Daniel Hensby
8015919932
Be defensive with token availability
2015-08-27 17:58:43 +01:00
Daniel Hensby
899eb0b235
FIX Use complete fieldlist for extracting data
2015-08-27 17:58:19 +01:00
Daniel Hensby
2b9ccda06b
Fixing doc block issues
2015-06-14 12:49:37 +01:00
Stig Lindqvist
95860e9229
Update and fix PHP docblocks, document spelling mistakes and strip trailing whitespace on Form.php
2015-06-12 10:28:32 +12:00
Damian Mooyman
0a8f328947
Fix merge / test regressions
2015-05-28 16:59:05 +12:00
Damian Mooyman
22a35e48a9
BUG Fix malformed urls redirecting to external sites
2015-05-28 10:12:18 +12:00
Damian Mooyman
53c40a94fa
API Enable re-authentication within the CMS if a user session is lost
...
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Sean Harvey
0e07f1a7f5
Merge remote-tracking branch 'origin/3.0' into 3.1
2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b
FIX Opt-out of form message escaping (fixes #2796)
...
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/ .
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.
We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803 .
2014-08-22 16:59:34 +12:00
Phill Price
b2455f2d20
Update Form.php
...
tiny typo
2014-06-10 13:50:28 +01:00
Simon Welsh
310e90d412
Merge pull request #2751 from axyr/patch-1
...
formHtmlContent() uses missing FormEncType() call
2014-03-15 21:12:44 +13:00
Damian Mooyman
0cbad41d3b
Rewrote usages of error suppression operator
2014-03-05 15:48:55 +13:00
Damian Mooyman
6d5d3d8cb7
Rewrote usages of error suppression operator
2014-03-05 14:22:19 +13:00
Will Rossiter
c74137e679
FIX: getMessageFromSession returning null on first access
2014-02-28 21:24:16 +13:00
Loz Calver
058219c0ee
NEW: Forms with invalid/expired SecurityIDs are repopulated (fixes #1891)
2014-02-09 10:19:24 +00:00
Martijn
180bae826a
formHtmlContent() uses missing FormEncType() call
...
it needs to call $this->getEncType() instead..
2014-01-02 10:44:00 +01:00
Loz Calver
3172c7732e
Allow setting of specific form actions that do not require validation
...
Move validation exemptions into CMSForm
Also fix buttonClicked() to skip CompositeField
Whitespace
Adding unit tests
2013-10-04 10:30:20 +01:00
Ingo Schommer
2e3511bc5f
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
docs/en/changelogs/3.0.6.md
forms/Form.php
forms/FormField.php
forms/TreeDropdownField.php
2013-09-27 18:50:47 +02:00
Ingo Schommer
debd81d380
Merge pull request #2453 from chillu/pulls/escape-3.1.0
...
Escaping 3.1
2013-09-25 16:02:45 -07:00
Ingo Schommer
c243418597
API Escape form validation messages (SS-2013-008)
2013-09-24 21:54:31 +02:00
Ingo Schommer
2b7a2a289e
API Escape form validation messages (SS-2013-008)
2013-09-24 21:41:21 +02:00
Ingo Schommer
48021e9fd3
Merge pull request #2166 from dhensby/patch-2
...
FormFields now allow setting of extra CSSClasses en masse
2013-09-24 11:50:01 -07:00
Ingo Schommer
1bb993b0b3
Form errors in LeftAndMain response negotiation
...
The session key for form errors changed from "Form_EditForm" to "CMSForm_EditForm",
causing a mismatch. See https://github.com/silverstripe/silverstripe-framework/pull/2084/files#r6338249 for discussion
2013-09-18 14:30:37 +02:00
Daniel Hensby
336ddf1a55
FormFields now allow setting of extra CSSClasses en masse
...
Each CSS class passed in to `addExtraClass` or `removeExtraClass` will be set as their own key in the `extraClasses` array
Also make `Form` consistent with `FormField`
2013-06-29 13:27:26 +01:00
Ingo Schommer
09b31c642f
Allow Form->forTemplate() URL access (fixes #788)
...
Need to specifically whitelist URL-accessible actions now.
Used in "Insert Link" form in HtmlEditorField.
Regression from 1edf45fbed
2013-06-25 16:33:00 +02:00
Ingo Schommer
fb784af738
API Enforce $allowed_actions in RequestHandler->checkAccessAction()
...
