commit
debd81d380
@ -84,7 +84,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
|
|||||||
));
|
));
|
||||||
$columns->setFieldFormatting(array(
|
$columns->setFieldFormatting(array(
|
||||||
'Breadcrumbs' => function($val, $item) {
|
'Breadcrumbs' => function($val, $item) {
|
||||||
return $item->getBreadcrumbs(' > ');
|
return Convert::raw2xml($item->getBreadcrumbs(' > '));
|
||||||
}
|
}
|
||||||
));
|
));
|
||||||
|
|
||||||
|
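--- /dev/null
+++ b/docs/en/changelogs/rc/3.1.0-rc3.md
@@ -0,0 +1,21 @@
+# 3.1.0-rc3
+
+## Overview
+
+### Security: XSS in CMS "Security" section (SS-2013-007)
+
+See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
+
+### Security: XSS in form validation errors (SS-2013-008)
+
+See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
+
+### Security: XSS in CMS "Pages" section (SS-2013-009)
+
+See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+
+### API: Form validation message no longer allow HTML
+
+Due to cross-site scripting concerns when user data is used for form messages,
+it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
+in the `FormField->validate()` API.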
@ -155,6 +155,10 @@ class Form extends RequestHandler {
|
|||||||
'forTemplate',
|
'forTemplate',
|
||||||
);
|
);
|
||||||
|
|
||||||
|
private static $casting = array(
|
||||||
|
'Message' => 'Text'
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a new form, with the given fields an action buttons.
|
* Create a new form, with the given fields an action buttons.
|
||||||
*
|
*
|
||||||
@ -491,7 +495,7 @@ class Form extends RequestHandler {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add an error message to a field on this form. It will be saved into the session
|
* Add a plain text error message to a field on this form. It will be saved into the session
|
||||||
* and used the next time this form is displayed.
|
* and used the next time this form is displayed.
|
||||||
*/
|
*/
|
||||||
public function addErrorMessage($fieldName, $message, $messageType) {
|
public function addErrorMessage($fieldName, $message, $messageType) {
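Review bot: The reworded docblock promises a "plain text" message but does not say where that guarantee comes from, so a caller reading only this method cannot tell whether to pre-escape; if, as the name suggests, the stored message is the same `Message` that the new `'Message' => 'Text'` casting earlier in this file covers, it is escaped at render time and any entities passed in here would be double-escaped. I would add `@param string $fieldName`, `@param string $message Plain text; escaped when rendered, so do not pass pre-escaped HTML` and `@param string $messageType` to the docblock so the contract is explicit. `$messageType` is not covered by the new casting; presumably it only ever holds one of the fixed CSS class names chosen by application code, but that assumption is worth stating in the docblock. The body of addErrorMessage() continues outside the hunk.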
|
||||||
|
@ -93,6 +93,10 @@ class FormField extends RequestHandler {
|
|||||||
*/
|
*/
|
||||||
protected $attributes = array();
|
protected $attributes = array();
|
||||||
|
|
||||||
|
private static $casting = array(
|
||||||
|
'Message' => 'Text'
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Takes a fieldname and converts camelcase to spaced
|
* Takes a fieldname and converts camelcase to spaced
|
||||||
* words. Also resolves combined fieldnames with dot syntax
|
* words. Also resolves combined fieldnames with dot syntax
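Review bot: The new `$casting` entry makes `Message` escape on output, but nothing in the hunk records why, so a later subclass that declares its own `'Message' => 'HTMLText'` (which, if I read SilverStripe's per-key config merging correctly, would take precedence over this value) silently reopens the hole this commit closes. I would add a comment above the array: `// Field messages are plain text and escaped at render time (SS-2013-008); subclasses must not recast Message as HTML.`. Whether every template path that prints a field's message actually goes through casting is outside the hunk, so the templates that output `$Message` are worth checking alongside this change.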
|
||||||
|
@ -269,9 +269,23 @@ class TreeDropdownField extends FormField {
|
|||||||
$obj->markToExpose($this->objectForKey($value));
|
$obj->markToExpose($this->objectForKey($value));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$eval = '"<li id=\"selector-' . $this->getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->'
|
|
||||||
. $this->keyField . '\" class=\"class-$child->class"'
|
$self = $this;
|
||||||
. ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"';
|
$escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');
|
||||||
|
$titleFn = function(&$child) use(&$self, $escapeLabelField) {
|
||||||
|
$keyField = $self->keyField;
|
||||||
|
$labelField = $self->labelField;
|
||||||
|
return sprintf(
|
||||||
|
'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
|
||||||
|
Convert::raw2xml($self->getName()),
|
||||||
|
Convert::raw2xml($child->$keyField),
|
||||||
|
Convert::raw2xml($child->$keyField),
|
||||||
|
Convert::raw2xml($child->class),
|
||||||
|
Convert::raw2xml($child->markingClasses()),
|
||||||
|
(int)$child->ID,
|
||||||
|
$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
// Limit the amount of nodes shown for performance reasons.
|
// Limit the amount of nodes shown for performance reasons.
|
||||||
// Skip the check if we're filtering the tree, since its not clear how many children will
|
// Skip the check if we're filtering the tree, since its not clear how many children will
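Review bot: The closure captures `$self` by reference (`use(&$self, $escapeLabelField)`) and re-reads `$self->keyField`, `$self->labelField` and `Convert::raw2xml($self->getName())` for every child, although none of them appear to change while the tree is rendered; capturing by value is the usual PHP 5.3 idiom for a read-only alias of `$this`, and the per-child lookups can be hoisted out of the closure. The unescaped branch, `$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField`, also deserves a comment: it emits the stored value verbatim whenever `escapeTypeForField()` reports 'xml', which is presumably the field's declared casting saying the value is already markup, so the rendered label is then only as safe as whatever was stored in that field. Suggested shape, with the sprintf() argument list otherwise as in the hunk:
```php
$name = Convert::raw2xml($this->getName());
$keyField = $this->keyField;
$labelField = $this->labelField;
// Skip escaping only when the label field's casting declares it already-escaped markup;
// in that case the stored value is emitted as-is.
$escapeLabelField = ($obj->escapeTypeForField($labelField) != 'xml');
$titleFn = function(&$child) use($name, $keyField, $labelField, $escapeLabelField) {
	return sprintf(
		'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
		$name,
		// … unchanged: remaining sprintf() arguments …
	);
};
```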
|
||||||
@ -294,7 +308,7 @@ class TreeDropdownField extends FormField {
|
|||||||
if($isSubTree) {
|
if($isSubTree) {
|
||||||
$html = $obj->getChildrenAsUL(
|
$html = $obj->getChildrenAsUL(
|
||||||
"",
|
"",
|
||||||
$eval,
|
$titleFn,
|
||||||
null,
|
null,
|
||||||
true,
|
true,
|
||||||
$this->childrenMethod,
|
$this->childrenMethod,
|
||||||
@ -307,7 +321,7 @@ class TreeDropdownField extends FormField {
|
|||||||
} else {
|
} else {
|
||||||
$html = $obj->getChildrenAsUL(
|
$html = $obj->getChildrenAsUL(
|
||||||
'class="tree"',
|
'class="tree"',
|
||||||
$eval,
|
$titleFn,
|
||||||
null,
|
null,
|
||||||
true,
|
true,
|
||||||
$this->childrenMethod,
|
$this->childrenMethod,
|
||||||
|
@ -95,10 +95,15 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify custom formatting for fields, e.g. to render a link instead of pure text.
|
* Specify custom formatting for fields, e.g. to render a link instead of pure text.
|
||||||
|
*
|
||||||
* Caution: Make sure to escape special php-characters like in a normal php-statement.
|
* Caution: Make sure to escape special php-characters like in a normal php-statement.
|
||||||
* Example: "myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
|
* Example: "myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
|
||||||
|
*
|
||||||
* Alternatively, pass a anonymous function, which takes two parameters:
|
* Alternatively, pass a anonymous function, which takes two parameters:
|
||||||
* The value and the original list item.
|
* The value and the original list item.
|
||||||
|
*
|
||||||
|
* Formatting is applied after field casting, so if you're modifying the string
|
||||||
|
* to include further data through custom formatting, ensure it's correctly escaped.
|
||||||
*
|
*
|
||||||
* @param array $formatting
|
* @param array $formatting
|
||||||
*/
|
*/
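Review bot: The added caveat ("Formatting is applied after field casting ... ensure it's correctly escaped") sits a few lines below an example, `'<a href=\"custom-admin/$ID\">$ID</a>'`, that interpolates a field straight into markup with no escaping, so the docblock now contradicts itself for anyone copying the example. I would qualify the example with a line such as `* ($ID is safe to interpolate only because it is an integer; string fields must go through Convert::raw2xml() or an equivalent escaper.)`. The retained sentence about escaping "special php-characters like in a normal php-statement" is also vague about what consumes the string; if the format string is evaluated, as that phrasing suggests, saying so explicitly would make the escaping requirement concrete. setFieldFormatting() itself begins after the hunk.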
|
||||||
|