# 2.4.7 (2012-02-01)

## Overview

* Security: Cross-site scripting (XSS) on text transformations in templates
* Security: Cross-site scripting (XSS) related to page titles in the CMS

## Upgrading Notes ##

### Security: Cross-site scripting (XSS) on text transformations in templates

The default casting for `Text` and `Varchar` database field classes usually auto-escapes field values when they are inserted into a template. For some text transformations on those fields, this wasn't correctly applied. The following methods are affected:

* `AbsoluteLinks()`
* `BigSummary()`
* `ContextSummary()`
* `EscapeXML()`
* `FirstParagraph()`
* `FirstSentence()`
* `Initial()`
* `LimitCharacters()`
* `LimitSentences()`
* `LimitWordCount()`
* `LimitWordCountXML()`
* `Lower()`
* `LowerCase()`
* `NoHTML()`
* `Summary()`
* `Upper()`
* `UpperCase()`
* `URL()`

If you have used any of these transformations with untrusted values (e.g. from a user-submitted form), please consider updating. More info about SilverStripe's casting logic is available in the "[security](/developer_guides/security)" documentation.

### Security: Cross-site scripting (XSS) related to page titles in the CMS

The page title data wasn't escaped correctly in the `SilverStripeNavigator`, nor was the updated page title in the CMS tree after saving.

## Changelog ##

### Bugfixes

* 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)

### Other

* 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
* 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
* 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %>, not >%) (simonwelsh)
* 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)
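Both security notes above come down to the same defect: a helper transforms a field value (truncation in the template case, a page title in the navigator case) and the result reaches the template or the generated JS without passing through the escaping step. The following is an added illustration, not SilverStripe's own code or API: a stand-alone PHP script with a minimal stand-in for a `Text` field helper (`limitCharacters`), a hypothetical `SafeHtml` wrapper standing in for the framework's cast-to-safe-value step, and a constructed untrusted title. It contrasts the pre-fix pattern (helper output treated as already safe) with the fixed pattern (helper return value cast through escaping).

```php
<?php
// Added example, not SilverStripe code. Models why a text transformation's
// return value must still be escaped before it lands in a template.
declare(strict_types=1);

/** Escape a raw string for an HTML text or attribute context. */
function escapeXml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Hypothetical wrapper: marks a string as already escaped, safe to echo as-is. */
final class SafeHtml
{
    private string $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }

    public function __toString(): string
    {
        return $this->html;
    }
}

/** Stand-in for LimitCharacters(): cut to $limit characters, append $add if cut. */
function limitCharacters(string $raw, int $limit = 20, string $add = '...'): string
{
    return mb_strlen($raw) <= $limit ? $raw : mb_substr($raw, 0, $limit) . $add;
}

/**
 * Pre-fix pattern: the helper returns a plain string and the template layer
 * assumes helper output is already safe, so the raw markup is emitted.
 */
function renderVulnerable(string $raw): string
{
    return '<h1>' . limitCharacters($raw) . '</h1>';
}

/**
 * Fixed pattern: the helper's return value is cast through escaping, so the
 * template only ever receives a SafeHtml value.
 */
function renderFixed(string $raw): string
{
    $safe = new SafeHtml(escapeXml(limitCharacters($raw)));
    return '<h1>' . $safe . '</h1>';
}

/** Crude self-check: does the rendered HTML still contain a live opening tag? */
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed untrusted input, e.g. a page title submitted through a form.
$untrusted = 'Hello <script>alert(1)</script> world';

$bad  = renderVulnerable($untrusted);
$good = renderFixed($untrusted);

assert(containsRawTag($bad, 'script'));    // tag survives truncation: XSS
assert(!containsRawTag($good, 'script'));  // tag neutralised by escaping
assert($good === '<h1>Hello &lt;script&gt;alert(...</h1>');

echo "vulnerable: $bad\nfixed:      $good\n";
```

Run it with `php -d zend.assertions=1 example.php`. Escaping the return value, rather than the helper's input, is the order the fix commit above describes ("Casting return values on text helper methods") and it also avoids a second problem: truncating already-escaped text can cut an entity such as `&amp;` in half, producing broken output.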