the controller).
+
+	:::php
+	class MyController extends Controller {
+		private static $allowed_actions = array('Form');
+		public function Form() {
+			return Form::create($this, 'Form',
+				new FieldList(
+					new NumericField('Postcode'),
+					new CountryDropdownField('Country')
+				),
+				new FieldList(
+					new FormAction('submit', 'Submit form')
+				),
+				new RequiredFields(array('Country'))
+			);
+		}
+		public function submit($data, $form) {
+			// At this point, RequiredFields->validate() will have been called already,
+			// so we can assume that the values exist.
+			
+			// German postcodes need to be five digits
+			if($data['Country'] == 'de' && isset($data['Postcode']) && strlen($data['Postcode']) != 5) {
+				$form->addErrorMessage('Postcode', 'Need five digits for German postcodes', 'bad');
+				return $this->redirectBack();
+			}
+			
+			// Global validation error (not specific to form field)
+			if($data['Country'] == 'IR' && isset($data['Postcode']) && $data['Postcode']) {
+				$form->sessionMessage("Ireland doesn't have postcodes!", 'bad');
+				return $this->redirectBack();
+			}
+			
+			// continue normal processing...
+		}
+	}
+
+### JavaScript Validation
+
+Although there are no built-in JavaScript validation handlers in SilverStripe,
+the `FormField` API is flexible enough to provide the information required in
+order to plug in custom libraries.
+
+#### HTML5 attributes
+
+HTML5 specifies some built-in form validations
+([source](http://www.w3.org/wiki/HTML5_form_additions)), which are evaluated by
+modern browsers without any need for JavaScript. SilverStripe supports this by
+allowing to set custom attributes on fields.
+
+	:::php
+	// Markup contains <input type="text" required />
+	TextField::create('MyText')->setAttribute('required', true);
+	
+	// Markup contains <input type="url" pattern="https?://.+" />
+	TextField::create('MyText')
+		->setAttribute('type', 'url')
+		->setAttribute('pattern', 'https?://.+')
+
+#### HTML5 metadata
+
+In addition, HTML5 elements can contain custom data attributes with the `data-`
+prefix. These are general-purpose attributes, but can be used to hook in your
+own validation.
+
+	:::php
+	// Validate a specific date format (in PHP)
+	// Markup contains <input type="text" data-dateformat="dd.MM.yyyy" />
+	DateField::create('MyDate')->setConfig('dateformat', 'dd.MM.yyyy');
+	
+	// Limit extensions on upload (in PHP)
+	// Markup contains <input type="file" data-allowed-extensions="jpg,jpeg,gif" />
+	$exts = array('jpg', 'jpeg', 'gif');
+	$validator = new Upload_Validator();
+	$validator->setAllowedExtensions($exts);
+	$upload = Upload::create()->setValidator($validator);
+	$fileField = FileField::create('MyFile')->setUpload(new);
+	$fileField->setAttribute('data-allowed-extensions', implode(',', $exts));
+
+Note that these examples don't have any effect on the client as such, but are
+just a starting point for custom validation with JavaScript.
+
+### Model Validation
+
+An alternative (or additional) approach to validation is to place it directly on
+the model. SilverStripe provides a `[api:DataObject->validate()]` method for
+this purpose. Refer to the
+["datamodel" topic](/topics/datamodel#validation-and-constraints) for more information.
+
+### Validation in the CMS
+
+Since you're not creating the forms for editing CMS records, SilverStripe
+provides you with a `getCMSValidator()` method on your models to return a
+`[api:Validator]` instance.
+
+	:::php
+	class Page extends SiteTree {
+		private static $db = array('MyRequiredField' => 'Text');
+		
+		public function getCMSValidator() {
+			return new RequiredFields(array('MyRequiredField'));
+		}
+	}
+
+### Subclassing Validator
+
+To create your own validator, you need to subclass validator and define two methods:
+
+* **javascript()** Should output a snippet of JavaScript that will get called
+	to perform javascript validation.
+* **php($data)** Should return true if the given data is valid, and call
+	$this->validationError() if there were any errors.
+
 ## Related
 
-*  [Form Field Types](/reference/form-field-types)
-*  [MultiForm Module](http://silverstripe.org/multi-form-module)
+* [Form Field Types](/reference/form-field-types)
+* [MultiForm Module](http://silverstripe.org/multi-form-module)
+* Model Validation with [api:DataObject->validate()]
 
-##  API Documentation
+## API Documentation
 
 * `[api:Form]`
 * `[api:FormField]`
diff --git a/docs/en/topics/index.md b/docs/en/topics/index.md
index e102bb2b4..b663c1929 100644
--- a/docs/en/topics/index.md
+++ b/docs/en/topics/index.md
@@ -16,8 +16,7 @@ It is where most documentation should live, and is the natural "second step" aft
  * [Environment management](environment-management): Sharing configuration details (e.g. database login, passwords) with multiple websites via a `_ss_environment.php` file
  * [Error Handling](error-handling): Error messages and filesystem logs
  * [Files and Images](files): File and Image management in the database and how to manipulate images
- * [Form Validation](form-validation): Built-in validation on form fields, and how to extend it
- * [Forms](forms): Create your own form, add fields and create your own form template using the existing `Form` class
+ * [Forms & form validation](forms): Create your own form, add fields and create your own form template using the existing `Form` class
  * [Internationalization (i18n)](i18n): Displaying templates and PHP code in different languages using i18n
  * [Javascript](javascript): Best practices for developing with JavaScript in SilverStripe
  * [Module Development](module-development): Creating a module (also known as "extension" or "plugin") to contain reusable functionality

From fff9222dd3c2065ea9fc769c731b0231b7357997 Mon Sep 17 00:00:00 2001
From: sanjay <sanjaymundhra1988@gmail.com>
Date: Thu, 20 Feb 2014 16:40:47 +0530
Subject: [PATCH 14/39] update dataobject.md

fixex typo
---
 docs/en/reference/dataobject.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/reference/dataobject.md b/docs/en/reference/dataobject.md
index 56d5daba8..ec211ac7e 100644
--- a/docs/en/reference/dataobject.md
+++ b/docs/en/reference/dataobject.md
@@ -208,7 +208,7 @@ Non-textual elements (such as images and their manipulations) can also be used i
 	    'HeroImage' => 'Image'
 	  );
 	  private static $summary_fields = array(
-	    'Name' => 'Name,
+	    'Name' => 'Name',
 	    'HeroImage.CMSThumbnail' => 'Hero Image'
 	  );
 	}

From ebeb663ddf9cd254eb076333b492d5a989f13135 Mon Sep 17 00:00:00 2001
From: Damian Mooyman <damian.mooyman@gmail.com>
Date: Thu, 20 Feb 2014 14:03:40 +1300
Subject: [PATCH 15/39] BUG Fixed critical issue with Folder::find_or_make
 failing to handle invalid filename characters BUG Fix UploadField duplicate
 checking with invalid folderName

---
 filesystem/Folder.php           | 23 +++++++++++++----------
 forms/UploadField.php           |  8 ++++++--
 tests/filesystem/FolderTest.php | 17 +++++++++++++++++
 3 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/filesystem/Folder.php b/filesystem/Folder.php
index 5bfcd0422..3af480f51 100644
--- a/filesystem/Folder.php
+++ b/filesystem/Folder.php
@@ -57,20 +57,23 @@ class Folder extends File {
 
 		$parentID = 0;
 		$item = null;
+		$filter = FileNameFilter::create();
 		foreach($parts as $part) {
 			if(!$part) continue; // happens for paths with a trailing slash
-			$item = DataObject::get_one(
-				"Folder", 
-				sprintf(
-					"\"Name\" = '%s' AND \"ParentID\" = %d",
-					Convert::raw2sql($part), 
-					(int)$parentID
-				)
-			);
+			
+			// Ensure search includes folders with illegal characters removed, but
+			// err in favour of matching existing folders if $folderPath
+			// includes illegal characters itself.
+			$partSafe = $filter->filter($part);
+			$item = Folder::get()->filter(array(
+				'ParentID' => $parentID,
+				'Name' => array($partSafe, $part)
+			))->first();
+			
 			if(!$item) {
 				$item = new Folder();
 				$item->ParentID = $parentID;
-				$item->Name = $part;
+				$item->Name = $partSafe;
 				$item->Title = $part;
 				$item->write();
 			}
@@ -460,7 +463,7 @@ class Folder extends File {
 	 * Get the children of this folder that are also folders.
 	 */
 	public function ChildFolders() {
-		return DataObject::get("Folder", "\"ParentID\" = " . (int)$this->ID);
+		return Folder::get()->filter('ParentID', $this->ID);
 	}
 	
 	/**
diff --git a/forms/UploadField.php b/forms/UploadField.php
index a740a362c..a09dc496a 100644
--- a/forms/UploadField.php
+++ b/forms/UploadField.php
@@ -1273,11 +1273,15 @@ class UploadField extends FileField {
 		$nameFilter = FileNameFilter::create();
 		$filteredFile = basename($nameFilter->filter($originalFile));
 		
+		// Resolve expected folder name
+		$folderName = $this->getFolderName();
+		$folder = Folder::find_or_make($folderName);
+		$parentPath = BASE_PATH."/".$folder->getFilename();
+		
 		// check if either file exists
-		$folder = $this->getFolderName();
 		$exists = false;
 		foreach(array($originalFile, $filteredFile) as $file) {
-			if(file_exists(ASSETS_PATH."/$folder/$file")) {
+			if(file_exists($parentPath.$file)) {
 				$exists = true;
 				break;
 			}
diff --git a/tests/filesystem/FolderTest.php b/tests/filesystem/FolderTest.php
index 229f8a048..d37d69b2f 100644
--- a/tests/filesystem/FolderTest.php
+++ b/tests/filesystem/FolderTest.php
@@ -338,4 +338,21 @@ class FolderTest extends SapphireTest {
 		))->count());
 	}
 	
+	public function testIllegalFilenames() {
+		
+		// Test that generating a filename with invalid characters generates a correctly named folder.
+		$folder = Folder::find_or_make('/FolderTest/EN_US Lang');
+		$this->assertEquals(ASSETS_DIR.'/FolderTest/EN-US-Lang/', $folder->getRelativePath());
+		
+		// Test repeatitions of folder
+		$folder2 = Folder::find_or_make('/FolderTest/EN_US Lang');
+		$this->assertEquals($folder->ID, $folder2->ID);
+		
+		$folder3 = Folder::find_or_make('/FolderTest/EN--US_L!ang');
+		$this->assertEquals($folder->ID, $folder3->ID);
+		
+		$folder4 = Folder::find_or_make('/FolderTest/EN-US-Lang');
+		$this->assertEquals($folder->ID, $folder4->ID);
+	}
+	
 }

From c7e57e0087eb2fa948478daae438d6f1c1d74bf1 Mon Sep 17 00:00:00 2001
From: Thomas Speak <TomSpeak@users.noreply.github.com>
Date: Thu, 20 Feb 2014 13:06:48 +0000
Subject: [PATCH 16/39] DOC: DropdownField __construct

Current docs make PHPStorm spew errors about data types.

`new CheckboxSetField('Countries'...);`

Causes `Expected The, got string`.

Simple restructure.
---
 forms/DropdownField.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/forms/DropdownField.php b/forms/DropdownField.php
index 60b66df5e..4ef3572b1 100644
--- a/forms/DropdownField.php
+++ b/forms/DropdownField.php
@@ -117,15 +117,15 @@ class DropdownField extends FormField {
 	protected $disabledItems = array();
 	
 	/**
-	 * Creates a new dropdown field.
-	 * @param $name The field name
-	 * @param $title The field title
-	 * @param $source An map of the dropdown items
-	 * @param $value The current value
-	 * @param $form The parent form
-	 * @param $emptyString mixed Add an empty selection on to of the {@link $source}-Array (can also be boolean, which
-	 *                           results in an empty string).  Argument is deprecated in 3.1, please use
-	 *                           {@link setEmptyString()} and/or {@link setHasEmptyDefault(true)} instead.
+	 * @param string $name The field name
+	 * @param string $title The field title
+	 * @param array $source An map of the dropdown items
+	 * @param string $value The current value
+	 * @param Form $form The parent form
+	 * @param string|bool $emptyString Add an empty selection on to of the {@link $source}-Array (can also be
+	 *					boolean, which  results in an empty string).  Argument is deprecated
+	 * 					in 3.1, please use{@link setEmptyString()} and/or
+	 * 					{@link setHasEmptyDefault(true)} instead.
 	 */
 	public function __construct($name, $title=null, $source=array(), $value='', $form=null, $emptyString=null) {
 		$this->setSource($source);

From 2ae65a6f3d5a9a480a58b004203cb1ddcc00e675 Mon Sep 17 00:00:00 2001
From: KarlKl <karl.klingelhuber@cads.at>
Date: Fri, 21 Feb 2014 09:04:53 +0100
Subject: [PATCH 17/39] Silverstripe.com is not this version

On Silverstripe.com(http://doc.silverstripe.com/framework/en/3.0/topics/shortcodes) is an older version of this file.
From the "Built-in Shortcodes"-heading down to the bottom the page is marked as code.

