This document contains information about a future release and not the current stable version (3.1).

Be aware that information on this page may change and APIs may not be stable for production use.

3.0.7

Overview

Security: XSS in form validation errors (SS-2013-008)

See announcement

Security: XSS in CMS "Pages" section (SS-2013-009)

See announcement

API: Form validation messages no longer allow HTML

Due to cross-site scripting concerns when user data is used for form messages, it is no longer possible to use HTML in Form->sessionMessage(), and consequently in the FormField->validate() API.

Changelog

Bugfixes

  • 2013-09-24 114fb59 Auto-escape titles in TreeDropdownField (Ingo Schommer)
  • 2013-09-24 e170f4c Escaping in "dependent pages" (SS-2013-009) (Ingo Schommer)
  • 2013-09-20 b383a07 Fixing tabindex added to CreditCardField when tabindex is NULL (Sean Harvey)
  • 2013-09-20 c453ea3 Fixing tabindex added to CreditCardField when tabindex is NULL (Sean Harvey)
