Version 3 end of life
This version of Silverstripe CMS will not recieve any additional bug fixes or documentation updates. Go to documentation for the most recent stable version.



This security release resolves some XSS and an XML vulnerability in the Framework.


If your code relies on Convert::xml2array there are some important things to consider with regards to certain vulnerabilities. In this release additional options have been added to this method to assist users in guarding against these risks, although each option has been turned off by default.

Please refer to on details of some of the specific reasons behind the need for these changes and how you can guard against them in your code.

Specifically this method has these two new parameters:

  • The $disableDoctypes parameter has been added to disallow parsing of XML content containing a header, which may potentially contain unguarded or recursive entity definitions.
  • The $disableExternals parameter allows XML parsing to ignore any externally referenced dependency within the file, ensuring that injected XML is unable to invoke data from potentially hazardous sources.



  • 2015-03-18 b34c236 Fix joins on tables containing "select" being mistaken for sub-selects Fix PHPDoc on SQLQuery::addFrom and SQLQuery::setFrom Fixes #3965 (Damian Mooyman)
  • 2015-03-11 a61c08d Security::$default_message_set Config value unusable (Loz Calver)
  • 2015-03-10 9651889 Fix yaml generation to conform to version 1.1, accepted by transifex (Damian Mooyman)
  • 2015-02-25 f5f41b2 Ensuring custom CMS validator uses Object->hasMethod() to respect extension decorator pattern. (Patrick Nelson)
  • 2015-01-13 9da7e90 . Missing translation entity (Elvinas L.)