Cheers
K
---
 docs/en/topics/shortcodes.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/en/topics/shortcodes.md b/docs/en/topics/shortcodes.md
index d11b07091..bb7b85475 100644
--- a/docs/en/topics/shortcodes.md
+++ b/docs/en/topics/shortcodes.md
@@ -97,6 +97,7 @@ CMS users still need to remember the specific syntax, but these shortcodes can f
 for more advanced editing interfaces (with visual placeholders). See the built-in `[embed]` shortcode as an example
 for coupling shortcodes with a form to create and edit placeholders.
 
+
 ## Built-in Shortcodes
 
 SilverStripe comes with several shortcode parsers already.
@@ -140,4 +141,4 @@ The parser will recognise this as:
 
 ## Related
 
-  * [Wordpress implementation](http://codex.wordpress.org/Shortcode_API)
\ No newline at end of file
+  * [Wordpress implementation](http://codex.wordpress.org/Shortcode_API)

From 437cbe0d91ceb210c6d24d99f97d19f346e5a0ae Mon Sep 17 00:00:00 2001
From: Thomas Speak <TomSpeak@users.noreply.github.com>
Date: Thu, 20 Feb 2014 13:19:53 +0000
Subject: [PATCH 18/39] DOC: SapphireTest `objFromFixture`

The current docs for `objFromFixture` cause PHPStorm to generate an error because of the mismatched data types.

`$product = $this->objFromFixture('ProductPage', 'StandardSpecs');`

Causes: `Expected The, got string`.
---
 dev/SapphireTest.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/dev/SapphireTest.php b/dev/SapphireTest.php
index e13b4c518..4e4c7d9eb 100644
--- a/dev/SapphireTest.php
+++ b/dev/SapphireTest.php
@@ -388,11 +388,11 @@ class SapphireTest extends PHPUnit_Framework_TestCase {
 
 		return $id;
 	}
-	
+
 	/**
 	 * Return all of the IDs in the fixture of a particular class name.
 	 * Will collate all IDs form all fixtures if multiple fixtures are provided.
-	 * 
+	 *
 	 * @param string $className
 	 * @return A map of fixture-identifier => object-id
 	 */
@@ -402,9 +402,11 @@ class SapphireTest extends PHPUnit_Framework_TestCase {
 
 	/**
 	 * Get an object from the fixture.
-	 * 
-	 * @param $className The data class, as specified in your fixture file.  Parent classes won't work
-	 * @param $identifier The identifier string, as provided in your fixture file
+	 *
+	 * @param string $className The data class, as specified in your fixture file. Parent classes won't work
+	 * @param string $identifier The identifier string, as provided in your fixture file
+	 *
+	 * @return DataObject
 	 */
 	protected function objFromFixture($className, $identifier) {
 		$obj = $this->getFixtureFactory()->get($className, $identifier);

From 733bc42dd728dad2531e745612d65e61541043b4 Mon Sep 17 00:00:00 2001
From: Howard Grigg <howard@gri.gg>
Date: Sat, 22 Feb 2014 17:16:07 +1000
Subject: [PATCH 19/39] MINOR Corrected links for 'Topics' documentation index

---
 docs/en/topics/index.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/en/topics/index.md b/docs/en/topics/index.md
index e102bb2b4..031056547 100644
--- a/docs/en/topics/index.md
+++ b/docs/en/topics/index.md
@@ -22,12 +22,14 @@ It is where most documentation should live, and is the natural "second step" aft
  * [Javascript](javascript): Best practices for developing with JavaScript in SilverStripe
  * [Module Development](module-development): Creating a module (also known as "extension" or "plugin") to contain reusable functionality
  * [Modules](modules): Introduction, how to download and install a module (e.g. with blog or forum functionality)
+ * [Page Type Templates](page-type-templates): How to build templates for all your different page types
  * [Page Types](page-types): What is a "page type" and how do you create one?
+ * [Rich Text Editing](rich-text-editing): How to use and configure SilverStripes built in HTML Editor
  * [Search](search): Searching for properties in the database as well as other documents
  * [Security](security): How to develop secure SilverStripe applications with good code examples
- * [Shortcodes](shortcodes): Use simple placeholders for powerful content replacements like multimedia embeds
  * [Templates](templates): SilverStripe template syntax: Variables, loops, includes and much more
  * [Testing](testing): Functional and Unit Testing with PHPUnit and SilverStripe's testing framework
- * [Developing Themes](theme-development): Package templates, images and CSS to a reusable theme
- * [Widgets](widgets): Small feature blocks which can be placed on a page by the CMS editor, also outlines how to create and add widgets
+ * [Theme Development](theme-development): Package templates, images and CSS to a reusable theme
+ * [Using Themes](themes): How to download and install themes
  * [Versioning](versioning): Extension for SiteTree and other classes to store old versions and provide "staging"
+ * [Widgets](widgets): Small feature blocks which can be placed on a page by the CMS editor, also outlines how to create and add widgets

From d6b75acbc496a2a6cf2774bd1bcea5d855bfc831 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Mon, 24 Feb 2014 10:08:09 +1300
Subject: [PATCH 20/39] Added 3.1.3-rc2 changelog

---
 docs/en/changelogs/rc/3.1.3-rc2.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 docs/en/changelogs/rc/3.1.3-rc2.md

diff --git a/docs/en/changelogs/rc/3.1.3-rc2.md b/docs/en/changelogs/rc/3.1.3-rc2.md
new file mode 100644
index 000000000..47edfc088
--- /dev/null
+++ b/docs/en/changelogs/rc/3.1.3-rc2.md
@@ -0,0 +1,12 @@
+# 3.1.3-rc2
+
+# Overview
+
+ * Fixed regression around CMS loading in IE8
+ * Fixed regression in folder creation on upload
+
+
+### Bugfixes
+
+ * 2014-02-20 [ebeb663](https://github.com/silverstripe/sapphire/commit/ebeb663) Fixed critical issue with Folder::find_or_make failing to handle invalid filename characters BUG Fix UploadField duplicate checking with invalid folderName (Damian Mooyman)
+ * 2014-02-19 [a681bd7](https://github.com/silverstripe/sapphire/commit/a681bd7) IE8 support in jquery.ondemand.js (fixes #2872) (Loz Calver)

From af01d7f02407a2aad2941360d6931c567334509f Mon Sep 17 00:00:00 2001
From: Sean Harvey <sean@silverstripe.com>
Date: Mon, 24 Feb 2014 15:38:53 +1300
Subject: [PATCH 21/39] Adding defaults for unhandled event priorities in log
 formatters.

Unhandled types wouldn't show up in the error format message, and a
notice "undefined $errtype" is displayed on these cases.
---
 dev/LogErrorEmailFormatter.php | 3 +++
 dev/LogErrorFileFormatter.php  | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/dev/LogErrorEmailFormatter.php b/dev/LogErrorEmailFormatter.php
index 370a6d5e5..195aefcfd 100644
--- a/dev/LogErrorEmailFormatter.php
+++ b/dev/LogErrorEmailFormatter.php
@@ -23,6 +23,9 @@ class SS_LogErrorEmailFormatter implements Zend_Log_Formatter_Interface {
 				$errorType = 'Notice';
 				$colour = 'grey';
 				break;
+			default:
+				$errorType = $event['priorityName'];
+				$colour = 'grey';
 		}
 
 		if(!is_array($event['message'])) {
diff --git a/dev/LogErrorFileFormatter.php b/dev/LogErrorFileFormatter.php
index 9b4f82f9b..5a64d8ca7 100644
--- a/dev/LogErrorFileFormatter.php
+++ b/dev/LogErrorFileFormatter.php
@@ -15,7 +15,7 @@ class SS_LogErrorFileFormatter implements Zend_Log_Formatter_Interface {
 		$errfile = $event['message']['errfile'];
 		$errline = $event['message']['errline'];
 		$errcontext = $event['message']['errcontext'];
-		
+
 		switch($event['priorityName']) {
 			case 'ERR':
 				$errtype = 'Error';
@@ -26,6 +26,8 @@ class SS_LogErrorFileFormatter implements Zend_Log_Formatter_Interface {
 			case 'NOTICE':
 				$errtype = 'Notice';
 				break;
+			default:
+				$errtype = $event['priorityName'];
 		}
 
 		$urlSuffix = '';

From 8b923006227b0177983c96b949edaa6df18fbbf8 Mon Sep 17 00:00:00 2001
From: Will Rossiter <will.rossiter@gmail.com>
Date: Mon, 24 Feb 2014 21:41:48 +1300
Subject: [PATCH 22/39] Add support for many_many_extraField in YAML

Format is

RelationName:
  - =>Obj.name:
    ExtraFieldName: "Foo"
---
 dev/FixtureBlueprint.php           |  57 +++++++---
 docs/en/topics/testing/fixtures.md | 177 ++++++++++++++++++++++-------
 tests/dev/FixtureBlueprintTest.php |  59 +++++++++-
 tests/dev/FixtureFactoryTest.php   |  19 ++++
 4 files changed, 247 insertions(+), 65 deletions(-)

diff --git a/dev/FixtureBlueprint.php b/dev/FixtureBlueprint.php
index e74bdee11..532c16b56 100644
--- a/dev/FixtureBlueprint.php
+++ b/dev/FixtureBlueprint.php
@@ -128,27 +128,48 @@ class FixtureBlueprint {
 			// Populate all relations
 			if($data) foreach($data as $fieldName => $fieldVal) {
 				if($obj->many_many($fieldName) || $obj->has_many($fieldName)) {
+					$obj->write();
+
 					$parsedItems = array();
-					$items = preg_split('/ *, */',trim($fieldVal));
-					foreach($items as $item) {
-						// Check for correct format: =><relationname>.<identifier>.
-						// Ignore if the item has already been replaced with a numeric DB identifier
-						if(!is_numeric($item) && !preg_match('/^=>[^\.]+\.[^\.]+/', $item)) {
-							throw new InvalidArgumentException(sprintf(
-								'Invalid format for relation "%s" on class "%s" ("%s")',
-								$fieldName,
-								$class,
-								$item
-							));
+
+					if(is_array($fieldVal)) {
+						// handle lists of many_many relations. Each item can
+						// specify the many_many_extraFields against each 
+						// related item.
+						foreach($fieldVal as $relVal) {
+							$item = key($relVal);
+							$id = $this->parseValue($item, $fixtures);
+							$parsedItems[] = $id;
+
+							array_shift($relVal);
+
+							$obj->getManyManyComponents($fieldName)->add(
+								$id, $relVal
+							);
+						}
+					} else {
+						$items = preg_split('/ *, */',trim($fieldVal));
+
+						foreach($items as $item) {
+							// Check for correct format: =><relationname>.<identifier>.
+							// Ignore if the item has already been replaced with a numeric DB identifier
+							if(!is_numeric($item) && !preg_match('/^=>[^\.]+\.[^\.]+/', $item)) {
+								throw new InvalidArgumentException(sprintf(
+									'Invalid format for relation "%s" on class "%s" ("%s")',
+									$fieldName,
+									$class,
+									$item
+								));
+							}
+
+							$parsedItems[] = $this->parseValue($item, $fixtures);
 						}
 
-						$parsedItems[] = $this->parseValue($item, $fixtures);
-					}
-					$obj->write();
-					if($obj->has_many($fieldName)) {
-						$obj->getComponents($fieldName)->setByIDList($parsedItems);
-					} elseif($obj->many_many($fieldName)) {
-						$obj->getManyManyComponents($fieldName)->setByIDList($parsedItems);
+						if($obj->has_many($fieldName)) {
+							$obj->getComponents($fieldName)->setByIDList($parsedItems);
+						} elseif($obj->many_many($fieldName)) {
+							$obj->getManyManyComponents($fieldName)->setByIDList($parsedItems);
+						}
 					}
 				} elseif($obj->has_one($fieldName)) {
 					// Sets has_one with relation name
diff --git a/docs/en/topics/testing/fixtures.md b/docs/en/topics/testing/fixtures.md
index 77a1886c2..5053cd143 100644
--- a/docs/en/topics/testing/fixtures.md
+++ b/docs/en/topics/testing/fixtures.md
@@ -2,38 +2,42 @@
 
 ## Overview
 
-You will often find the need to test your functionality with some consistent data.
-If we are testing our code with the same data each time,
-we can trust our tests to yeild reliable results.
-In Silverstripe we define this data via 'fixtures' (so called because of their fixed nature).
-The `[api:SapphireTest]` class takes care of populating a test database with data from these fixtures -
-all we have to do is define them, and we have a few ways in which we can do this.
+You will often find the need to test your functionality with some consistent 
+data. If we are testing our code with the same data each time, we can trust our 
+tests to yield reliable results.
+
+In Silverstripe we define this data via 'fixtures' (so called because of their 
+fixed nature). The `[api:SapphireTest]` class takes care of populating a test 
+database with data from these fixtures - all we have to do is define them, and 
+we have a few ways in which we can do this.
 
