This document contains information about a future release and not the current stable version (4). Be aware that information on this page may change and API's may not be stable for production use.

2.4.7 (2012-02-01)


  • Security: Cross-site scripting (XSS) on text transformations in templates
  • Security: Cross-site scripting (XSS) related to page titles in the CMS

    Upgrading Notes

Security: Cross-site scripting (XSS) on text transformations in templates

The default casting for Text and Varchar database field classes usually auto-escapes field values when they are inserted into a template. For some text transformations on those fields, this wasn't correctly applied. The following methods are affected:

  • AbsoluteLinks(),
  • BigSummary(),
  • ContextSummary(),
  • EscapeXML(),
  • FirstParagraph(),
  • FirstSentence(),
  • Initial(),
  • LimitCharacters(),
  • LimitSentences(),
  • LimitWordCount(),
  • LimitWordCountXML(),
  • Lower()
  • LowerCase()
  • NoHTML(),
  • Summary(),
  • Upper()
  • UpperCase()
  • URL()

    If you have used any of these transformations with untrusted values (e.g. from a user-submitted form), please consider updating. More info about SilverStripe's casting logic is available in the "security" documentation.

The page title data wasn't escaped correctly in the SilverStripeNavigator as well as the updated page title in the CMS tree after saving.



  • 2012-01-31 0085876 Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)


  • 2012-01-31 252e187 SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
  • 2012-01-31 5fe7091 SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
  • 2011-09-24 d0af084 Fixes tag syntax (should end with %>, not >%) (simonwelsh)
  • 2011-06-09 aa74811 CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)

Was this article helpful?