Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically,
it required a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
When constructing a FormField, an IDE would previously tell you the `$title` needs to be string (or null). Let's make it more clear that a ViewableData instance (such as `HTMLValue::create($title)`) is also accepted. This should help people more quickly find a solution to put html in labels.
it's not very likely to happen (it did in my case :-) ) but if the value is an array, sprintf will fail (because raw2att accepts array, but sprintf doesn't). i suggest to json encode any array data to ensure it's safely included in the html. Or we should throw proper exceptions to make sure invalid values do not result in a php error.
Prevent html errors when FormField::create_tag('meta') is called from $MetaTags() so
```
<meta name="generator" content="SilverStripe - http://silverstripe.org"></meta>
```
becomes
```
<meta name="generator" content="SilverStripe - http://silverstripe.org" />
```
Add all void elements to list
API Substitute Zend_Locale with Locale / NumberFormatter
API Substitute Zend_Date with IntlDateFormatter
API Added DBTIme::Nice12, FormatFromSettings
API Added Short() method to DBDate / DBTime / DBDatetime
API Add Date::getTimestamp()
API Added setSubmittedValue api for FormField
API Add second arg to base FormField::setValue()
API Major refactor of i18n into component data parts
API Implement Resettable interface to reset objects between tests
ENHANCEMENT Changed DBField::create_field return type to `static` to support better type hinting
ENHANCEMENT i18nTextCollector supports __CLASS__
Loz Calver
Viktor Szépe
Guy Sartorelli
Steve Boyd
Tyler
Loz Calver
Maxime Rainville
Sam Minnee
Nicolaas
William Desportes
Robbie Averill
Daniel Hensby
Serge Latyntcev
JorisDebonnet
Nicholas Sorokin
Robbie Averill
shoosah
Will Rossiter
Thomas Portelange
Damian Mooyman
Andrew Aitken-Fincham
Saophalkun Ponlu
Daniel Hensby
Ralph Slooten
Christopher Joe
Ingo Schommer
Colin Tucker