 ## YAML Fixtures
 
-YAML is a markup language which is deliberately simple and easy to read,
-so it is ideal for fixture generation.
+YAML is a markup language which is deliberately simple and easy to read, so it 
+is ideal for fixture generation.
 
 Say we have the following two DataObjects:
 
 	:::php
 	class Player extends DataObject {
-		static $db = array (
+		
+		private static $db = array (
 			'Name' => 'Varchar(255)'
 		);
 
-		static $has_one = array(
+		private static $has_one = array(
 			'Team' => 'Team'
 		);
 	}
 
 	class Team extends DataObject {
-		static $db = array (
+
+		private static $db = array (
 			'Name' => 'Varchar(255)',
 			'Origin' => 'Varchar(255)'
 		);
 
-		static $has_many = array(
+		private static $has_many = array(
 			'Players' => 'Player'
 		);
 	}
@@ -59,31 +63,42 @@ We can represent multiple instances of them in `YAML` as follows:
 			Name: The Crusaders
 			Origin: Bay of Plenty
 
-Our `YAML` is broken up into three levels, signified by the indentation of each line.
-In the first level of indentation, `Player` and `Team`,
-represent the class names of the objects we want to be created for the test.
+Our `YAML` is broken up into three levels, signified by the indentation of each 
+line. In the first level of indentation, `Player` and `Team`, represent the 
+class names of the objects we want to be created for the test.
 
-The second level, `john`/`joe`/`jack` & `hurricanes`/`crusaders`, are identifiers.
-These are what you pass as the second argument of `SapphireTest::objFromFixture()`.
-Each identifier you specify represents a new object.
+The second level, `john`/`joe`/`jack` & `hurricanes`/`crusaders`, are 
+identifiers. These are what you pass as the second argument of 
+`SapphireTest::objFromFixture()`. Each identifier you specify represents a new 
+object.
 
 The third and final level represents each individual object's fields.
-A field can either be provided with raw data (such as the Names for our Players),
-or we can define a relationship, as seen by the fields prefixed with `=>`.
 
-Each one of our Players has a relationship to a Team,
-this is shown with the `Team` field for each `Player` being set to `=>Team.` followed by a team name.
-Take the player John for example, his team is the Hurricanes which is represented by `=>Team.hurricanes`.
-This is tells the system that we want to set up a relationship for the `Player` object `john` with the `Team` object `hurricanes`.
+A field can either be provided with raw data (such as the names for our 
+Players), or we can define a relationship, as seen by the fields prefixed with 
+`=>`.
+
+Each one of our Players has a relationship to a Team, this is shown with the 
+`Team` field for each `Player` being set to `=>Team.` followed by a team name.
+
+Take the player John for example, his team is the Hurricanes which is 
+represented by `=>Team.hurricanes`.
+
+This is tells the system that we want to set up a relationship for the `Player` 
+object `john` with the `Team` object `hurricanes`.
+
 It will populate the `Player` object's `TeamID` with the ID of `hurricanes`,
 just like how a relationship is always set up.
 
 <div class="hint" markdown='1'>
-Note that we use the name of the relationship (Team), and not the name of the database field (TeamID).
+Note that we use the name of the relationship (Team), and not the name of the 
+database field (TeamID).
 </div>
 
-This style of relationship declaration can be used for both a `has-one` and a `many-many` relationship.
-For `many-many` relationships, we specify a comma separated list of values.
+This style of relationship declaration can be used for both a `has-one` and a 
+`many-many` relationship. For `many-many` relationships, we specify a comma 
+separated list of values.
+
 For example we could just as easily write the above as:
 
 	:::yml
@@ -104,27 +119,97 @@ For example we could just as easily write the above as:
 			Origin: Bay of Plenty
 			Players: =>Player.joe,=>Player.jack
 
-A crucial thing to note is that **the YAML file specifies DataObjects, not database records**.
-The database is populated by instantiating DataObject objects and setting the fields declared in the YML,
-then calling write() on those objects.
-This means that any `onBeforeWrite()` or default value logic will be executed as part of the test.
-The reasoning behind this is to allow us to test the `onBeforeWrite` functionality of our objects.
-You can see this kind of testing in action in the `testURLGeneration()` test from the example in
-[Creating a SilverStripe Test](creating-a-silverstripe-test).
+A crucial thing to note is that **the YAML file specifies DataObjects, not 
+database records**.
+
+The database is populated by instantiating DataObject objects and setting the 
+fields declared in the YML, then calling write() on those objects. This means 
+that any `onBeforeWrite()` or default value logic will be executed as part of 
+the test. The reasoning behind this is to allow us to test the `onBeforeWrite` 
+functionality of our objects.
+
+You can see this kind of testing in action in the `testURLGeneration()` test 
+from the example in [Creating a SilverStripe Test](creating-a-silverstripe-test).
+
+### Defining many_many_extraFields
+
+`many_many` relations can have additional database fields attached to the 
+relationship. For example we may want to declare the role each player has in the
+team.
+
+	:::php
+	class Player extends DataObject {
+		
+		private static $db = array (
+			'Name' => 'Varchar(255)'
+		);
+
+		private static $belongs_many_many = array(
+			'Teams' => 'Team'
+		);
+	}
+
+	class Team extends DataObject {
+
+		private static $db = array (
+			'Name' => 'Varchar(255)'
+		);
+
+		private static $many_many = array(
+			'Players' => 'Player'
+		);
+
+		private static $many_many_extraFields = array(
+			"Players" => array(
+				"Role" => "Varchar"
+			);
+		);	
+	}
+
+To provide the value for the many_many_extraField use the YAML list syntax.
+
+	:::yml
+	Player:
+	  john:
+	    Name: John
+	  joe:
+	    Name: Joe
+	  jack:
+	    Name: Jack
+	Team:
+	  hurricanes:
+	    Name: The Hurricanes
+	    Players: 
+	      - =>Player.john:
+ 	        Role: Captain
+
+	  crusaders:
+	    Name: The Crusaders
+	    Players: 
+	      - =>Player.joe:
+	        Role: Captain
+	      - =>Player.jack:
+	        Role: Winger
 
 ## Test Class Definition
 
 ### Manual Object Creation
 
-Sometimes statically defined fixtures don't suffice. This could be because of the complexity of the tested model,
-or because the YAML format doesn't allow you to modify all of a model's state.
-One common example here is publishing pages (page fixtures aren't published by default).
+Sometimes statically defined fixtures don't suffice. This could be because of 
+the complexity of the tested model, or because the YAML format doesn't allow you 
+to modify all of a model's state.
+
+One common example here is publishing pages (page fixtures aren't published by 
+default).
 
 You can always resort to creating objects manually in the test setup phase.
-Since the test database is cleared on every test method, you'll get a fresh set of test instances every time.
+
+Since the test database is cleared on every test method, you'll get a fresh set 
+of test instances every time.
 
 	:::php
 	class SiteTreeTest extends SapphireTest {
+
 		function setUp() {
 			parent::setUp();
 
@@ -140,16 +225,20 @@ Since the test database is cleared on every test method, you'll get a fresh set
 
 ### Why Factories?
 
-While manually defined fixtures provide full flexibility, they offer very little in terms of structure and convention.
-Alternatively, you can use the `[api:FixtureFactory]` class, which allows you to set default values,
-callbacks on object creation, and dynamic/lazy value setting.
+While manually defined fixtures provide full flexibility, they offer very little 
+in terms of structure and convention. Alternatively, you can use the 
+`[api:FixtureFactory]` class, which allows you to set default values, callbacks 
+on object creation, and dynamic/lazy value setting.
 
 <div class="hint" markdown='1'>
-SapphireTest uses FixtureFactory under the hood when it is provided with YAML based fixtures.
+SapphireTest uses FixtureFactory under the hood when it is provided with YAML 
+based fixtures.
 </div>
 
-The idea is that rather than instantiating objects directly, we'll have a factory class for them.
-This factory can have so called "blueprints" defined on it, which tells the factory how to instantiate an object of a specific type. Blueprints need a name, which is usually set to the class it creates.
+The idea is that rather than instantiating objects directly, we'll have a 
+factory class for them. This factory can have so called "blueprints" defined on 
+it, which tells the factory how to instantiate an object of a specific type. 
+Blueprints need a name, which is usually set to the class it creates.
 
 ### Usage
 
diff --git a/tests/dev/FixtureBlueprintTest.php b/tests/dev/FixtureBlueprintTest.php
index a5613d85f..591ab6e36 100644
--- a/tests/dev/FixtureBlueprintTest.php
+++ b/tests/dev/FixtureBlueprintTest.php
@@ -12,6 +12,58 @@ class FixtureBlueprintTest extends SapphireTest {
 		'FixtureFactoryTest_DataObjectRelation'
 	);
 
+	public function testCreateWithRelationshipExtraFields() {
+		$blueprint = new FixtureBlueprint('FixtureFactoryTest_DataObject');
+
+		$relation1 = new FixtureFactoryTest_DataObjectRelation();
+		$relation1->write();
+		$relation2 = new FixtureFactoryTest_DataObjectRelation();
+		$relation2->write();
+
+		// in YAML these look like
+		// RelationName:
+		//   - =>Relational.obj:
+		//     ExtraFieldName: test
+		//   - =>..
+		$obj = $blueprint->createObject(
+			'one',
+			array(
+				'ManyMany' => 
+					array(
+						array(
+							"=>FixtureFactoryTest_DataObjectRelation.relation1" => array(), 
+							"Label" => 'This is a label for relation 1'
+						),
+						array(
+							"=>FixtureFactoryTest_DataObjectRelation.relation2" => array(),
+							"Label" => 'This is a label for relation 2'
+						)
+					)
+			),
+			array(
+				'FixtureFactoryTest_DataObjectRelation' => array(
+					'relation1' => $relation1->ID,
+					'relation2' => $relation2->ID
+				)
+			)
+		);
+
+		$this->assertEquals(2, $obj->ManyMany()->Count());
+		$this->assertNotNull($obj->ManyMany()->find('ID', $relation1->ID));
+		$this->assertNotNull($obj->ManyMany()->find('ID', $relation2->ID));
+
+		$this->assertEquals(
+			array('Label' => 'This is a label for relation 1'),
+			$obj->ManyMany()->getExtraData('ManyMany', $relation1->ID)
+		);
+
+		$this->assertEquals(
+			array('Label' => 'This is a label for relation 2'),
+			$obj->ManyMany()->getExtraData('ManyMany', $relation2->ID)
+		);
+	}
+
+
 	public function testCreateWithoutData() {
 		$blueprint = new FixtureBlueprint('FixtureFactoryTest_DataObject');
 		$obj = $blueprint->createObject('one');
@@ -28,6 +80,7 @@ class FixtureBlueprintTest extends SapphireTest {
 		$this->assertEquals('My Name', $obj->Name);
 	}
 
