This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.

3.2.1

Upgrading

FormField validation messages generated by the Validator class will now be automatically XML encoded before being rendered alongside an invalid field.

If a validation message in a custom Validator instance should be rendered as literal HTML, then the $message parameter for Validator::validationError should be passed as an instance of HTMLText.

For example:

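class MyCustomValidator extends Validator {
    public function php($data) {
        // Passing an HTMLText instance opts this message out of the automatic
        // XML encoding, so the link is rendered as markup, not escaped text.
        $this->validationError(
            'EmailAddress',
            DBField::create_field('HTMLText', "Invalid email. Please sign up at <a href='signup'>this page</a>")
        );
    }
}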
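Once a message is passed as HTMLText, nothing encodes it on render, so any submitted value placed in that message has to be encoded by the validator itself. The following is an added example, not code from the SilverStripe project: a hypothetical `SignupEmailValidator` for a 3.2.1 site that echoes the submitted address inside an HTML message and encodes it with `Convert::raw2xml` first. The class name and message wording are assumptions.

```php
<?php
// Added example: hypothetical validator for a SilverStripe 3.2.1 project.
class SignupEmailValidator extends Validator {

    public function php($data) {
        // 'EmailAddress' is the field name used in the page's own example.
        $email = isset($data['EmailAddress']) ? (string)$data['EmailAddress'] : '';

        if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
            return true;
        }

        // Plain-string message: 3.2.1 XML-encodes it when rendering, so a
        // submitted value echoed this way is displayed as text, not markup:
        //   $this->validationError('EmailAddress', "'$email' is not a valid email.");

        // HTMLText message: rendered as literal HTML, so the submitted value
        // must be encoded by hand before it is concatenated into the markup.
        $safeEmail = Convert::raw2xml($email);

        $this->validationError(
            'EmailAddress',
            DBField::create_field(
                'HTMLText',
                "'{$safeEmail}' is not a valid email. "
                . "Please sign up at <a href='signup'>this page</a>"
            )
        );

        return false;
    }
}
```

When auditing custom validators during the upgrade, any `HTMLText` message built by concatenating request data without this encoding step is the pattern to look for.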

Change Log

Security

  • 2015-11-12 b61d6dc HtmlEditorField_Toolbar#viewfile not whitelisting URLs (Hamish Friedlander) - See ss-2015-027
  • 2015-11-11 bc1b289 Fix FormField error messages not being encoded safely (Damian Mooyman) - See ss-2015-026
  • 2015-11-09 f290d86 Don't expose class on error (Hamish Friedlander) - See ss-2015-025
  • 2015-11-01 4f55b6a XML escape RSSFeed $link parameter (Ingo Schommer) - See ss-2015-022
  • 2015-10-28 132e9b3 Fix rewrite hash links XSS (Damian Mooyman) - See ss-2015-021

Bugfixes

  • 2015-11-10 732e705 Correct behaviour for empty filter array (as per 3.1) (Damian Mooyman)
  • 2015-11-09 414ea3d prevent UploadField edit form generation for Folders (Damian Mooyman)
  • 2015-11-05 c6c650f Ensure CMSMainTest uses correct siteconfig (Damian Mooyman)
  • 2015-11-02 0272e44 Prevent dev/build continually regenerating Number field type (Damian Mooyman)
  • 2015-10-30 2813f94 Ensure that filters on any fixed field are scoped to the base data table (Damian Mooyman)
  • 2015-10-30 38ca963 Add missing CMSSecurity route (Damian Mooyman)
  • 2015-10-29 daa86d3 Fix regression from #4396 in test fixtures (Damian Mooyman)
  • 2015-10-28 db16248 Fix broken InlineFormAction (Damian Mooyman)
  • 2015-10-27 293d847 for #4712: Dropping in some PHP documentation on return types for dynamically generated image methods. (Patrick Nelson)
  • 2015-10-20 b857bdf Fix duplicate files being included in case of flush (Damian Mooyman)
  • 2015-10-19 c364158 only use sethasemptydefault if exists. (Cam Findlay)
  • 2015-10-08 ff6c0a3 (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
  • 2015-10-08 785f850 for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
  • 2015-10-01 75dc391 for #586 and possible fix for #736 and relates to #2449: Don't perform validation upon deletion, since it isn't necessary. Cleaned up type hint. (Patrick Nelson)
  • 2015-09-17 e64d73c Fix ClassInfo::table_for_object_field (Damian Mooyman)
  • 2015-08-05 2901664 . FulltextFilter requires table identifiers in match query (Elvinas L.)
  • 2015-07-12 f192a6e #4392: Ensure headers are checked first before being clobbered by globally maintained state. Also ensuring tests utilize separate responses for isolation. (Patrick Nelson)
