Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically,
it required a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
In-memory caches are typically more resource constrained (number of items and storage space).
Give cache consumers an opt-out if they are expecting to create large caches with long lifetimes.
Use case: https://github.com/silverstripe/silverstripe-assets/pull/282
* Add `getFieldMap` method to retrieve a list of all fields for any given class
* Add `TagsToShortcodeTask` to upgrading guide
Adding after the file migration part as this is where it makes the most sense to run it.
* `getFieldMap` accepts an array
* Move to `DataObjectSchema`
* Add `HTMLVarchar` to documentation
Minor refactoring
* Add test for checking that `subclassesfor` works without the base class
Add test `DataObjectSchema::getFieldMap` returns the correct array
* Remove cms dependency
* NEW Make resources dir configurable.
* Removing reference to old `resources` and updating doc #8519
* Rrtarget to 4.4 release.
* DOC Reference SS_RESOURCES_DIR in Environment doc.
* API Add a Resources method to SilverStripe\Core\Manifest\Module to read the resources-dir from composer.json
* Clean up reference to SS_RESOURCES_DIR env var
* Set default resources-dir
* Update test to use RESOURCES_DIR const in expected resource url method
* Correcting typos
Co-Authored-By: maxime-rainville <maxime@rainville.me>
* MINOR Correctubg minor typos
* DOCS Document the intricacies of exposing static assets.
Check to ensure `self::$extra_methods[$class][$method]` exists before trying to retrieve its value. Silences warnings generated by updating a controller's failover.
Without this change vendor/silverstripe/framework/vendor/silverstripe/config
will be pick up by the manifest, which is inappropriate.
Although this doesn’t happen often, it can occur if you have run
“composer install” within vendor/silverstripe/framework, which can be
done either accidentally or (in my case) as part of running the
framework tests isolated from the rest of your project (which is closer
to the execution model on Travis)
Note that the presence of the ‘nestedvendor.txt’ file tests that this
works without any explicit changes to the PHP of the tests, since it’s
merely confirming that such a file is *not* picked up.
* API Revert addition of Extensible::flush_extra_methods_cache() and change to ExtensionTestState
This reverts the changes from #8465 and #8505 that relate to ExtensionTestState and the
tracking of extra methods between unit tests. The existing test from #8465 testing
overloaded Extensions after extra_methods are populated has been updated to show that you
must re-add the extension to flush the extra_methods cache if you need this behaviour.
* Revert change to InjectorTest::testExtendedExtensions
* Revert "Add failing test to show that overloaded extensions are broken in Extensible"
This reverts commit 55e79ffdfd.
* DOCS Add docs for extending extensions, and upgrade guide note to 4.3 to avoid using PHP config to do so