+
 	public function testCreateWithRelationship() {
 		$blueprint = new FixtureBlueprint('FixtureFactoryTest_DataObject');
 
@@ -127,7 +180,7 @@ class FixtureBlueprintTest extends SapphireTest {
 		$this->assertEquals(99, $obj->ID);
 	}
 
-	function testCallbackOnBeforeCreate() {
+	public function testCallbackOnBeforeCreate() {
 		$blueprint = new FixtureBlueprint('FixtureFactoryTest_DataObject');
 		$this->_called = 0;
 		$self = $this;
@@ -144,7 +197,7 @@ class FixtureBlueprintTest extends SapphireTest {
 		$this->_called = 0;
 	}
 
-	function testCallbackOnAfterCreate() {
+	public function testCallbackOnAfterCreate() {
 		$blueprint = new FixtureBlueprint('FixtureFactoryTest_DataObject');
 		$this->_called = 0;
 		$self = $this;
@@ -161,7 +214,7 @@ class FixtureBlueprintTest extends SapphireTest {
 		$this->_called = 0;
 	}
 
-	function testDefineWithDefaultCustomSetters() {
+	public function testDefineWithDefaultCustomSetters() {
 		$blueprint = new FixtureBlueprint(
 			'FixtureFactoryTest_DataObject', 
 			null,
diff --git a/tests/dev/FixtureFactoryTest.php b/tests/dev/FixtureFactoryTest.php
index 2dd7685e2..a08d87ef7 100644
--- a/tests/dev/FixtureFactoryTest.php
+++ b/tests/dev/FixtureFactoryTest.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * @package framework
  * @subpackage tests
@@ -151,19 +152,37 @@ class FixtureFactoryTest extends SapphireTest {
 
 }
 
+/**
+ * @package framework
+ * @subpackage tests
+ */
 class FixtureFactoryTest_DataObject extends DataObject implements TestOnly {
+	
 	private static $db = array(
 		"Name" => "Varchar"
 	);
+	
 	private static $many_many = array(
 		"ManyMany" => "FixtureFactoryTest_DataObjectRelation"
 	);
+
+	private static $many_many_extraFields = array(
+		"ManyMany" => array(
+			"Label" => "Varchar"
+		)
+	);
 }
 
+/**
+ * @package framework
+ * @subpackage tests
+ */
 class FixtureFactoryTest_DataObjectRelation extends DataObject implements TestOnly {
+	
 	private static $db = array(
 		"Name" => "Varchar"
 	);
+	
 	private static $belongs_many_many = array(
 		"TestParent" => "FixtureFactoryTest_DataObject"
 	); 

From 9afcf8f01ac6b5c3c054b9a49f1731d35aa868ed Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Mon, 24 Feb 2014 18:45:18 +1300
Subject: [PATCH 23/39] Allow vetoing forgot password requests

---
 security/MemberLoginForm.php | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/security/MemberLoginForm.php b/security/MemberLoginForm.php
index cccdf9089..c95216b42 100644
--- a/security/MemberLoginForm.php
+++ b/security/MemberLoginForm.php
@@ -1,6 +1,14 @@
 <?php
 /**
- * Log-in form for the "member" authentication method
+ * Log-in form for the "member" authentication method.
+ *
+ * Available extension points:
+ * - "authenticationFailed": Called when login was not successful. 
+ *    Arguments: $data containing the form submission
+ * - "forgotPassword": Called before forgot password logic kicks in, 
+ *    allowing extensions to "veto" execution by returning FALSE. 
+ *    Arguments: $member containing the detected Member record
+ * 
  * @package framework
  * @subpackage security
  */
@@ -256,9 +264,12 @@ JS
 
 
 	/**
-	 * Forgot password form handler method
-	 *
-	 * This method is called when the user clicks on "I've lost my password"
+	 * Forgot password form handler method.
+	 * Called when the user clicks on "I've lost my password".
+	 * Extensions can use the 'forgotPassword' method to veto executing
+	 * the logic, by returning FALSE. In this case, the user will be redirected back
+	 * to the form without further action. It is recommended to set a message
+	 * in the form detailing why the action was denied.
 	 *
 	 * @param array $data Submitted data
 	 */
@@ -267,6 +278,12 @@ JS
 		$SQL_email = $SQL_data['Email'];
 		$member = DataObject::get_one('Member', "\"Email\" = '{$SQL_email}'");
 
+		// Allow vetoing forgot password requests
+		$results = $this->extend('forgotPassword', $member);
+		if($results && is_array($results) && in_array(false, $results, true)) {
+			return $this->controller->redirect('Security/lostpassword');
+		}
+
 		if($member) {
 			$token = $member->generateAutologinTokenAndStoreHash();
 

From 56e0c72cb06db692d4c2417506c7da4ea5486f8c Mon Sep 17 00:00:00 2001
From: torleif <torleifw@gmail.com>
Date: Wed, 26 Feb 2014 13:39:14 +1300
Subject: [PATCH 24/39] Update shortcodes.md

Trying to link to [embed] causes the parser to break. (see: http://doc.silverstripe.org/framework/en/reference/shortcodes)
---
 docs/en/reference/shortcodes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/en/reference/shortcodes.md b/docs/en/reference/shortcodes.md
index 76984bc66..a6c6885ac 100644
--- a/docs/en/reference/shortcodes.md
+++ b/docs/en/reference/shortcodes.md
@@ -97,7 +97,7 @@ plus some `width` and `height` arguments. We'll add defaults to those in our sho
 
 The hard bits are taken care of (parsing out the shortcodes), everything we need to do is a bit of string replacement.
 CMS users still need to remember the specific syntax, but these shortcodes can form the basis
-for more advanced editing interfaces (with visual placeholders). See the built-in `[embed]` shortcode as an example
+for more advanced editing interfaces (with visual placeholders). See the built-in `embed` shortcode as an example
 for coupling shortcodes with a form to create and edit placeholders.
 
 ## Built-in Shortcodes
@@ -238,4 +238,4 @@ The parser will raise an error if it can not find a matching opening tag for any
 
 ## Related
 
-  * [Wordpress implementation](http://codex.wordpress.org/Shortcode_API)
\ No newline at end of file
+  * [Wordpress implementation](http://codex.wordpress.org/Shortcode_API)

From 3e5ac7cdcc85ec6ea5f6f72889cf95815d29470f Mon Sep 17 00:00:00 2001
From: Igor <igor.nadj@gmail.com>
Date: Wed, 26 Feb 2014 14:09:09 +1300
Subject: [PATCH 25/39] Update File.php

Adding warning, took me a couple hours to figure this out...

The file does not get moved because of this line:
https://github.com/silverstripe/silverstripe-framework/blob/3.1/filesystem/File.php#L515

Maybe add to the method doc, telling people to set ParentId and Name instead if they want to change the location of a file (if that's the correct method).
---
 filesystem/File.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/filesystem/File.php b/filesystem/File.php
index d88f00af1..358c190be 100644
--- a/filesystem/File.php
+++ b/filesystem/File.php
@@ -732,7 +732,7 @@ class File extends DataObject {
 	}
 
 	/**
-	 * Does not change the filesystem itself, please use {@link write()} for this.
+	 * Caution: this does not change the location of the file on the filesystem.
 	 */
 	public function setFilename($val) {
 		$this->setField('Filename', $val);

From c74137e679a226c70f013e8f0a47b18629222173 Mon Sep 17 00:00:00 2001
From: Will Rossiter <will.rossiter@gmail.com>
Date: Fri, 28 Feb 2014 21:24:09 +1300
Subject: [PATCH 26/39] FIX: getMessageFromSession returning null on first
 access

---
 forms/Form.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/forms/Form.php b/forms/Form.php
index edd318176..ca38874eb 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -1016,12 +1016,17 @@ class Form extends RequestHandler {
 		return $this->messageType;
 	}
 
+	/**
+	 * @return string
+	 */
 	protected function getMessageFromSession() {
 		if($this->message || $this->messageType) {
 			return $this->message;
-		}else{
+		} else {
 			$this->message = Session::get("FormInfo.{$this->FormName()}.formError.message");
 			$this->messageType = Session::get("FormInfo.{$this->FormName()}.formError.type");
+
+			return $this->message;
 		}
 	}
 

From 1795b21df054f3e843f04065d4e2cec5395fbeb2 Mon Sep 17 00:00:00 2001
From: Colin Richardson <feejin@gmail.com>
Date: Sun, 2 Mar 2014 14:43:44 +0000
Subject: [PATCH 27/39] Remove redundant underscore and update the comment

---
 model/URLSegmentFilter.php           | 2 +-
 tests/model/URLSegmentFilterTest.php | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/model/URLSegmentFilter.php b/model/URLSegmentFilter.php
index 83c5fa363..9db39725d 100644
--- a/model/URLSegmentFilter.php
+++ b/model/URLSegmentFilter.php
@@ -33,7 +33,7 @@ class URLSegmentFilter extends Object {
 		'/[_.]+/u' => '-', // underscores and dots to dashes
 		'/[^A-Za-z0-9\-]+/u' => '', // remove non-ASCII chars, only allow alphanumeric and dashes
 		'/[\-]{2,}/u' => '-', // remove duplicate dashes
-		'/^[\-_]/u' => '', // Remove all leading dashes or underscores
+		'/^[\-]+/u' => '' // Remove all leading dashes
 	);
 	
 	/**
diff --git a/tests/model/URLSegmentFilterTest.php b/tests/model/URLSegmentFilterTest.php
index 44e8a69ea..74ef70094 100644
--- a/tests/model/URLSegmentFilterTest.php
+++ b/tests/model/URLSegmentFilterTest.php
@@ -77,4 +77,9 @@ class URLSegmentFilterTest extends SapphireTest {
 		$this->assertEquals('url-contains-dot', $filter->filter('url-contains.dot'));
 	}
 
+	public function testRemoveLeadingDashes() {
+		$filter = new URLSegmentFilter();
+		$this->assertEquals('url-has-leading-dashes', $filter->filter('---url-has-leading-dashes'));
+	}
+
 }

From ead3e263786e85ef00ffa76d8d740a62526c5414 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Mon, 3 Mar 2014 08:54:18 +1300
Subject: [PATCH 28/39] Added 3.1.3 changelog

---
 docs/en/changelogs/3.1.3.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 docs/en/changelogs/3.1.3.md

diff --git a/docs/en/changelogs/3.1.3.md b/docs/en/changelogs/3.1.3.md
new file mode 100644
index 000000000..d43eb42fb
--- /dev/null
+++ b/docs/en/changelogs/3.1.3.md
@@ -0,0 +1,29 @@
+# 3.1.3
+
+## Overview
+
+ * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
+ * Security: SiteTree.ExtraMeta allows JavaScript for malicious CMS authors ([SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/))
+ * Better loading performance when using multiple `UploadField` instances
+ * Option for `force_js_to_bottom` on `Requirements` class (ignoring inline `<script>` tags)
+ * Added `ListDecorator->filterByCallback()` for more sophisticated filtering
+ * New `DataList` filters: `LessThanOrEqualFilter` and `GreaterThanOrEqualFilter`
+ * "Cancel" button on "Add Page" form
+ * Better code hinting on magic properties (for IDE autocompletion)
+ * Increased Behat test coverage (editing HTML content, managing page permissions)
+ * Support for PHPUnit 3.8
+
+## Upgrading
+
+### SiteTree.ExtraMeta allows JavaScript for malicious CMS authors
+
+If you have previously used the `SiteTree.ExtraMeta` field for `<head>` markup
+other than its intended use case (`<meta>` and `<link>`), please consult
+[SS-2014-003](http://www.silverstripe.org/ss-2014-003-extrameta-allows-javascript-for-malicious-cms-authors-/).
+
+## Changelog
+
+ * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.3)
+ * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.3)
+ * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.3)
\ No newline at end of file

From b489f4086602b78f98a47a4e756b122c0bd6e4b6 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Mon, 3 Mar 2014 10:19:08 +1300
Subject: [PATCH 29/39] Added 3.0.9 changelog

---
 docs/en/changelogs/3.0.9.md | 35 ++++++-----------------------------
 1 file changed, 6 insertions(+), 29 deletions(-)

diff --git a/docs/en/changelogs/3.0.9.md b/docs/en/changelogs/3.0.9.md
index 089cde8f8..d734f9f61 100644
--- a/docs/en/changelogs/3.0.9.md
+++ b/docs/en/changelogs/3.0.9.md
@@ -2,34 +2,11 @@
 
