
MINOR Updated changelog

1 parent 8e3ce75 commit 6a6aee4b1784691ee57a7c48a030069c78b078ca @chillu chillu committed Jan 31, 2012
Showing with 79 additions and 1 deletion.
  1. +21 −0 docs/en/changelogs/2.3.13.md
  2. +55 −0 docs/en/changelogs/2.4.7.md
  3. +3 −1 docs/en/changelogs/index.md
21 docs/en/changelogs/2.3.13.md
@@ -0,0 +1,21 @@
+# 2.3.13 (2012-02-01)
+
+## Overview
+
+ * Security: Cross-site scripting on text transformations in templates
+ * Security: Cross-site scripting (XSS) related to page titles in the CMS
+
+## Upgrading Notes ##
+
+See [2.4.7](2.4.7).
+
+## Changelog ##
+
+### Bugfixes
+
+ * 2012-01-31 [15e9e05](https://github.com/silverstripe/sapphire/commit/15e9e05) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)
+ * 2009-05-26 [acf9e01](https://github.com/silverstripe/sapphire/commit/acf9e01) Don't break CMS tree if HTML gets into MenuTitle (Sam Minnee)
+
+### Other
+
+ * 2012-01-31 [475e077](https://github.com/silverstripe/sapphire/commit/475e077) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
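Review bot: the first overview bullet in this file ("Security: Cross-site scripting on text transformations in templates") drops the "(XSS)" abbreviation that the second bullet and the 2.4.7 changelog both use; since the 2.3.13 upgrading notes simply point readers at 2.4.7, the two overview sections should read identically so the same advisory is recognisable across branches. Heading style is also mixed within the file (`## Overview` without trailing hashes, `## Upgrading Notes ##` and `## Changelog ##` with them); pick one form for all level-two headings.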
55 docs/en/changelogs/2.4.7.md
@@ -0,0 +1,55 @@
+# 2.4.7 (2012-02-01)
+
+## Overview
+
+ * Security: Cross-site scripting (XSS) on text transformations in templates
+ * Security: Cross-site scripting (XSS) related to page titles in the CMS
+
+## Upgrading Notes ##
+
+### Security: Cross-site scripting (XSS) on text transformations in templates
+
+The default casting for `Text` and `Varchar` database field classes usually auto-escapes
+field values when they are inserted into a template. For some text transformations
+on those fields, this wasn't correctly applied. The following methods are affected:
+
+ * `AbsoluteLinks()`,
+ * `BigSummary()`,
+ * `ContextSummary()`,
+ * `EscapeXML()`,
+ * `FirstParagraph()`,
+ * `FirstSentence()`,
+ * `Initial()`,
+ * `LimitCharacters()`,
+ * `LimitSentences()`,
+ * `LimitWordCount()`,
+ * `LimitWordCountXML()`,
+ * `Lower()`
+ * `LowerCase()`
+ * `NoHTML()`,
+ * `Summary()`,
+ * `Upper()`
+ * `UpperCase()`
+ * `URL()`
+
+ If you have used any of these transformations with untrusted values
+ (e.g. from a user-submitted form), please consider updating.
+ More info about SilverStripe's casting logic is available in the "[security](../topics/security)" documentation.
+
+### Security: Cross-site scripting (XSS) related to page titles in the CMS
+
+The page title data wasn't escaped correctly in the `SilverStripeNavigator`
+as well as the updated page title in the CMS tree after saving.
+
+## Changelog ##
+
+### Bugfixes
+
+ * 2012-01-31 [0085876](https://github.com/silverstripe/sapphire/commit/0085876) Casting return values on text helper methods in StringField, Text, Varchar (Ingo Schommer)
+
+### Other
+
+ * 2012-01-31 [252e187](https://github.com/silverstripe/sapphire/commit/252e187) SECURITY Escape links for SilverStripeNavigatorItem (Ingo Schommer)
+ * 2012-01-31 [5fe7091](https://github.com/silverstripe/sapphire/commit/5fe7091) SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages (Ingo Schommer)
+ * 2011-09-24 [d0af084](https://github.com/silverstripe/sapphire/commit/d0af084) Fixes tag syntax (should end with %>, not >%) (simonwelsh)
+ * 2011-06-09 [aa74811](https://github.com/silverstripe/silverstripe-cms/commit/aa74811) CZ translation for tinymce_ssbuttons plugin (Ladislav Kubes)
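Review bot: the three lines starting " If you have used any of these transformations with untrusted values" are indented by one space, so in Markdown they attach to the preceding `URL()` list item as continuation text instead of rendering as the paragraph that follows the list; remove the leading space. In the same list the trailing commas are inconsistent (`Lower()`, `LowerCase()`, `Upper()`, `UpperCase()` and `URL()` lack them), and since all listed methods returned unescaped output, "please consider updating" understates the action for an XSS fix: state that sites rendering these methods on user-supplied values should upgrade, and say explicitly whether the fix changes the return type to a cast object so template authors know to check custom code that relied on raw strings.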
4 docs/en/changelogs/index.md
@@ -10,15 +10,17 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
## Stable Releases
* [3.0.0](3.0.0) - unreleased
+ * [2.4.7](2.4.7) - 1 February 2012
* [2.4.6](2.4.6) - 18 October 2011
* [2.4.5](2.4.5) - 2 February 2011
* [2.4.4](2.4.4) - 21 December 2010
* [2.4.3](2.4.3) - 11 November 2010
* [2.4.2](2.4.2) - 22 September 2010
* [2.4.1](2.4.1) - 23 July 2010
* [2.4.0](2.4.0)
+ * [2.3.13](2.3.13) - 1 February 2012
+ * [2.3.12](2.3.12) - 17 October 2011
* [2.3.11](2.3.11) - 2 February 2011
- * [2.3.11](2.3.11) - 18 October 2011
* [2.3.10](2.3.10) - 21 December 2010
* [2.3.9](2.3.9) - 11 November 2010
* [2.3.8](2.3.8) - 23 July 2010
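Review bot: the removed line `* [2.3.11](2.3.11) - 18 October 2011` was a duplicate entry with a wrong date, and its replacement `* [2.3.12](2.3.12) - 17 October 2011` gives a release date one day earlier than the `2.4.6 - 18 October 2011` entry directly above it; worth confirming which date is correct for 2.3.12 before this lands, since the two minor branches have otherwise shipped on matching dates here (2 February 2011, 21 December 2010, 11 November 2010, 23 July 2010). The `[2.4.0](2.4.0)` entry is also the only one without a date.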
