Version 3 end of life
This version of Silverstripe CMS will not receive any additional bug fixes or documentation updates. Go to documentation for the most recent stable version.

3.1.16

Upgrading

FormField validation messages generated by the Validator class will now be automatically XML encoded before being rendered alongside an invalid field.

If a validation message in a custom Validator instance should be rendered as literal HTML, then the $message parameter for Validator::validationError should be passed as an instance of HTMLText.

For example:

:::php
class MyCustomValidator extends Validator {
	public function php($data) { 
		$this->validationError(
			'EmailAddress',
			DBField::create_field('HTMLText', "Invalid email. Please sign up at <a href='signup'>this page</a>")
		);
	}
}
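
Because an HTMLText message is rendered as literal HTML, any submitted value placed inside it has to be escaped by the validator itself. The following is an added example, not code from the Silverstripe project: the class name `SignupValidator` and the `EmailAddress` field are hypothetical, and it assumes a Silverstripe 3.1 project where `Convert::raw2xml` and `DBField::create_field` are available.

```php
<?php
// Added example (not project code). SignupValidator and the 'EmailAddress'
// field are hypothetical names used for illustration.
class SignupValidator extends Validator {

	public function php($data) {
		// Form data is untrusted input.
		$email = isset($data['EmailAddress']) ? $data['EmailAddress'] : '';
		if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
			return true;
		}

		// Unsafe: an HTMLText message is rendered as literal HTML, so the
		// submitted value would reach the page unescaped.
		// $html = "'$email' is not valid. <a href='signup'>Sign up here</a>";

		// Safe: escape the untrusted part and keep only the fixed markup literal.
		$html = sprintf(
			"'%s' is not valid. <a href='signup'>Sign up here</a>",
			Convert::raw2xml($email)
		);

		$this->validationError(
			'EmailAddress',
			DBField::create_field('HTMLText', $html)
		);
		return false;
	}
}
```

Messages passed as plain strings need no extra escaping, since the Validator class now XML encodes them before rendering.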

Change Log

Security

  • 2015-11-11 245e0aa Fix FormField error messages not being encoded safely (Damian Mooyman) - See ss-2015-026
  • 2015-11-09 53b3bc7 Dont expose class on error (Hamish Friedlander) - See ss-2015-025
  • 2015-11-01 ac4342d XML escape RSSFeed $link parameter (Ingo Schommer) - See ss-2015-022
  • 2015-10-28 97f21fd Fix rewrite hash links XSS (Damian Mooyman) - See ss-2015-021

Bugfixes

  • 2015-10-20 b857bdf Fix duplicate files being included in case of flush (Damian Mooyman)
  • 2015-10-08 ff6c0a3 (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)