 ## Overview
 
-### Default current Versioned "stage" to "Live" rather than "Stage"
+ * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
+ * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
 
-Previously only the controllers responsible for page and CMS display 
-(`LeftAndMain` and `ContentController`) explicitly set a stage through
-`Versioned::choose_site_stage()`. Unless this method is called,
-the default stage will be "Stage", showing draft content.
-Any direct subclasses of `Controller` interacting with "versioned" objects
-are vulnerable to exposing unpublished content, unless `choose_site_stage()`
-is called explicitly in their own logic.
+## Changelog
 
-In order to provide more secure default behaviour, we have changed
-`choose_site_stage()` to be called on all requests, defaulting to the "Live" stage.
-If your logic relies on querying draft content, use `Versioned::reading_stage('Stage')`.
-
-Important: The `choose_site_stage()` call only deals with setting the default stage,
-and doesn't check if the user is authenticated to view it. As with any other controller logic,
-please use `DataObject->canView()` to determine permissions.
-
-	:::php
-	class MyController extends Controller {
-		private static $allowed_actions = array('showpage');
-		public function showpage($request) {
-			$page = Page::get()->byID($request->param('ID'));
-			if(!$page->canView()) return $this->httpError(401);
-			// continue with authenticated logic...
-		}
-	}
-
-### API Changes
-
- * 2013-08-03 [0e7231f](https://github.com/silverstripe/sapphire/commit/0e7231f) Disable discontinued Google Spellcheck in TinyMCE (Ingo Schommer)
\ No newline at end of file
+ * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
+ * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
+ * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
\ No newline at end of file

From a7d1991f70224b2de7a6d52a0d9daaac972c4cc1 Mon Sep 17 00:00:00 2001
From: mullerivan <mullerivan@gmail.com>
Date: Mon, 3 Mar 2014 02:40:33 -0200
Subject: [PATCH 30/39] Update css.md

---
 docs/en/topics/css.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/topics/css.md b/docs/en/topics/css.md
index e6043f46d..77db60f0f 100644
--- a/docs/en/topics/css.md
+++ b/docs/en/topics/css.md
@@ -21,7 +21,7 @@ In your controller (e.g. `mysite/code/Page.php`):
 			// either specify the css file manually
 			Requirements::css("mymodule/css/my.css", "screen,projection");
 			// or mention the css filename and SilverStripe will get the file from the current theme and add it to the template
-			Requirements::themedCSS('print', 'print'); 
+			Requirements::themedCSS('print', null,'print'); 
 		}
 	}
 

From c047a7b990094da8af1c69ac0f77b0a8c91bf4f8 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <me@chillu.com>
Date: Mon, 3 Mar 2014 17:46:02 +1300
Subject: [PATCH 31/39] Reset FailedLoginCount on successful password reset

---
 security/ChangePasswordForm.php | 5 +++++
 tests/security/SecurityTest.php | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/security/ChangePasswordForm.php b/security/ChangePasswordForm.php
index 2dfbe51f3..be5d90313 100644
--- a/security/ChangePasswordForm.php
+++ b/security/ChangePasswordForm.php
@@ -104,6 +104,11 @@ class ChangePasswordForm extends Form {
 				
 				// TODO Add confirmation message to login redirect
 				Session::clear('AutoLoginHash');
+
+				// Clear locked out status
+				$member->LockedOutUntil = null;
+				$member->FailedLoginCount = null;
+				$member->write();
 				
 				if (isset($_REQUEST['BackURL']) 
 					&& $_REQUEST['BackURL'] 
diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php
index 0f76c7ac6..90d1cb617 100644
--- a/tests/security/SecurityTest.php
+++ b/tests/security/SecurityTest.php
@@ -213,6 +213,9 @@ class SecurityTest extends FunctionalTest {
 	
 	public function testChangePasswordFromLostPassword() {
 		$admin = $this->objFromFixture('Member', 'test');
+		$admin->FailedLoginCount = 99;
+		$admin->LockedOutUntil = SS_Datetime::now()->Format('Y-m-d H:i:s');
+		$admin->write();
 
 		$this->assertNull($admin->AutoLoginHash, 'Hash is empty before lost password');
 		
@@ -243,6 +246,10 @@ class SecurityTest extends FunctionalTest {
 		$goodResponse = $this->doTestLoginForm('sam@silverstripe.com' , 'changedPassword');
 		$this->assertEquals(302, $goodResponse->getStatusCode());
 		$this->assertEquals($this->idFromFixture('Member', 'test'), $this->session()->inst_get('loggedInAs'));
+
+		$admin = DataObject::get_by_id('Member', $admin->ID, false);
+		$this->assertNull($admin->LockedOutUntil);
+		$this->assertEquals(0, $admin->FailedLoginCount);
 	}
 		
 	public function testRepeatedLoginAttemptsLockingPeopleOut() {

From fb0fe3e689f372a2993c37d067df6c11de2792bd Mon Sep 17 00:00:00 2001
From: sanjay <sanjaymundhra1988@gmail.com>
Date: Mon, 3 Mar 2014 15:24:10 +0530
Subject: [PATCH 32/39] Update 1-building-site

Possessive pronoun "your" was misspelled as "you"...so the required change performed.
---
 docs/en/tutorials/1-building-a-basic-site.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/tutorials/1-building-a-basic-site.md b/docs/en/tutorials/1-building-a-basic-site.md
index e89f81f66..a6b1c2384 100644
--- a/docs/en/tutorials/1-building-a-basic-site.md
+++ b/docs/en/tutorials/1-building-a-basic-site.md
@@ -45,7 +45,7 @@ When designing your site you should only need to modify the *mysite*, *themes* a
 
 ![](_images/tutorial1_cms-basic.jpg)
 
-The CMS is the area in which you can manage your site content. You can access the cms at http://localhost/your_site_name/admin (or http://yourdomain.com/admin if you are using you own domain name). You
+The CMS is the area in which you can manage your site content. You can access the cms at http://localhost/your_site_name/admin (or http://yourdomain.com/admin if you are using your own domain name). You
 will be presented with a login screen. Login using the details you provided at installation. After logging in you
 should see the CMS interface with a list of the pages currently on your website (the site tree). Here you can add, delete and reorganize pages. If you need to delete, publish, or unpublish a page, first check "multi-selection" at the top. You will then be able to perform actions on any checked files using the "Actions" dropdown. Clicking on a page will open it in the page editing interface pictured below (we've entered some test content).
 

From 7b13041449861bcc358b049731a17ebe59974fd4 Mon Sep 17 00:00:00 2001
From: Colin Richardson <feejin@gmail.com>
Date: Mon, 3 Mar 2014 22:22:03 +0000
Subject: [PATCH 33/39] Remove trailing dashes from URLSegment

---
 model/URLSegmentFilter.php           | 3 ++-
 tests/model/URLSegmentFilterTest.php | 9 +++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/model/URLSegmentFilter.php b/model/URLSegmentFilter.php
index 9db39725d..38b125a86 100644
--- a/model/URLSegmentFilter.php
+++ b/model/URLSegmentFilter.php
@@ -33,7 +33,8 @@ class URLSegmentFilter extends Object {
 		'/[_.]+/u' => '-', // underscores and dots to dashes
 		'/[^A-Za-z0-9\-]+/u' => '', // remove non-ASCII chars, only allow alphanumeric and dashes
 		'/[\-]{2,}/u' => '-', // remove duplicate dashes
-		'/^[\-]+/u' => '' // Remove all leading dashes
+		'/^[\-]+/u' => '', // Remove all leading dashes
+		'/[\-]+$/u' => '' // Remove all trailing dashes
 	);
 	
 	/**
diff --git a/tests/model/URLSegmentFilterTest.php b/tests/model/URLSegmentFilterTest.php
index 74ef70094..4dd77a97c 100644
--- a/tests/model/URLSegmentFilterTest.php
+++ b/tests/model/URLSegmentFilterTest.php
@@ -41,8 +41,8 @@ class URLSegmentFilterTest extends SapphireTest {
 	public function testReplacesCommonNonAsciiCharacters() {
 		$f = new URLSegmentFilter();
 		$this->assertEquals(
-			urlencode('aa1-'),
-			$f->filter('Aa1~!@#$%^*()_`-=;\':"[]\{}|,./<>?')
+			urlencode('aa1-a'),
+			$f->filter('Aa1~!@#$%^*()_`-=;\':"[]\{}|,./<>?a')
 		);
 	}
 
@@ -82,4 +82,9 @@ class URLSegmentFilterTest extends SapphireTest {
 		$this->assertEquals('url-has-leading-dashes', $filter->filter('---url-has-leading-dashes'));
 	}
 
+	public function testReplacesTrailingDashes() {
+		$filter = new URLSegmentFilter();
+		$this->assertEquals('url-has-trailing-dashes', $filter->filter('url-has-trailing-dashes--'));
+	}
+
 }

From c3994f4ce7ae869bd53647d0ffe0c400c88460f3 Mon Sep 17 00:00:00 2001
From: torleif <torleifw@gmail.com>
Date: Tue, 4 Mar 2014 11:32:45 +1300
Subject: [PATCH 34/39] Update preview.md

The JavaScript entwine example contains an extra jQuery wrapper
---
 docs/en/reference/preview.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/en/reference/preview.md b/docs/en/reference/preview.md
index 9a48a7111..6c23293d0 100644
--- a/docs/en/reference/preview.md
+++ b/docs/en/reference/preview.md
@@ -66,7 +66,6 @@ Note how the configuration happens in different entwine namespaces
 				}
 			});
 		});
-	});
 	}(jQuery));
 
 Load the file in the CMS via setting adding 'mysite/javascript/MyLeftAndMain.Preview.js'

From 3c1e82b42c282ab64dfe7f5a68a50f59d8ebcc69 Mon Sep 17 00:00:00 2001
From: Devlin <support@layon.de>
Date: Tue, 4 Mar 2014 13:10:48 +0100
Subject: [PATCH 35/39] Upload: retrieve existing File if an object without an
 ID is given and replaceFile=true

---
 filesystem/Upload.php           | 19 ++++---
 tests/filesystem/UploadTest.php | 87 +++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+), 7 deletions(-)

diff --git a/filesystem/Upload.php b/filesystem/Upload.php
index 90cb343dd..a6ab0beba 100644
--- a/filesystem/Upload.php
+++ b/filesystem/Upload.php
@@ -139,14 +139,19 @@ class Upload extends Controller {
 		// Create a new file record (or try to retrieve an existing one)
 		if(!$this->file) {
 			$fileClass = File::get_class_for_file_extension(pathinfo($tmpFile['name'], PATHINFO_EXTENSION));
-			if($this->replaceFile) {
-				$this->file = File::get()
-					->filter(array(
-						'Name' => $fileName,
-						'ParentID' => $parentFolder ? $parentFolder->ID : 0
-					))->First();
+			$this->file = new $fileClass();
+		}
+		if(!$this->file->ID && $this->replaceFile) {
+			$fileClass = $this->file->class;
+			$file = File::get()
+				->filter(array(
+					'ClassName' => $fileClass,
+					'Name' => $fileName,
+					'ParentID' => $parentFolder ? $parentFolder->ID : 0
+				))->First();
+			if($file) {
+				$this->file = $file;
 			}
-			if(!$this->file) $this->file = new $fileClass();
 		}
 		
