3.2.1

Upgrading

FormField validation messages generated by the Validator class are now automatically XML encoded before being rendered alongside an invalid field. This is the change recorded as ss-2015-026 in the Security section below: previously a message was rendered as given, so any user-submitted value echoed back in a message reached the page unencoded.

If a validation message raised by a custom Validator must be rendered as literal HTML, pass the $message parameter of Validator::validationError as an instance of HTMLText rather than a plain string; a plain string is always encoded. Wrapping a message in HTMLText switches that encoding off for the whole message, so any user-supplied value included in such a message must be escaped by your code first.

For example:

class MyCustomValidator extends Validator {
    public function php($data) {
        // A plain-string $message would be XML encoded; wrapping it in HTMLText
        // marks the markup as intentional so the link is rendered as HTML.
        $this->validationError(
            'EmailAddress',
            DBField::create_field('HTMLText', "Invalid email. Please sign up at <a href='signup'>this page</a>")
        );
    }
}
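The following is an added, stand-alone PHP illustration of the rule described above; it is not SilverStripe code and does not use the framework. The TrustedHtml class, encodeForXml() and renderValidationMessage() are constructed stand-ins for HTMLText and the encoding step, and the submitted value is a constructed attacker input. It shows the three cases a practitioner needs to tell apart: a reflected value rendered raw (the pre-3.2.1 behaviour), the same message encoded as a plain string, and an HTMLText-style message that keeps its link because the developer escaped the user-controlled part before wrapping it.

```php
<?php
// Added example (not SilverStripe code): models "plain strings are XML
// encoded, HTMLText messages are rendered as-is" with a minimal marker type.

// Stand-in for HTMLText: wrapping a string marks it as trusted markup that
// the renderer must not encode again.
final class TrustedHtml
{
    /** @var string */
    public $html;

    public function __construct($html)
    {
        $this->html = (string) $html;
    }
}

// Encode for an XML/HTML text or attribute context: & < > " and ' are escaped.
function encodeForXml($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// The renderer's rule: trusted markup passes through, everything else is text.
function renderValidationMessage($message)
{
    if ($message instanceof TrustedHtml) {
        return $message->html;            // developer vouched for this markup
    }
    return encodeForXml($message);        // plain strings are always encoded
}

// Constructed attacker input: the value submitted in the form's Email field.
$submitted = "<img src=x onerror=alert(document.cookie)>";

// Case 1 (pre-3.2.1 behaviour): the message is rendered exactly as built,
// so the submitted value lands in the page as live markup.
$before = "Invalid email: $submitted";
echo "unencoded: ", $before, "\n";

// Case 2 (3.2.1 behaviour): the same message passed as a plain string is
// encoded, and the payload becomes inert text:
// Invalid email: &lt;img src=x onerror=alert(document.cookie)&gt;
echo "encoded:   ", renderValidationMessage($before), "\n";

// Case 3: a message that legitimately carries markup is wrapped as trusted
// HTML so its link survives. Because the wrapper disables encoding, the
// user-controlled part is escaped by hand before it goes in.
$withLink = new TrustedHtml(
    "Invalid email " . encodeForXml($submitted)
    . ". Please sign up at <a href='signup'>this page</a>"
);
echo "trusted:   ", renderValidationMessage($withLink), "\n";

// Anti-pattern: wrapping unescaped user input. The marker is a promise that
// the content is safe; breaking that promise reintroduces the injection.
$unsafe = new TrustedHtml("Invalid email: $submitted");
echo "unsafe:    ", renderValidationMessage($unsafe), "\n"; // payload rendered raw
```

The last case is the one to watch for when migrating: a validator that previously built messages by string concatenation and now simply wraps the result in HTMLText to "keep the old output" has opted back out of the protection this release adds.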

Change Log

Security

  • 2015-11-12 b61d6dc HtmlEditorField_Toolbar#viewfile not whitelisting URLs (Hamish Friedlander) - See ss-2015-027
  • 2015-11-11 bc1b289 Fix FormField error messages not being encoded safely (Damian Mooyman) - See ss-2015-026
  • 2015-11-09 f290d86 Dont expose class on error (Hamish Friedlander) - See ss-2015-025
  • 2015-11-01 4f55b6a XML escape RSSFeed $link parameter (Ingo Schommer) - See ss-2015-022
  • 2015-10-28 132e9b3 Fix rewrite hash links XSS (Damian Mooyman) - See ss-2015-021

Bugfixes

  • 2015-11-10 732e705 Correct behaviour for empty filter array (as per 3.1) (Damian Mooyman)
  • 2015-11-09 414ea3d prevent UploadField edit form generation for Folders (Damian Mooyman)
  • 2015-11-05 c6c650f Ensure CMSMainTest uses correct siteconfig (Damian Mooyman)
  • 2015-11-02 0272e44 Prevent dev/build continually regenerating Number field type (Damian Mooyman)
  • 2015-10-30 2813f94 Ensure that filters on any fixed field are scoped to the base data table (Damian Mooyman)
  • 2015-10-30 38ca963 Add missing CMSSecurity route (Damian Mooyman)
  • 2015-10-29 daa86d3 Fix regression from #4396 in test fixtures (Damian Mooyman)
  • 2015-10-28 db16248 Fix broken InlineFormAction (Damian Mooyman)
  • 2015-10-27 293d847 for #4712: Dropping in some PHP documentation on return types for dynamically generated image methods. (Patrick Nelson)
  • 2015-10-20 b857bdf Fix duplicate files being included in case of flush (Damian Mooyman)
  • 2015-10-19 c364158 only use sethasemptydefault if exists. (Cam Findlay)
  • 2015-10-08 ff6c0a3 (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
  • 2015-10-08 785f850 for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
  • 2015-10-01 75dc391 for #586 and possible fix for #736 and relates to #2449: Don't perform validation upon deletion, since it isn't necessary. Cleaned up type hint. (Patrick Nelson)
  • 2015-09-17 e64d73c Fix ClassInfo::table_for_object_field (Damian Mooyman)
  • 2015-08-05 2901664 FulltextFilter requires table identifiers in match query (Elvinas L.)
  • 2015-07-12 f192a6e #4392: Ensure headers are checked first before being clobbered by globally maintained state. Also ensuring tests utilize separate responses for isolation. (Patrick Nelson)
