silverstripe-framework/security
Ingo Schommer 0bae1826bb FIX Opt-out of form message escaping (fixes #2796)
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/.
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.

We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803.
2014-08-22 09:08:55 +12:00
Authenticator.php Merged changes from 2.3 branch 2009-02-01 23:49:53 +00:00
BasicAuth.php MINOR Checking for class_exists() before SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332) 2011-02-02 14:20:03 +13:00
ChangePasswordForm.php BUGFIX Avoid potential referer leaking in Security->changepassword() form by storing Member->AutoLoginHash in session instead of 'h' GET parameter (from r114758) 2011-02-02 14:20:05 +13:00
Group.php FIX Privilege escalation through Group hierarchy setting (SS-2013-003) 2013-09-12 15:38:56 +02:00
GroupCsvBulkLoader.php ENHANCEMENT Added GroupCsvBulkLoader class to facilitate group imports with permission codes and hierarchy (merged from r94252) 2011-02-02 14:18:30 +13:00
LoginAttempt.php Merged from branches/2.3 2009-04-29 00:07:39 +00:00
LoginForm.php Merged from branches/nzct-trunk. Use 'svn log -c <changeset> -g' for full commit message. Merge includes stability fixes and minor refactor of TableListField and ComplexTableField. 2008-10-08 02:00:12 +00:00
Member.php API Hash autologin tokens before storing in the database. 2012-11-09 12:03:55 +01:00
MemberAuthenticator.php Failed login message translation fallback 2013-09-16 15:33:42 +12:00
MemberCsvBulkLoader.php ENHANCEMENT MemberCsvBulkLoader for easy member import with group associations (merged from r94251) 2011-02-02 14:18:30 +13:00
MemberLoginForm.php FIX Opt-out of form message escaping (fixes #2796) 2014-08-22 09:08:55 +12:00
MemberPassword.php ENHANCEMENT Pluggable password encryption through PasswordEncryptor class (#3665) (merged from r90949) 2011-02-02 14:17:36 +13:00
NZGovtPasswordValidator.php MINOR Unified @package PHPdoc (added where missing, removed duplicates) 2008-06-15 13:33:53 +00:00
PasswordEncryptor.php API Hash autologin tokens before storing in the database. 2012-11-09 12:03:55 +01:00
PasswordValidator.php MINOR Fixed hardcoded error message in PasswordValidator (fixes #5734) 2011-02-02 14:19:32 +13:00
Permission.php FIX Privilege escalation through Group hierarchy setting (SS-2013-003) 2013-09-12 15:38:56 +02:00
PermissionCheckboxSetField.php FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005) 2013-09-12 15:38:59 +02:00
PermissionProvider.php MINOR Unified @package PHPdoc (added where missing, removed duplicates) 2008-06-15 13:33:53 +00:00
PermissionRole.php FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) 2013-09-12 15:38:59 +02:00
PermissionRoleCode.php FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) 2013-09-12 15:38:59 +02:00
RandomGenerator.php API Hash autologin tokens before storing in the database. 2012-11-09 12:03:55 +01:00
Security.php BUGFIX Keep Member.PasswordEncryption setting on empty passwords 2013-02-17 23:16:25 +01:00
SecurityToken.php API Hash autologin tokens before storing in the database. 2012-11-09 12:03:55 +01:00