This document contains information for an outdated version (3.0) and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.
- Security: Cross-site scripting (XSS) on text transformations in templates
- Security: Cross-site scripting (XSS) related to page titles in the CMS
Upgrading Notes ##
Security: Cross-site scripting (XSS) on text transformations in templates
The default casting for
Varchar database field classes usually auto-escapes
field values when they are inserted into a template. For some text transformations
on those fields, this wasn't correctly applied. The following methods are affected:
If you have used any of these transformations with untrusted values (e.g. from a user-submitted form), please consider updating. More info about SilverStripe's casting logic is available in the "security" documentation.
Security: Cross-site scripting (XSS) related to page titles in the CMS
The page title data wasn't escaped correctly in the
as well as the updated page title in the CMS tree after saving.
- 2012-01-31 0085876 Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)
- 2012-01-31 252e187 SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
- 2012-01-31 5fe7091 SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
- 2011-09-24 d0af084 Fixes tag syntax (should end with %>, not >%) (simonwelsh)
- 2011-06-09 aa74811 CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)