silverstripe-framework/docs/en/04_Changelogs/rc/3.5.0-rc3.md

# 3.5.0-rc3

<!--- Changes below this line will be automatically regenerated -->

## Change Log

### Security

 * 2016-11-11 [4440b88](https://github.com/silverstripe/silverstripe-framework/commit/4440b887304fe80ca77366800457cbc2ac705654) Form@httpSubmission will no longer load submitted data to disabled or readonly fields (Daniel Hensby) - See [ss-2016-010](http://www.silverstripe.org/download/security-releases/ss-2016-010)
 * 2016-11-11 [61e4055](https://github.com/silverstripe/silverstripe-framework/commit/61e4055bdb13e37df6aa0d8edca0bf5d9345dc7e) Cast FormField values as Text to prevent readonly fields embeding rogue HTML (Daniel Hensby) - See [ss-2016-010](http://www.silverstripe.org/download/security-releases/ss-2016-010)
 * 2016-10-27 [17097a4](https://github.com/silverstripe/silverstripe-framework/commit/17097a4d11274b157eadf64f32708acef204d510) Properly escape backURL for template injection (Daniel Hensby) - See [ss-2016-016](http://www.silverstripe.org/download/security-releases/ss-2016-016)
 * 2016-07-14 [ca526b0](https://github.com/silverstripe/silverstripe-reports/commit/ca526b08c32ffe171368c1f6e456a8bfffa287d7) Missing ACL check on ReportAdmin (Daniel Hensby) - See [ss-2016-012](http://www.silverstripe.org/download/security-releases/ss-2016-012)
 * 2016-07-14 [04b4453](https://github.com/silverstripe/silverstripe-cms/commit/04b4453e041c2520d3658be1585146f79dca09d8) Missing ACL check on ReportAdmin (Daniel Hensby) - See [ss-2016-012](http://www.silverstripe.org/download/security-releases/ss-2016-012)

### API Changes

 * 2016-11-15 [f43a91a](https://github.com/silverstripe/silverstripe-framework/commit/f43a91a4f8d6d5b6bfdda0c67d8647c056f8d62e) Add FormField::canSubmitValue() (Damian Mooyman)

### Bugfixes

 * 2016-10-22 [bec5adf](https://github.com/silverstripe/silverstripe-framework/commit/bec5adf09b733904a4e8d0aa55bdc337489af533) Versioned sort by ID (Jonathon Menz)