Commit Graph

10 Commits

Author SHA1 Message Date
Damian Mooyman
a0ede56c0e Reformat for psr-2 2015-11-23 16:53:45 +13:00
Elliot Sawyer
205754854c Sanitise domain name field to prevent XSS attack on the CMS
PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session".
I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway.

Steps to reproduce the original issue:
1. Enter a subsite name and mark as the default site.
2. Add a new domain named <script>alert(2)</script> and mark it as primary
3. Switch to the new subsite.
4. Make a new Page. This will execute a javascript alert containing "2".

MINOR update documentation for onBeforeWrite()
MINOR add @property attributes into docblock
2014-07-16 15:43:05 +12:00
Stig Lindqvist
ff7328ea94 Adding docblocks to SubsiteDomain 2013-11-15 09:50:21 +13:00
Stig Lindqvist
b7f1c66de7 Make SubsiteDomain#getCMSFields extendable 2013-11-15 09:50:15 +13:00
Ingo Schommer
5ff3b691d7 More globalisation 2013-10-30 13:44:06 +01:00
Sean Harvey
8ffeeb1ee6 Fixing declaration of statics to private for 3.1+ compatibility 2013-05-06 22:21:09 +12:00
Sean Harvey
fbddc076b8 Remove underscore from label 2013-04-30 17:53:09 +12:00
UndefinedOffset
ef4d539a12 BUG: Merged patch from kmayo, however re-added some of the removed fields since they really should appear on the Main Content tab instead of the Metadata tab.
Fixed a few missed strict errors

Applied patch from kmayo to fix issues with SubsiteAdminTest.php

Fixed issue causing the url segments of subsites created from a template to add -2 to the end

Fixed undefined method TotalItems() on datalist for the SubsiteTest

Fixed failure on SubsiteTest because DataObject::get_one() now returns boolean false instead of null when no result is found

Fixed failure on SubsitesVirtualPageTest caused by Versioned::get_one_by_stage() returning null instead of false

Fixed failure caused by the contact-us page existing on subsite 2

Merged another patch from kmayo

Force main site to be on, for some reason it gets hidden in some cases i.e. refreshing the cms while editing a page
2012-07-16 11:21:54 +12:00
UndefinedOffset
598b0253f5 BUG: Coding convention updates 2012-07-16 11:21:30 +12:00
Ed
2ef72b374c BUG: Modifying the module to work with SS 3.0
Replaced deprecated DataObjectDecorator with DataExtension

Fixed hard crashes in the cms

Updated to support new LeftAndMain template structure

Made the subsites model admin functional

Moved the LeftAndMain_Menu template up a directory so it overrides the core

Fixed some errors caused by changes to the framework

Re-organized the code folder

Fixed permission issue causing to default to first subsite regardless of whether it is the default or not

Fixed crashes on the subsite virtual page when creating/editing

Removed toDropdownMap() calls replacing with map()

Fixed the URLSegment field on subsites

Fixed error when detecting subsite for a domain

Improved styles on the subsite dropdown

Updated LeftAndMain_Subsites.js to work with jQuery entwine

Started porting the SubsitesTreeDropdownField.js to use jQuery entwine and work with the new TreeDropdownField.js

Fixed issue causing crash when viewing a page that is linked to by a subsite virtual page

Removed unused methods on SubsitesTreeDropdownField.js

Re-added classes that were moved

Fixed hard crash after saving caused by the many_many definition on SiteTreeSubsites

Replaced deprecated DataObjectSet creation with ArrayList

Compatibility fixes with SS 3.0 beta 2

Fixed crash in cms caused by no parameter being passed to the SubsiteReportWrapper constructor

Proper fix for report wrapper

Removed table list field in favor of a basic grid field

Fixed updateCMSFields() for file subsites

Migrated translations to yml

Fixed issue causing the current page to not get cleared when changing subsites in the cms

Fixed virtual page icon

Fixed language files issue
2012-07-16 11:18:38 +12:00