Versions:

3.0.7

Overview

Security: XSS in form validation errors (SS-2013-008)

See announcement

Security: XSS in CMS "Pages" section (SS-2013-009)

See announcement

API: Form validation message no longer allow HTML

Due to cross-site scripting concerns when user data is used for form messages, it is no longer possible to use HTML in Form->sessionMessage(), and consequently in the FormField->validate() API.

Changelog

Bugfixes

  • 2013-09-24 114fb59 Auto-escape titles in TreeDropdownField (Ingo Schommer)
  • 2013-09-24 e170f4c Escaping in "dependent pages" (SS-2013-009) (Ingo Schommer)
  • 2013-09-20 b383a07 Fixing tabindex added to CreditCardField when tabindex is NULL (Sean Harvey)
  • 2013-09-20 c453ea3 Fixing tabindex added to CreditCardField when tabindex is NULL (Sean Harvey)