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk
Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.
Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Ingo Schommer
63eb9518d2
Consistent Form setters (returning $this on setHTMLID())
2013-06-13 07:51:08 +02:00
Ingo Schommer
bfff11eb9c
API New CMSForm class to allow validation responses in CMS (fixes #1777)
...
Thanks to @willmorgan for getting this discussion started
(see https://github.com/silverstripe/sapphire/pull/1814).
2013-06-13 07:51:05 +02:00
uniun
5596442081
FIX: Form::set_current_action() never gets called.
2013-05-24 11:25:36 +03:00
Ingo Schommer
14c59be85e
API Form::setStrictFormMethodCheck() and strict argument to setFormMethod()
...
Thanks to @sminnee for getting this started
2013-05-08 10:25:13 +02:00
Will Morgan
9732a7fb3b
Fixing typo on Validator exception message
2013-04-24 18:50:40 +02:00
uniun
4d70daa9e2
BUG: HiddenFields and VisibleFields should always return extraFields
...
HiddenFields() and VisibleFields() should always return extraFields, e.g. HiddenFields doesn't return SecurityID if it is called before Fields().
2013-04-17 20:31:17 +02:00
Ingo Schommer
3334eafcb1
API Marked statics private, use Config API instead (#8317)
...
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
0a9f3b75a9
Fixed deprecated usage of <% control %>
2013-03-19 12:58:14 +01:00
Ingo Schommer
25af4adce2
Merge tag '3.0.5' into 3.0
2013-02-20 02:21:41 +01:00
Ingo Schommer
16d0c188ee
BUG Find Form actions in CompositeFields for access checks
...
This bug was introduced with the new nested CMS actions
around December 2012, but wasn't noticed until now
because checkAccessAction() would wrongly return TRUE
before the dataFieldByName() check was reached.
2013-02-19 15:48:29 +01:00
Graeme Smith
a1114b8fcb
MINOR: Correct exception message in constructor
2013-02-18 15:01:48 +00:00
Ingo Schommer
14dcc82e76
BUG Find Form actions in CompositeFields for access checks
...
This bug was introduced with the new nested CMS actions
around December 2012, but wasn't noticed until now
because checkAccessAction() would wrongly return TRUE
before the dataFieldByName() check was reached.
2013-02-18 15:30:36 +01:00
Ingo Schommer
92458d9f43
Fixed line lengths
2013-02-18 14:41:49 +01:00
Ingo Schommer
634c91c6ff
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
email/Mailer.php
2013-01-30 12:46:24 +01:00
Sam Minnee
9a2ba483df
BUGFIX: Made CSRF-error wording friendlier.
2013-01-29 18:03:49 +01:00
Simon Welsh
3439e30ac1
Corrects indentation and line length
2013-01-24 19:56:02 +13:00
Ingo Schommer
37f4d2e21f
Merge remote-tracking branch 'origin/3.0' into 3.1
2013-01-21 11:15:17 +01:00
Ingo Schommer
c11b3918fc
Merge remote-tracking branch 'origin/3.0' into 3.1
...
Conflicts:
admin/css/screen.css
admin/scss/_style.scss
core/PaginatedList.php
email/Mailer.php
2013-01-21 11:14:57 +01:00
Ingo Schommer
5d37d55f35
BUG Form session message clearing regression
...
Regression originally from 729bcc95, but made visible by 014f541a8
2013-01-21 11:11:21 +01:00
Ingo Schommer
014f541a89
BUG Regression in Form->clearMessage() (fixes #8186)
...
See 729bcc9
2013-01-15 14:25:07 +01:00
Ingo Schommer
e7e6c45aee
Merge pull request #1082 from sminnee/form-improvements
...
Form improvements
2013-01-11 02:29:14 -08:00
Hamish Friedlander
2916f2043c
NEW: Improve HTTP caching logic to automatically disable caching for requests that use the session.
...
This improvement makes it easier to set a site-wide default cache time without needing to worry about CSRF-protected forms, etc.
2013-01-08 17:47:05 +13:00
Sam Minnee
729bcc95db
BUGFIX: Don't clear form messages unless forTemplate() is actually called.
...
BUGFIX: Clear session-stored form data as well as form error message.
2013-01-08 17:45:17 +13:00
Ingo Schommer
644cc79ebb
API Removed methods previously deprecated in 3.0
2012-12-14 01:16:47 +01:00