tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity
silverstripe-framework/security
History
Ingo Schommer 0bae1826bb FIX Opt-out pf form message escaping (fixes #2796) 
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/.
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.

We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803.
2014-08-22 09:08:55 +12:00
..
Authenticator.php
Merged changes from 2.3 branch
2009-02-01 23:49:53 +00:00
BasicAuth.php
MINOR Checking for class_exists() before SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332)
2011-02-02 14:20:03 +13:00
ChangePasswordForm.php
BUGFIX Avoid potential referer leaking in Security->changepassword() form by storing Member->AutoLoginHash in session instead of 'h' GET parameter (from r114758)
2011-02-02 14:20:05 +13:00
Group.php
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
2013-09-12 15:38:56 +02:00
GroupCsvBulkLoader.php
ENHANCEMENT Added GroupCsvBulkLoader class to facilitate group imports with permission codes and hierarchy (merged from r94252)
2011-02-02 14:18:30 +13:00
LoginAttempt.php
Merged from branches/2.3
2009-04-29 00:07:39 +00:00
LoginForm.php
Merged from branches/nzct-trunk. Use 'svn log -c <changeset> -g' for full commit message. Merge includes stability fixes and minor refactor of TableListField and ComplexTableField.
2008-10-08 02:00:12 +00:00
Member.php
API Hash autologin tokens before storing in the database.
2012-11-09 12:03:55 +01:00
MemberAuthenticator.php
Failed login message translation fallback
2013-09-16 15:33:42 +12:00
MemberCsvBulkLoader.php
ENHANCEMENT MemberCsvBulkLoader for easy member import with group associations (merged from r94251)
2011-02-02 14:18:30 +13:00
MemberLoginForm.php
FIX Opt-out pf form message escaping (fixes #2796)
2014-08-22 09:08:55 +12:00
MemberPassword.php
ENHANCEMENT Pluggable password encryption through PasswordEncryptor class (#3665) (merged from r90949)
2011-02-02 14:17:36 +13:00
NZGovtPasswordValidator.php
MINOR Unified @package PHPdoc (added where missing, removed duplicates)
2008-06-15 13:33:53 +00:00
PasswordEncryptor.php
API Hash autologin tokens before storing in the database.
2012-11-09 12:03:55 +01:00
PasswordValidator.php
MINOR Fixed hardcoded error message in PasswordValidator (fixes #5734)
2011-02-02 14:19:32 +13:00
Permission.php
FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
2013-09-12 15:38:56 +02:00
PermissionCheckboxSetField.php
FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
2013-09-12 15:38:59 +02:00
PermissionProvider.php
MINOR Unified @package PHPdoc (added where missing, removed duplicates)
2008-06-15 13:33:53 +00:00
PermissionRole.php
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
2013-09-12 15:38:59 +02:00
PermissionRoleCode.php
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
2013-09-12 15:38:59 +02:00
RandomGenerator.php
API Hash autologin tokens before storing in the database.
2012-11-09 12:03:55 +01:00
Security.php
BUGFIX Keep Member.PasswordEncryption setting on empty passwords
2013-02-17 23:16:25 +01:00
SecurityToken.php
API Hash autologin tokens before storing in the database.
2012-11-09 12:03:55 +01:00