Version 3 end of life
This version of Silverstripe CMS will not recieve any additional bug fixes or documentation updates. Go to documentation for the most recent stable version.



This release includes several security fixes to prevent HTTP Hostname injection, as well as a fix for flush or isDev querystring parameters to be set via unauthenticated requests.

Users upgrading from 3.1.12 or below should read the security documentation on securing their site.


  • 2015-05-22 a978b89 Fix handling of empty parameter token (Damian Mooyman) - See ss-2015-014
  • 2015-05-25 75137db Ensure only trusted proxy servers have control over certain HTTP headers (Damian Mooyman) - See ss-2015-013
  • 2015-05-25 22a35e4 Fix malformed urls redirecting to external sites (Damian Mooyman) - See ss-2015-012
  • 2015-05-22 79cfa2b Bug fix sqlquery select (Damian Mooyman) - See ss-2015-011


  • 2015-04-24 242de4e Added Youtube's short URL. (Michael Strong)
  • 2015-05-28 9c8fa51 Allow users to specify allowed hosts (Marcus Nyeholt)
  • 2015-05-07 828ad6e Modifications to GridFieldExportButton to allow ArrayList use in SS_Report (Will Rossiter)
  • 2015-04-30 be10d90 count breaks when having clause defined (Aram Balakjian)
  • 2015-04-27 120b983 X-Reload & X-ControllerURL didn't support absolute URLs (fixes #4119) (Loz Calver)
  • 2015-04-25 bfd8b66 for #4104, minor revision of error messages in ListboxField (more intuitive). (Patrick Nelson)
  • 2015-04-23 5ae0ca1 #4100 Setup the ability to overload the ShortcodeParser class and ensuring its methods/properties are extensible via the "static" keyword. (Patrick Nelson)
  • 2015-04-23 c2fd18e use config for Security::$login_url (Daniel Hensby)
  • 2015-04-23 19423e9 Fix tinymce errors crashing CMS When removing a tinymce field, internal third party errors should be caught and ignored gracefully rather than breaking the whole CMS. (Damian Mooyman)
  • 2015-04-20 8e24511 Fix users with all cms section access not able to edit files Fixes #4078 (Damian Mooyman)
  • 2015-04-14 8caaae6 Fix accordion sometimes displaying scrollbars (Damian Mooyman)
  • 2015-03-31 a71f5f9 Use SearchForm::create to instantiate SearchForm (Daniel Hensby)
  • 2015-03-26 636cddb export and print buttons outside button row (Naomi Guyer)
  • 2015-03-26 a7d3f89 Check for existence of HTTP_USER_AGENT to avoid E_NOTICE error. (Sean Harvey)
  • 2015-03-25 8d6cd15 Fix some database errors during dev/build where an auth token exists for the current user Fixes #3660 (Damian Mooyman)
  • 2015-03-23 aba0b70 GridFieldDetailForm::setItemEditFormCalback broke chaining (Daniel Hensby)
  • 2015-03-23 72bb9a2 Debug::text no longer incorrecty returns "ViewableData_debugger" (Daniel Hensby)
  • 2015-03-16 f2b1fa9 broken link in docs to how_tos/extend_cms_interface (Jeremy Shipman)
  • 2015-02-24 6c92a86 Fix CMSMainTest attempting to render page on Security permission error (Damian Mooyman)