mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
56 lines
2.2 KiB
Markdown
56 lines
2.2 KiB
Markdown
# 2.4.7 (2012-02-01)
|
|
|
|
## Overview
|
|
|
|
* Security: Cross-site scripting (XSS) on text transformations in templates
|
|
* Security: Cross-site scripting (XSS) related to page titles in the CMS
|
|
|
|
## Upgrading Notes ##
|
|
|
|
### Security: Cross-site scripting (XSS) on text transformations in templates
|
|
|
|
The default casting for `Text` and `Varchar` database field classes usually auto-escapes
|
|
field values when they are inserted into a template. For some text transformations
|
|
on those fields, this wasn't correctly applied. The following methods are affected:
|
|
|
|
* `AbsoluteLinks()`,
|
|
* `BigSummary()`,
|
|
* `ContextSummary()`,
|
|
* `EscapeXML()`,
|
|
* `FirstParagraph()`,
|
|
* `FirstSentence()`,
|
|
* `Initial()`,
|
|
* `LimitCharacters()`,
|
|
* `LimitSentences()`,
|
|
* `LimitWordCount()`,
|
|
* `LimitWordCountXML()`,
|
|
* `Lower()`
|
|
* `LowerCase()`
|
|
* `NoHTML()`,
|
|
* `Summary()`,
|
|
* `Upper()`
|
|
* `UpperCase()`
|
|
* `URL()`
|
|
|
|
If you have used any of these transformations with untrusted values
|
|
(e.g. from a user-submitted form), please consider updating.
|
|
More info about SilverStripe's casting logic is available in the "[security](/developer_guides/security)" documentation.
|
|
|
|
### Security: Cross-site scripting (XSS) related to page titles in the CMS
|
|
|
|
The page title data wasn't escaped correctly in the `SilverStripeNavigator`
|
|
as well as the updated page title in the CMS tree after saving.
|
|
|
|
## Changelog ##
|
|
|
|
### Bugfixes
|
|
|
|
* 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)
|
|
|
|
### Other
|
|
|
|
* 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
|
|
* 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
|
|
* 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %>, not >%) (simonwelsh)
|
|
* 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)
|