 		// if filename already exists, version the filename (e.g. test.gif to test1.gif)
diff --git a/tests/filesystem/UploadTest.php b/tests/filesystem/UploadTest.php
index d5b255d35..48a833027 100644
--- a/tests/filesystem/UploadTest.php
+++ b/tests/filesystem/UploadTest.php
@@ -377,6 +377,93 @@ class UploadTest extends SapphireTest {
 		$file->delete();
 		$file2->delete();
 	}
+	
+	public function testReplaceFileWithLoadIntoFile() {
+		// create tmp file
+		$tmpFileName = 'UploadTest-testUpload.txt';
+		$tmpFilePath = TEMP_FOLDER . '/' . $tmpFileName;
+		$tmpFileContent = '';
+		for ($i = 0; $i < 10000; $i++)
+			$tmpFileContent .= '0';
+		file_put_contents($tmpFilePath, $tmpFileContent);
+
+		// emulates the $_FILES array
+		$tmpFile = array(
+			'name' => $tmpFileName,
+			'type' => 'text/plaintext',
+			'size' => filesize($tmpFilePath),
+			'tmp_name' => $tmpFilePath,
+			'extension' => 'txt',
+			'error' => UPLOAD_ERR_OK,
+		);
+
+		// Make sure there are none here, otherwise they get renamed incorrectly for the test.
+		$this->deleteTestUploadFiles("/UploadTest-testUpload.*/");
+
+		$v = new UploadTest_Validator();
+
+		// test upload into default folder
+		$u = new Upload();
+		$u->setValidator($v);
+		$u->load($tmpFile);
+		$file = $u->getFile();
+
+		$this->assertEquals(
+				'UploadTest-testUpload.txt',
+				$file->Name,
+				'File is uploaded without extension'
+		);
+		$this->assertFileExists(
+				BASE_PATH . '/' . $file->getFilename(),
+				'File exists'
+		);
+
+		// replace=true
+		$u = new Upload();
+		$u->setValidator($v);
+		$u->setReplaceFile(true);
+		$u->loadIntoFile($tmpFile, new File());
+		$file2 = $u->getFile();
+		$this->assertEquals(
+				'UploadTest-testUpload.txt',
+				$file2->Name,
+				'File does not receive new name'
+		);
+		$this->assertFileExists(
+				BASE_PATH . '/' . $file2->getFilename(),
+				'File exists'
+		);
+		$this->assertEquals(
+				$file->ID,
+				$file2->ID,
+				'File database record is the same'
+		);
+
+		// replace=false
+		$u = new Upload();
+		$u->setValidator($v);
+		$u->setReplaceFile(false);
+		$u->loadIntoFile($tmpFile, new File());
+		$file3 = $u->getFile();
+		$this->assertEquals(
+				'UploadTest-testUpload2.txt',
+				$file3->Name,
+				'File does receive new name'
+		);
+		$this->assertFileExists(
+				BASE_PATH . '/' . $file3->getFilename(),
+				'File exists'
+		);
+		$this->assertGreaterThan(
+				$file2->ID,
+				$file3->ID,
+				'File database record is not the same'
+		);
+
+		$file->delete();
+		$file2->delete();
+		$file3->delete();
+	}
 
 }
 class UploadTest_Validator extends Upload_Validator implements TestOnly {

From 6d5d3d8cb7e69e0b37471b1e34077211b0f631fe Mon Sep 17 00:00:00 2001
From: Damian Mooyman <damian.mooyman@gmail.com>
Date: Wed, 5 Mar 2014 11:47:02 +1300
Subject: [PATCH 36/39] Rewrote usages of error suppression operator

---
 control/Director.php                   |  5 ++---
 dev/Backtrace.php                      |  2 +-
 dev/Debug.php                          |  7 ++++++-
 dev/Log.php                            |  6 +++---
 dev/LogErrorEmailFormatter.php         |  4 ++--
 dev/install/install.php5               | 18 +++++++++++-------
 docs/en/howto/phpunit-configuration.md |  2 +-
 forms/Form.php                         |  2 +-
 forms/FormField.php                    |  2 +-
 forms/gridfield/GridField.php          |  3 ++-
 model/Database.php                     | 10 ++++++----
 model/HTMLValue.php                    |  6 +++++-
 tests/security/BasicAuthTest.php       | 16 ++++++++--------
 13 files changed, 49 insertions(+), 34 deletions(-)

diff --git a/control/Director.php b/control/Director.php
index 4b63a9092..dafa2340f 100644
--- a/control/Director.php
+++ b/control/Director.php
@@ -208,9 +208,8 @@ class Director implements TemplateGlobalProvider {
 		Requirements::set_backend(new Requirements_Backend());
 
 		// Handle absolute URLs
-		if (@parse_url($url, PHP_URL_HOST) != '') {
-			$bits = parse_url($url);
-			$_SERVER['HTTP_HOST'] = $bits['host'];
+		if ($host = parse_url($url, PHP_URL_HOST)) {
+			$_SERVER['HTTP_HOST'] = $host;
 			$url = Director::makeRelative($url);
 		}
 
diff --git a/dev/Backtrace.php b/dev/Backtrace.php
index 704381322..f77d3464b 100644
--- a/dev/Backtrace.php
+++ b/dev/Backtrace.php
@@ -90,7 +90,7 @@ class SS_Backtrace {
 		// Filter out arguments
 		foreach($bt as $i => $frame) {
 			$match = false;
-			if(@$bt[$i]['class']) {
+			if(!empty($bt[$i]['class'])) {
 				foreach(self::$ignore_function_args as $fnSpec) {
 					if(is_array($fnSpec) && $bt[$i]['class'] == $fnSpec[0] && $bt[$i]['function'] == $fnSpec[1]) {
 						$match = true;
diff --git a/dev/Debug.php b/dev/Debug.php
index 7755f26eb..0ed8a2027 100644
--- a/dev/Debug.php
+++ b/dev/Debug.php
@@ -419,7 +419,12 @@ class Debug {
 		$reporter = self::create_debug_view();
 		
 		// Coupling alert: This relies on knowledge of how the director gets its URL, it could be improved.
-		$httpRequest = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : @$_REQUEST['url'];
+		$httpRequest = null;
+		if(isset($_SERVER['REQUEST_URI'])) {
+			$httpRequest = $_SERVER['REQUEST_URI'];
+		} elseif(isset($_REQUEST['url'])) {
+			$httpRequest = $_REQUEST['url'];
+		}
 		if(isset($_SERVER['REQUEST_METHOD'])) $httpRequest = $_SERVER['REQUEST_METHOD'] . ' ' . $httpRequest;
 
 		$reporter->writeHeader($httpRequest);
diff --git a/dev/Log.php b/dev/Log.php
index ed2a65b0c..18223b5b5 100644
--- a/dev/Log.php
+++ b/dev/Log.php
@@ -94,7 +94,7 @@ class SS_Log {
 			// Add default context (shouldn't change until the actual log event happens)
 			foreach(static::$log_globals as $globalName => $keys) {
 				foreach($keys as $key) {
-					$val = @$GLOBALS[$globalName][$key];
+					$val = isset($GLOBALS[$globalName][$key]) ? $GLOBALS[$globalName][$key] : null;
 					static::$logger->setEventItem(sprintf('$%s[\'%s\']', $globalName, $key), $val);
 				}
 			}
@@ -167,8 +167,8 @@ class SS_Log {
 			$message = array(
 				'errno' => '',
 				'errstr' => $message,
-				'errfile' => @$lastTrace['file'],
-				'errline' => @$lastTrace['line'],
+				'errfile' => isset($lastTrace['file']) ? $lastTrace['file'] : null,
+				'errline' => isset($lastTrace['line']) ? $lastTrace['line'] : null,
 				'errcontext' => $trace
 			);
 		}
diff --git a/dev/LogErrorEmailFormatter.php b/dev/LogErrorEmailFormatter.php
index 370a6d5e5..3bb22eeac 100644
--- a/dev/LogErrorEmailFormatter.php
+++ b/dev/LogErrorEmailFormatter.php
@@ -63,8 +63,8 @@ class SS_LogErrorEmailFormatter implements Zend_Log_Formatter_Interface {
 		$relfile = Director::makeRelative($errfile);
 		if($relfile && $relfile[0] == '/') $relfile = substr($relfile, 1);
 		
-		$host = @$_SERVER['HTTP_HOST'];
-		$uri = @$_SERVER['REQUEST_URI'];
+		$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null;
+		$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null;
 
 		$subject = "[$errorType] in $relfile:{$errline} (http://{$host}{$uri})";
 
diff --git a/dev/install/install.php5 b/dev/install/install.php5
index 575801b47..06c161542 100644
--- a/dev/install/install.php5
+++ b/dev/install/install.php5
@@ -362,11 +362,15 @@ class InstallRequirements {
 	 */
 	function findWebserver() {
 		// Try finding from SERVER_SIGNATURE or SERVER_SOFTWARE
-		$webserver = @$_SERVER['SERVER_SIGNATURE'];
-		if(!$webserver) $webserver = @$_SERVER['SERVER_SOFTWARE'];
+		if(!empty($_SERVER['SERVER_SIGNATURE'])) {
+			$webserver = $_SERVER['SERVER_SIGNATURE'];
+		} elseif(!empty($_SERVER['SERVER_SOFTWARE'])) {
+			$webserver = $_SERVER['SERVER_SOFTWARE'];
+		} else {
+			return false;
+		}
 
-		if($webserver) return strip_tags(trim($webserver));
-		else return false;
+		return strip_tags(trim($webserver));
 	}
 
 	/**
@@ -913,7 +917,7 @@ class InstallRequirements {
 			$this->testing($testDetails);
 			return true;
 		} else {
-			if(!@$result['cannotCreate']) {
+			if(empty($result['cannotCreate'])) {
 				$testDetails[2] .= ". Please create the database manually.";
 			} else {
 				$testDetails[2] .= " (user '$databaseConfig[username]' doesn't have CREATE DATABASE permissions.)";
@@ -972,7 +976,7 @@ class InstallRequirements {
 		$section = $testDetails[0];
 		$test = $testDetails[1];
 
-		$this->tests[$section][$test] = array("error", @$testDetails[2]);
+		$this->tests[$section][$test] = array("error", isset($testDetails[2]) ? $testDetails[2] : null);
 		$this->errors[] = $testDetails;
 	}
 
@@ -980,7 +984,7 @@ class InstallRequirements {
 		$section = $testDetails[0];
 		$test = $testDetails[1];
 
-		$this->tests[$section][$test] = array("warning", @$testDetails[2]);
+		$this->tests[$section][$test] = array("warning", isset($testDetails[2]) ? $testDetails[2] : null);
 		$this->warnings[] = $testDetails;
 	}
 
diff --git a/docs/en/howto/phpunit-configuration.md b/docs/en/howto/phpunit-configuration.md
index fde20de6d..4ac184feb 100644
--- a/docs/en/howto/phpunit-configuration.md
+++ b/docs/en/howto/phpunit-configuration.md
@@ -71,7 +71,7 @@ Example `mysite/_config.php`:
 	// Customized configuration for running with different database settings.
 	// Ensure this code comes after ConfigureFromEnv.php
 	if(Director::isDev()) {
-		if($db = @$_GET['db']) {
+		if(isset($_GET['db']) && ($db = $_GET['db'])) {
 			global $databaseConfig;
 			if($db == 'sqlite3') $databaseConfig['type'] = 'SQLite3Database';
 		}
diff --git a/forms/Form.php b/forms/Form.php
index 7e7398ef2..9f3e6361f 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -651,7 +651,7 @@ class Form extends RequestHandler {
 	 * @return String
 	 */
 	public function getAttribute($name) {
-		return @$this->attributes[$name];
+		if(isset($this->attributes[$name])) return $this->attributes[$name];
 	}
 
 	public function getAttributes() {
diff --git a/forms/FormField.php b/forms/FormField.php
index 16abd410b..e0468164f 100644
--- a/forms/FormField.php
+++ b/forms/FormField.php
@@ -361,7 +361,7 @@ class FormField extends RequestHandler {
 	 */
 	public function getAttribute($name) {
 		$attrs = $this->getAttributes();
-		return @$attrs[$name];
+		if(isset($attrs[$name])) return $attrs[$name];
 	}
 	
 	/**
diff --git a/forms/gridfield/GridField.php b/forms/gridfield/GridField.php
index 33d23100d..a252c108e 100644
--- a/forms/gridfield/GridField.php
+++ b/forms/gridfield/GridField.php
@@ -591,7 +591,8 @@ class GridField extends FormField {
 	public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) {
 		$html = '';
 		$data = $request->requestVars();
-		$fieldData = @$data[$this->getName()];
+		$name = $this->getName();
+		$fieldData = isset($data[$name]) ? $data[$name] : null;
 
