Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically;
it requires a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
See https://github.com/silverstripe/silverstripe-framework/issues/9232.
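The security fix described above concerns attribute values that are not plain strings (arrays of classes, data attributes and the like) reaching the rendered HTML unescaped. The following is an added illustration of that failure mode and its fix in plain PHP; it is not Silverstripe code, and the function names (`render_attributes_vulnerable`, `render_attributes`, `esc`) and the constructed `$fromRequest` payload are hypothetical.

```php
<?php
// Added example (not Silverstripe code): rendering an HTML attribute list where
// some values arrived from request data and may be arrays rather than strings.
declare(strict_types=1);

function esc(string $value): string
{
    // ENT_QUOTES escapes both " and ' so a value cannot close the attribute it sits in.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: scalar values are escaped, but non-scalar values are
// joined and emitted raw, so any element of the array can break out of the quotes.
function render_attributes_vulnerable(array $attrs): string
{
    $out = '';
    foreach ($attrs as $name => $value) {
        if (is_array($value)) {
            $value = implode(' ', $value);      // never escaped
        } else {
            $value = esc((string) $value);
        }
        $out .= sprintf(' %s="%s"', $name, $value);
    }
    return $out;
}

// Hardened pattern: validate attribute names, flatten non-scalar values,
// and escape every leaf before it is concatenated into the output.
function render_attributes(array $attrs): string
{
    $out = '';
    foreach ($attrs as $name => $value) {
        // Attribute names are never taken from user input; reject anything odd
        // (e.g. an injected "onmouseover" or a name containing quotes or spaces).
        if (!preg_match('/^[a-zA-Z][a-zA-Z0-9-]*$/', (string) $name)) {
            throw new InvalidArgumentException("Invalid attribute name: {$name}");
        }
        if ($value === null || $value === false) {
            continue;                          // omit the attribute entirely
        }
        if ($value === true) {
            $out .= ' ' . $name;               // boolean attribute, e.g. disabled
            continue;
        }
        if (is_array($value)) {
            $leaves = [];
            array_walk_recursive($value, function ($leaf) use (&$leaves): void {
                if (is_scalar($leaf)) {
                    $leaves[] = esc((string) $leaf);   // escape each element
                }
            });
            $value = implode(' ', $leaves);
        } elseif (is_scalar($value)) {
            $value = esc((string) $value);
        } else {
            throw new InvalidArgumentException("Unsupported value type for attribute {$name}");
        }
        $out .= sprintf(' %s="%s"', $name, $value);
    }
    return $out;
}

// Constructed payload: the attacker supplies an array where a string was expected,
// with one element carrying a closing quote and a script tag.
$fromRequest = ['class' => ['field', '"><script>alert(1)</script>']];

echo '<input' . render_attributes_vulnerable($fromRequest) . ">\n";
echo '<input' . render_attributes($fromRequest) . ">\n";
```

With the vulnerable renderer the second array element closes the `class` attribute and the `<script>` element lands in the page as markup; with the hardened renderer the same element is emitted as entity-encoded text inside the attribute. The attribute-name check is the extra caveat a practitioner would want: escaping values does nothing if the key itself can be chosen by the attacker.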
Also simplifies composer instructions a bit:
- Removes composer update --no-dev references, that's a bit of an edge case that people can just discover on getcomposer.org if they need it
- Changed example from the unused and outdated silverstripe/forum to silverstripe/blog
- Updated example versions to 4.x
- Remove "updating composer" section, it now tells you if it's out of date
- Remove ss-auto-git-ignore module reference. The module hasn't been updated in ages, and it's much less necessary now that all relevant modules are on composer
- Add .env example config to getting started docs, I didn't realise it was stripped from the default --prefer-dist composer install
* Remove installer
* Remove exposed install files
* Replace Dev/Install classes still in use
* Update changelog
* FIX make the grid field actions consistent to what they look like on pages
Resolves https://github.com/silverstripe/silverstripe-admin/issues/904
* Docs changes
* Remove overly specific PHP RNG instructions (that's just built into PHP7 through random_bytes now, which will throw if no suitable RNG is available)
* Remove PHP 5 RNG requirements, since we don't support that PHP release anymore
* Remove verbose explanation of PHP 5.6 support
* Remove conflicting instructions for PHP memory limits
* Remove version numbers from supported databases other than MySQL, it's up to the community modules to define that
* Remove Oracle support (code is nine years old!)
* Make "community supported" status clearer on databases, people can draw their own conclusions as open source users on Github
* Remove IIS version number, I think we should just stick to "needs web.config" and not give the impression that this is actively tested
* Remove mention of OSes for web servers, that's kind of irrelevant in today's hosting world (containers, PaaS, etc)
* Shorten install instructions in favour of a "quickstart" and point to lessons instead
* Remove mention of archive download option, we really shouldn't promote this - composer is the de-facto standard
* Add generic descriptions of the hosting environment considerations without going too much into specifics
* Remove Apache version number, we don't test on different versions, and really mostly rely on mod_rewrite working properly. Laravel does the same (doesn't claim specific Apache version support)
* DOCS File migration changes for 4.4.0
See https://github.com/silverstripe/silverstripe-versioned/issues/177
* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md
Co-Authored-By: chillu <ingo@silverstripe.com>
* Corrected statements on archived/versioned files
* Corrected statement on filesystem paths of protected vs. public
* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md
Co-Authored-By: chillu <ingo@silverstripe.com>
* Clarify redirect behaviour
* NEW Make resources dir configurable.
* Removing reference to old `resources` and updating doc #8519
* Retarget to 4.4 release.
* DOC Reference SS_RESOURCES_DIR in Environment doc.
* API Add a Resources method to SilverStripe\Core\Manifest\Module to read the resources-dir from composer.json
* Clean up reference to SS_RESOURCES_DIR env var
* Set default resources-dir
* Update test to use RESOURCES_DIR const in expected resource url method
* Correcting typos
Co-Authored-By: maxime-rainville <maxime@rainville.me>
* MINOR Correcting minor typos
* DOCS Document the intricacies of exposing static assets.
* API Revert addition of Extensible::flush_extra_methods_cache() and change to ExtensionTestState
This reverts the changes from #8465 and #8505 that relate to ExtensionTestState and the
tracking of extra methods between unit tests. The existing test from #8465 testing
overloaded Extensions after extra_methods are populated has been updated to show that you
must re-add the extension to flush the extra_methods cache if you need this behaviour.
* Revert change to InjectorTest::testExtendedExtensions
* Revert "Add failing test to show that overloaded extensions are broken in Extensible"
This reverts commit 55e79ffdfd.
* DOCS Add docs for extending extensions, and upgrade guide note to 4.3 to avoid using PHP config to do so
This change also renders a portion of DBSchemaManager irrelevant, that
destructively “fixes” old values. This is in keeping with the
non-destructive principle of dev/build, and some suggestions to move
away from enum fields altogether.
Fixes https://github.com/silverstripe/silverstripe-framework/issues/1387
* NEW: Add Hierarchy::prepopulate_numchildren_cache()
API: Hierarchy::stageChildren() customisations must be applied to the base class and not include record-specific behaviour.
Adds the ability to prepopulate the cache for Hierarchy::numChildren()
in a batch.
Note that this optimisation means that stageChildren() is not called on
each record in order to calculate numChildren(). This means that the
structure of the stageChildren() query must be the same for all records
and the behaviour cannot be customised only for a subclass of the base
data class. For example, apply your customisations to SiteTree and not
a subclass.
This is a useful part of optimising the query count on tree generation.
See https://github.com/silverstripe/silverstripe-framework/issues/8379
* NEW: Add Hierarchy::prepopulateTreeDataCache()
This provides a more extensible way of prepopulating caches for optimised
tree generation.
Fixes https://github.com/silverstripe/silverstripe-framework/issues/8391
They're already present in the new upgrading guide
Folded upgrading "list of changes" into 4.0.0 guide
They duplicate each other, and create confusion in the upgrading
doc because there's *both* an "overview" of changes at the top,
and "important changes" at the bottom - why are they at the bottom when they're important?
Added "skip" and "continue" anchor links
[ci skip]