Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically,
it required a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
* Add `getFieldMap` method to retrieve a list of all fields for any given class
* Add `TagsToShortcodeTask` to upgrading guide
Adding after the file migration part as this is where it makes the most sense to run it.
* `getFieldMap` accepts an array
* Move to `DataObjectSchema`
* Add `HTMLVarchar` to documentation
Minor refactoring
* Add test for checking that `subclassesfor` works without the base class
Add test `DataObjectSchema::getFieldMap` returns the correct array
* Remove cms dependency
Currently the email documentation provides an example of how to use the SMTP adapter in SwiftMailer, but this example hardcodes the password in the config file which is a security issue. It is possible to reference environment variables instead, so we should document and encourage this.
* DOCS File migration changes for 4.4.0
See https://github.com/silverstripe/silverstripe-versioned/issues/177
* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md
Co-Authored-By: chillu <ingo@silverstripe.com>
* Corrected statements on archived/versioned files
* Corrected statement on filesystem paths of protected vs. public
* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md
Co-Authored-By: chillu <ingo@silverstripe.com>
* Clarify redirect behaviour
The upgrading docs reference webconfig.php, which is incorrect and has never existed. I presume the docs mean to reference web.config, which is the IIS configuration file.
I've also fixed a couple of minor spelling mistakes and mentioned Apache for htaccess and IIS for web.config so people know what they're for.
[ci skip]
Following the example will give the following error;
```[Emergency] Uncaught Error: Class {my namespace}\Permission not found```
Added the missing class