 		// Update state from client
 		$state = $this->getState(false);
diff --git a/model/Database.php b/model/Database.php
index 699bb9625..287538614 100644
--- a/model/Database.php
+++ b/model/Database.php
@@ -214,14 +214,16 @@ abstract class SS_Database {
 		foreach($this->schemaUpdateTransaction as $tableName => $changes) {
 			switch($changes['command']) {
 				case 'create':
-				$this->createTable($tableName, $changes['newFields'], $changes['newIndexes'], $changes['options'],
-					@$changes['advancedOptions']);
+					$this->createTable($tableName, $changes['newFields'], $changes['newIndexes'], $changes['options'],
+						isset($changes['advancedOptions']) ? $changes['advancedOptions'] : null
+					);
 					break;
 				
 				case 'alter':
 					$this->alterTable($tableName, $changes['newFields'], $changes['newIndexes'],
-					$changes['alteredFields'], $changes['alteredIndexes'], $changes['alteredOptions'],
-					@$changes['advancedOptions']);
+						$changes['alteredFields'], $changes['alteredIndexes'], $changes['alteredOptions'],
+						isset($changes['advancedOptions']) ? $changes['advancedOptions'] : null
+					);
 					break;
 			}
 		}
diff --git a/model/HTMLValue.php b/model/HTMLValue.php
index e06d3e5d7..fc8d06a19 100644
--- a/model/HTMLValue.php
+++ b/model/HTMLValue.php
@@ -73,10 +73,14 @@ class SS_HTMLValue extends ViewableData {
 		// This behaviour is apparently XML spec, but we don't want this because it messes up the HTML
 		$content = str_replace(chr(13), '', $content);
 
-		return @$this->getDocument()->loadHTML(
+		$errorState = libxml_use_internal_errors(true);
+		$result = $this->getDocument()->loadHTML(
 			'<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>' .
 			"<body>$content</body></html>"
 		);
+		libxml_clear_errors();
+		libxml_use_internal_errors($errorState);
+		return $result;
 	}
 
 	/**
diff --git a/tests/security/BasicAuthTest.php b/tests/security/BasicAuthTest.php
index 4920e4284..f432af400 100644
--- a/tests/security/BasicAuthTest.php
+++ b/tests/security/BasicAuthTest.php
@@ -26,8 +26,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 
 	public function testBasicAuthEnabledWithoutLogin() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		unset($_SERVER['PHP_AUTH_USER']);
 		unset($_SERVER['PHP_AUTH_PW']);
@@ -40,8 +40,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 	
 	public function testBasicAuthDoesntCallActionOrFurtherInitOnAuthFailure() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		unset($_SERVER['PHP_AUTH_USER']);
 		unset($_SERVER['PHP_AUTH_PW']);
@@ -60,8 +60,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 
 	public function testBasicAuthEnabledWithPermission() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		$_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';
 		$_SERVER['PHP_AUTH_PW'] = 'wrongpassword';
@@ -83,8 +83,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 	
 	public function testBasicAuthEnabledWithoutPermission() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		$_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';
 		$_SERVER['PHP_AUTH_PW'] = 'wrongpassword';

From 0cbad41d3b011dd7684b5f862dba9c6dfa1415f6 Mon Sep 17 00:00:00 2001
From: Damian Mooyman <damian.mooyman@gmail.com>
Date: Wed, 5 Mar 2014 11:47:02 +1300
Subject: [PATCH 37/39] Rewrote usages of error suppression operator

---
 control/Director.php                   |  2 +-
 dev/Debug.php                          |  7 ++++++-
 dev/Log.php                            |  4 ++--
 dev/LogErrorEmailFormatter.php         |  4 ++--
 dev/install/install.php5               | 18 +++++++++++-------
 docs/en/howto/phpunit-configuration.md |  2 +-
 forms/Form.php                         |  2 +-
 forms/FormField.php                    |  2 +-
 forms/HtmlEditorSanitiser.php          | 16 ++++++++--------
 forms/gridfield/GridField.php          |  3 ++-
 model/Database.php                     | 10 ++++++----
 model/HTMLValue.php                    |  6 +++++-
 parsers/ShortcodeParser.php            |  4 ++--
 tests/security/BasicAuthTest.php       | 16 ++++++++--------
 14 files changed, 56 insertions(+), 40 deletions(-)

diff --git a/control/Director.php b/control/Director.php
index 3ea35b395..1c9373fef 100644
--- a/control/Director.php
+++ b/control/Director.php
@@ -245,7 +245,7 @@ class Director implements TemplateGlobalProvider {
 		Requirements::set_backend(new Requirements_Backend());
 
 		// Handle absolute URLs
-		if (@parse_url($url, PHP_URL_HOST) != '') {
+		if (parse_url($url, PHP_URL_HOST)) {
 			$bits = parse_url($url);
 			// If a port is mentioned in the absolute URL, be sure to add that into the 
 			// HTTP host
diff --git a/dev/Debug.php b/dev/Debug.php
index 46a0c430f..65d1ed8e6 100644
--- a/dev/Debug.php
+++ b/dev/Debug.php
@@ -401,7 +401,12 @@ class Debug {
 		$reporter = self::create_debug_view();
 		
 		// Coupling alert: This relies on knowledge of how the director gets its URL, it could be improved.
-		$httpRequest = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : @$_REQUEST['url'];
+		$httpRequest = null;
+		if(isset($_SERVER['REQUEST_URI'])) {
+			$httpRequest = $_SERVER['REQUEST_URI'];
+		} elseif(isset($_REQUEST['url'])) {
+			$httpRequest = $_REQUEST['url'];
+		}
 		if(isset($_SERVER['REQUEST_METHOD'])) $httpRequest = $_SERVER['REQUEST_METHOD'] . ' ' . $httpRequest;
 
 		$reporter->writeHeader($httpRequest);
diff --git a/dev/Log.php b/dev/Log.php
index ef70dba89..ade21604e 100644
--- a/dev/Log.php
+++ b/dev/Log.php
@@ -167,8 +167,8 @@ class SS_Log {
 			$message = array(
 				'errno' => '',
 				'errstr' => $message,
-				'errfile' => @$lastTrace['file'],
-				'errline' => @$lastTrace['line'],
+				'errfile' => isset($lastTrace['file']) ? $lastTrace['file'] : null,
+				'errline' => isset($lastTrace['line']) ? $lastTrace['line'] : null,
 				'errcontext' => $trace
 			);
 		}
diff --git a/dev/LogErrorEmailFormatter.php b/dev/LogErrorEmailFormatter.php
index 195aefcfd..b9213005b 100644
--- a/dev/LogErrorEmailFormatter.php
+++ b/dev/LogErrorEmailFormatter.php
@@ -66,8 +66,8 @@ class SS_LogErrorEmailFormatter implements Zend_Log_Formatter_Interface {
 		$relfile = Director::makeRelative($errfile);
 		if($relfile && $relfile[0] == '/') $relfile = substr($relfile, 1);
 		
-		$host = @$_SERVER['HTTP_HOST'];
-		$uri = @$_SERVER['REQUEST_URI'];
+		$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null;
+		$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null;
 
 		$subject = "[$errorType] in $relfile:{$errline} (http://{$host}{$uri})";
 
diff --git a/dev/install/install.php5 b/dev/install/install.php5
index a7dc9fbea..92a90938b 100755
--- a/dev/install/install.php5
+++ b/dev/install/install.php5
@@ -386,11 +386,15 @@ class InstallRequirements {
 	 */
 	function findWebserver() {
 		// Try finding from SERVER_SIGNATURE or SERVER_SOFTWARE
-		$webserver = @$_SERVER['SERVER_SIGNATURE'];
-		if(!$webserver) $webserver = @$_SERVER['SERVER_SOFTWARE'];
+		if(!empty($_SERVER['SERVER_SIGNATURE'])) {
+			$webserver = $_SERVER['SERVER_SIGNATURE'];
+		} elseif(!empty($_SERVER['SERVER_SOFTWARE'])) {
+			$webserver = $_SERVER['SERVER_SOFTWARE'];
+		} else {
+			return false;
+		}
 
-		if($webserver) return strip_tags(trim($webserver));
-		else return false;
+		return strip_tags(trim($webserver));
 	}
 
 	/**
@@ -1116,7 +1120,7 @@ class InstallRequirements {
 			$this->testing($testDetails);
 			return true;
 		} else {
-			if(!@$result['cannotCreate']) {
+			if(empty($result['cannotCreate'])) {
 				$testDetails[2] .= ". Please create the database manually.";
 			} else {
 				$testDetails[2] .= " (user '$databaseConfig[username]' doesn't have CREATE DATABASE permissions.)";
@@ -1194,7 +1198,7 @@ class InstallRequirements {
 		$section = $testDetails[0];
 		$test = $testDetails[1];
 
-		$this->tests[$section][$test] = array("error", @$testDetails[2]);
+		$this->tests[$section][$test] = array("error", isset($testDetails[2]) ? $testDetails[2] : null);
 		$this->errors[] = $testDetails;
 	}
 
@@ -1202,7 +1206,7 @@ class InstallRequirements {
 		$section = $testDetails[0];
 		$test = $testDetails[1];
 
-		$this->tests[$section][$test] = array("warning", @$testDetails[2]);
+		$this->tests[$section][$test] = array("warning", isset($testDetails[2]) ? $testDetails[2] : null);
 		$this->warnings[] = $testDetails;
 	}
 
diff --git a/docs/en/howto/phpunit-configuration.md b/docs/en/howto/phpunit-configuration.md
index fde20de6d..4ac184feb 100644
--- a/docs/en/howto/phpunit-configuration.md
+++ b/docs/en/howto/phpunit-configuration.md
@@ -71,7 +71,7 @@ Example `mysite/_config.php`:
 	// Customized configuration for running with different database settings.
 	// Ensure this code comes after ConfigureFromEnv.php
 	if(Director::isDev()) {
-		if($db = @$_GET['db']) {
+		if(isset($_GET['db']) && ($db = $_GET['db'])) {
 			global $databaseConfig;
 			if($db == 'sqlite3') $databaseConfig['type'] = 'SQLite3Database';
 		}
diff --git a/forms/Form.php b/forms/Form.php
index ca38874eb..2ad6cfbf6 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -683,7 +683,7 @@ class Form extends RequestHandler {
 	 * @return String
 	 */
 	public function getAttribute($name) {
-		return @$this->attributes[$name];
+		if(isset($this->attributes[$name])) return $this->attributes[$name];
 	}
 
 	public function getAttributes() {
diff --git a/forms/FormField.php b/forms/FormField.php
index d69e42199..4007bc627 100644
--- a/forms/FormField.php
+++ b/forms/FormField.php
@@ -358,7 +358,7 @@ class FormField extends RequestHandler {
 	 */
 	public function getAttribute($name) {
 		$attrs = $this->getAttributes();
-		return @$attrs[$name];
+		if(isset($attrs[$name])) return $attrs[$name];
 	}
 	
 	/**
diff --git a/forms/HtmlEditorSanitiser.php b/forms/HtmlEditorSanitiser.php
index a4aa1fe4a..920a750c8 100644
--- a/forms/HtmlEditorSanitiser.php
+++ b/forms/HtmlEditorSanitiser.php
@@ -62,10 +62,10 @@ class HtmlEditorSanitiser {
 		foreach(explode(',', $validElements) as $validElement) {
 			if(preg_match($elementRuleRegExp, $validElement, $matches)) {
 
-				$prefix = @$matches[1];
-				$elementName = @$matches[2];
-				$outputName = @$matches[3];
-				$attrData = @$matches[4];
+				$prefix = isset($matches[1]) ? $matches[1] : null;
+				$elementName = isset($matches[2]) ? $matches[2] : null;
+				$outputName = isset($matches[3]) ? $matches[3] : null;
+				$attrData = isset($matches[4]) ? $matches[4] : null;
 
 				// Create the new element
 				$element = new stdClass();
@@ -91,10 +91,10 @@ class HtmlEditorSanitiser {
 						if(preg_match($attrRuleRegExp, $attr, $matches)) {
 							$attr = new stdClass();
 
-							$attrType = @$matches[1];
-							$attrName = str_replace('::', ':', @$matches[2]);
-							$prefix = @$matches[3];
-							$value = @$matches[4];
+							$attrType = isset($matches[1]) ? $matches[1] : null;
+							$attrName = isset($matches[2]) ? str_replace('::', ':', $matches[2]) : null;
+							$prefix = isset($matches[3]) ? $matches[3] : null;
+							$value = isset($matches[4]) ? $matches[4] : null;
 
