silverstripe-framework/docs/en/04_Changelogs/2.4.7.md
2016-01-14 23:59:53 +13:00

56 lines
2.2 KiB
Markdown

# 2.4.7 (2012-02-01)
## Overview
* Security: Cross-site scripting (XSS) on text transformations in templates
* Security: Cross-site scripting (XSS) related to page titles in the CMS
## Upgrading Notes ##
### Security: Cross-site scripting (XSS) on text transformations in templates
The default casting for `Text` and `Varchar` database field classes usually auto-escapes
field values when they are inserted into a template. For some text transformations
on those fields, this wasn't correctly applied. The following methods are affected:
* `AbsoluteLinks()`,
* `BigSummary()`,
* `ContextSummary()`,
* `EscapeXML()`,
* `FirstParagraph()`,
* `FirstSentence()`,
* `Initial()`,
* `LimitCharacters()`,
* `LimitSentences()`,
* `LimitWordCount()`,
* `LimitWordCountXML()`,
* `Lower()`
* `LowerCase()`
* `NoHTML()`,
* `Summary()`,
* `Upper()`
* `UpperCase()`
* `URL()`
If you have used any of these transformations with untrusted values
(e.g. from a user-submitted form), please consider updating.
More info about SilverStripe's casting logic is available in the "[security](/developer_guides/security)" documentation.
### Security: Cross-site scripting (XSS) related to page titles in the CMS
The page title data wasn't escaped correctly in the `SilverStripeNavigator`
as well as the updated page title in the CMS tree after saving.
## Changelog ##
### Bugfixes
* 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)
### Other
* 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
* 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
* 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %>, not >%) (simonwelsh)
* 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)