 							// Required
 							if($attrType === '!') {
diff --git a/forms/gridfield/GridField.php b/forms/gridfield/GridField.php
index 7a1e3fef4..3e84087b3 100644
--- a/forms/gridfield/GridField.php
+++ b/forms/gridfield/GridField.php
@@ -615,7 +615,8 @@ class GridField extends FormField {
 	public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) {
 		$html = '';
 		$data = $request->requestVars();
-		$fieldData = @$data[$this->getName()];
+		$name = $this->getName();
+		$fieldData = isset($data[$name]) ? $data[$name] : null;
 
 		// Update state from client
 		$state = $this->getState(false);
diff --git a/model/Database.php b/model/Database.php
index 752eb8153..9ea005ae4 100644
--- a/model/Database.php
+++ b/model/Database.php
@@ -211,14 +211,16 @@ abstract class SS_Database {
 		foreach($this->schemaUpdateTransaction as $tableName => $changes) {
 			switch($changes['command']) {
 				case 'create':
-				$this->createTable($tableName, $changes['newFields'], $changes['newIndexes'], $changes['options'],
-					@$changes['advancedOptions']);
+					$this->createTable($tableName, $changes['newFields'], $changes['newIndexes'], $changes['options'],
+						isset($changes['advancedOptions']) ? $changes['advancedOptions'] : null
+					);
 					break;
 				
 				case 'alter':
 					$this->alterTable($tableName, $changes['newFields'], $changes['newIndexes'],
-					$changes['alteredFields'], $changes['alteredIndexes'], $changes['alteredOptions'],
-					@$changes['advancedOptions']);
+						$changes['alteredFields'], $changes['alteredIndexes'], $changes['alteredOptions'],
+						isset($changes['advancedOptions']) ? $changes['advancedOptions'] : null
+					);
 					break;
 			}
 		}
diff --git a/model/HTMLValue.php b/model/HTMLValue.php
index 7888806f4..63e983f1f 100644
--- a/model/HTMLValue.php
+++ b/model/HTMLValue.php
@@ -163,9 +163,13 @@ class SS_HTML4Value extends SS_HTMLValue {
 		// Reset the document if we're in an invalid state for some reason
 		if (!$this->isValid()) $this->setDocument(null);
 
-		return @$this->getDocument()->loadHTML(
+		$errorState = libxml_use_internal_errors(true);
+		$result = $this->getDocument()->loadHTML(
 			'<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>' .
 			"<body>$content</body></html>"
 		);
+		libxml_clear_errors();
+		libxml_use_internal_errors($errorState);
+		return $result;
 	}
 }
diff --git a/parsers/ShortcodeParser.php b/parsers/ShortcodeParser.php
index c091a835a..f4f66eda0 100644
--- a/parsers/ShortcodeParser.php
+++ b/parsers/ShortcodeParser.php
@@ -229,8 +229,8 @@ class ShortcodeParser {
 					'text' => $match[0][0],
 					's' => $match[0][1],
 					'e' => $match[0][1] + strlen($match[0][0]),
-					'open' =>  @$match['open'][0],
-					'close' => @$match['close'][0],
+					'open' =>  isset($match['open'][0]) ? $match['open'][0] : null,
+					'close' => isset($match['close'][0]) ? $match['close'][0] : null,
 					'attrs' => $attrs,
 					'content' => '',
 					'escaped' => !empty($match['oesc'][0]) || !empty($match['cesc1'][0]) || !empty($match['cesc2'][0])
diff --git a/tests/security/BasicAuthTest.php b/tests/security/BasicAuthTest.php
index 649845d03..686db0b50 100644
--- a/tests/security/BasicAuthTest.php
+++ b/tests/security/BasicAuthTest.php
@@ -26,8 +26,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 
 	public function testBasicAuthEnabledWithoutLogin() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		unset($_SERVER['PHP_AUTH_USER']);
 		unset($_SERVER['PHP_AUTH_PW']);
@@ -40,8 +40,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 	
 	public function testBasicAuthDoesntCallActionOrFurtherInitOnAuthFailure() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		unset($_SERVER['PHP_AUTH_USER']);
 		unset($_SERVER['PHP_AUTH_PW']);
@@ -60,8 +60,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 
 	public function testBasicAuthEnabledWithPermission() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		$_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';
 		$_SERVER['PHP_AUTH_PW'] = 'wrongpassword';
@@ -83,8 +83,8 @@ class BasicAuthTest extends FunctionalTest {
 	}
 	
 	public function testBasicAuthEnabledWithoutPermission() {
-		$origUser = @$_SERVER['PHP_AUTH_USER'];
-		$origPw = @$_SERVER['PHP_AUTH_PW'];
+		$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
+		$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
 		
 		$_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';
 		$_SERVER['PHP_AUTH_PW'] = 'wrongpassword';

From 07ca70fce4a4bd7fe458acfa5fc4912f9ebffa3c Mon Sep 17 00:00:00 2001
From: Tim Snadden <tim@snadden.com>
Date: Mon, 10 Mar 2014 11:13:19 +1300
Subject: [PATCH 38/39] Update composer.md

---
 docs/en/installation/composer.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/en/installation/composer.md b/docs/en/installation/composer.md
index f020ebc62..4b11a6e27 100644
--- a/docs/en/installation/composer.md
+++ b/docs/en/installation/composer.md
@@ -116,7 +116,7 @@ So you want to contribute to SilverStripe? Fantastic! You can do this with compo
 You have to tell composer three things in order to be able to do this:
 
   - Keep the full git repository information
-  - Include dependancies marked as "developer" requirements
+  - Include dependencies marked as "developer" requirements
   - Use the development version, not the latest stable version
 
 The first two steps are done as part of the initial create project using additional arguments.
@@ -233,7 +233,7 @@ For more information, read the ["Repositories" chapter of the Composer documenta
 
 ### Forks and branch names
 
-Generally, you should keep using the same pattern of branch names as the main repositories does. If your version is a fork of 3.0, then call the branch `3.0`, not `3.0-myproj` or `myproj`. Otherwise, the depenency resolution gets confused.
+Generally, you should keep using the same pattern of branch names as the main repositories does. If your version is a fork of 3.0, then call the branch `3.0`, not `3.0-myproj` or `myproj`. Otherwise, the dependency resolution gets confused.
 
 Sometimes, however, this isn't feasible.  For example, you might have a number of project forks stored in a single repository, such as your personal github fork of a project.  Or you might be testing/developing a feature branch.  Or it might just be confusing to other team members to call the branch of your modified version `3.0`.
 
@@ -312,4 +312,4 @@ You don't have to, Composer is designed to work on the constraints you set.
 You can declare the ["minimum-stability"](http://getcomposer.org/doc/04-schema.md#minimum-stability)
 on your project as suitable, or even whitelist specific modules as tracking
 a development branch while keeping others to their stable release.
-Read up on [Composer "lock" files](http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file) on how this all fits together.
\ No newline at end of file
+Read up on [Composer "lock" files](http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file) on how this all fits together.

From 21f462a77bb77bf4b283d49211c67899635b727e Mon Sep 17 00:00:00 2001
From: Simon Welsh <simon@simon.geek.nz>
Date: Mon, 10 Mar 2014 22:48:22 +1300
Subject: [PATCH 39/39] Update nginx.md

Provides a nginx.conf that follows nginx good practices and duplicates the functionality of
the .htaccess files in framework, cms and installer.
---
 docs/en/installation/nginx.md | 151 ++++++++++++++++------------------
 1 file changed, 69 insertions(+), 82 deletions(-)

diff --git a/docs/en/installation/nginx.md b/docs/en/installation/nginx.md
index b9390385d..a1f58a488 100644
--- a/docs/en/installation/nginx.md
+++ b/docs/en/installation/nginx.md
@@ -1,6 +1,6 @@
 # Nginx
 
-These instructions are also covered in less detail on the
+These instructions are also covered on the
 [Nginx Wiki](http://wiki.nginx.org/SilverStripe).
 
 The prerequisite is that you have already installed Nginx and you are
@@ -11,92 +11,79 @@ configuration settings:
 
 	server {
 		listen 80;
-		
-		# SSL configuration (optional, but recommended for security)
-		include ssl
-		
-		root /var/www/example.com;
-		index index.php index.html index.htm;
-		
-		server_name example.com;
-		
-		include silverstripe3;
-		include htaccess;
-	}
-
-Here is the include file `silverstripe3`:
-
-	location / {
-		try_files $uri @silverstripe;
-	}
-	 
-	location @silverstripe {
-		include fastcgi_params;
-		
-		# Defend against arbitrary PHP code execution
-		# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
-		# More info:
-		# https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
-		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-		
-		fastcgi_param SCRIPT_FILENAME $document_root/framework/main.php;
-		fastcgi_param SCRIPT_NAME /framework/main.php;
-		fastcgi_param QUERY_STRING url=$uri&$args;
-		
-		fastcgi_pass unix:/var/run/php5-fpm.sock;
-		fastcgi_index index.php;
-		fastcgi_buffer_size 32k;
-		fastcgi_buffers 4 32k;
-		fastcgi_busy_buffers_size 64k;
-	}
-
-
-Here is the include file `htaccess`:
-
-	# Don't serve up any .htaccess files
-	location ~ /\.ht {
-		deny all;
-	}
+		root /path/to/ss/folder;
 	
-	# Deny access to silverstripe-cache
-	location ~ ^/silverstripe-cache {
-		deny all;
-	}
+		server_name site.com www.site.com;
 	
-	# Don't execute scripts in the assets
-	location ^~ /assets/ {
-		try_files $uri $uri/ =404;
-	}
+		location / {
+			try_files $uri /framework/main.php?url=$uri&$query_string;
+		}
 	
-	# Block access to yaml files
-	location ~ \.yml$ {
-		deny all;
-	}
+		error_page 404 /assets/error-404.html;
+		error_page 500 /assets/error-500.html;
 	
-	# cms & framework .htaccess rules
-	location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
-		deny all;
-	}
-	location ~ ^/(cms|framework)/silverstripe_version$ {
-		deny all;
-	}
-	location ~ ^/framework/.*(main|static-main|rpc|tiny_mce_gzip)\.php$ {
-		allow all;
+		location ^~ /assets/ {
+			sendfile on;
+			try_files $uri =404;
+		}
+	
+		location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ {
+			fastcgi_keep_conn on;
+			fastcgi_pass   127.0.0.1:9000;
+			fastcgi_index  index.php;
+			fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+			include        fastcgi_params;
+		}
+	
+		location ~ /(mysite|framework|cms)/.*\.(php|php3|php4|php5|phtml|inc)$ {
+			deny all;
+		}
+	
+		location ~ /\.. {
+			deny all;
+		}
+	
+		location ~ \.ss$ {
+			satisfy any;
+			allow 127.0.0.1;
+			deny all;
+		}
+	
+		location ~ web\.config$ {
+			deny all;
+		}
+	
+		location ~ \.ya?ml$ {
+			deny all;
+		}
+	
+		location ^~ /vendor/ {
+			deny all;
+		}
+	
+		location ~* /silverstripe-cache/ {
+			deny all;
+		}
+	
+		location ~* composer\.(json|lock)$ {
+			deny all;
+		}
+	
+		location ~* /(cms|framework)/silverstripe_version$ {
+			deny all;
+		}
+	
+		location ~ \.php$ {
+	                fastcgi_keep_conn on;
+	                fastcgi_pass   127.0.0.1:9000;
+	                fastcgi_index  index.php;
+	                fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	                include        fastcgi_params;
+		}
 	}
 
-Here is the optional include file `ssl`:
-
-	listen 443 ssl;
-	ssl_certificate server.crt;
-	ssl_certificate_key server.key;
-	ssl_session_timeout 5m;
-	ssl_protocols SSLv3 TLSv1;
-	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
-
-The above configuration sets up a virtual host `example.com` with
-rewrite rules suited for SilverStripe. The location block named
-`@silverstripe` passes all php scripts to the FastCGI-wrapper via a Unix
-socket. This example is from a site running Ubuntu with the php5-fpm
-package.
+The above configuration sets up a virtual host `site.com` with
+rewrite rules suited for SilverStripe. The location block for php files
+passes all php scripts to the FastCGI-wrapper via a TCP socket.
 
 Now you can proceed with the SilverStripe installation normally.