DOC Document security patches
emteknetnz authored and GuySartorelli committed Jan 14, 2025
1 parent ea19f7a commit 793fdcd
Showing 1 changed file with 43 additions and 0 deletions.
43 changes: 43 additions & 0 deletions en/08_Changelogs/5.4.0.md
Expand Up @@ -6,16 +6,37 @@ title: 5.4.0 (unreleased)

## Overview

- [Security considerations](#security-considerations)
- [Features and enhancements](#features-and-enhancements)
- [New `XssSanitiser` class](#new-xsssanitiser-class)
- [Option to change `ClassName` column from enum to varchar](#classname-varchar)
- [Reports quality of life updates](#reports-quality-of-life-updates)
- [New `class_description` configuration on `DataObject`](#class-description)
- [`oEmbed` sandboxing](#oembed-sandboxing)
- [Other new features](#other-new-features)
- [API changes](#api-changes)
- [Bug fixes](#bug-fixes)

## Security considerations {#security-considerations}

Three security fixes that were previously released in the January security release are mentioned in the [Silverstripe CMS security patches January 2025 blog post](https://www.silverstripe.org/blog/silverstripe-cms-security-patches-january-2025) are listed below.

Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.

We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating).

- [CVE-2024-47605 - XSS via insert media remote file oembed](https://www.silverstripe.org/download/security-releases/cve-2024-47605) Severity: Medium
- [CVE-2024-53277 - XSS in form messages](https://www.silverstripe.org/download/security-releases/cve-2024-53277) Severity: Medium
- [SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message](https://www.silverstripe.org/download/security-releases/ss-2024-002) Severity: None

## Features and enhancements

### New `XssSanitiser` class

By far the most common type of security vulnerability that gets reported to us is XSS vulnerabilities. In many cases we can remove the vulnerability vector by disallowing HTML altogether, or by removing HTML specifically from user-provided input. Sometimes we need to allow HTML content from the user, such as in the WYSIWYG editor in the CMS - and in those cases we can mitigate XSS vulnerabilities by removing specific XSS attack vectors from the HTML content.

To help with this, we've added a new [`XssSanitiser`](api:SilverStripe\Core\XssSanitiser) class, which removes some known XSS attack vectors from HTML content. Note that this should be used only in scenarios where the HTML content can't be completely removed, and should not be considered a complete protection against all XSS attack vectors but rather as simply one of many tools in your security tool box.

### Option to change `ClassName` column from enum to varchar {#classname-varchar}

On websites with very large database tables it can take a long time to run `dev/build`, which can be a problem when deploying changes to production. This is because the `ClassName` column is an `enum` type which requires an a `ALTER TABLE` query to be run affecting every row whenever there is a new valid value for the column. For a very rough benchmark, running an `ALTER TABLE` query on a database table of 10 million records took 28.52 seconds on a mid-range 2023 laptop, though this time will vary depending on the database and hardware being used.
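Review bot: the sentence introducing the security fixes is a run-on ("Three security fixes that were previously released in the January security release are mentioned in the [...] blog post are listed below"); suggest "Three security fixes, previously released in the January security release and covered in the [Silverstripe CMS security patches January 2025 blog post](...), are listed below." Further down, "requires an a `ALTER TABLE` query" has a duplicated article. The `XssSanitiser` section explains what the class is for but shows no usage; a short snippet passing HTML through the sanitiser would help readers judge where it fits, next to the (good) caveat that it is not complete protection against XSS.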
Expand Down Expand Up @@ -58,6 +79,28 @@ As a part of this change, the [`SiteTree.description`](api:SilverStripe\CMS\Mode

The `SilverStripe\CMS\Model\SiteTree.DESCRIPTION` localisation key (along with the `.DESCRIPTION` suffix for any `SiteTree` subclass) will stop being used in a future major release. Use `SilverStripe\CMS\Model\SiteTree.CLASS_DESCRIPTION` instead.

### `oEmbed` sandboxing

As part of the fix for the security vulnerability `CVE-2024-47605` we have added a new feature to sandbox returned oEmbed HTML content in an `iframe` tag.

You can explicitly declare domains which should be excluded from sandboxing if you find it is interfering with embeds from specific domains. For example if a YouTube embed was not rendering correctly as a result of the sandboxing you could use this YAML configuration:

```yml
SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
domains_excluded_from_sandboxing:
- 'youtube.com'
```

Do not include the protocol (i.e. don't include `https://` or `http://`).

You can also change the attributes of the iframe itself with this YAML configuration:

```yml
SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
sandboxed_iframe_attributes:
allow: 'fullscreen'
```

### Other new features

- A new [`BaseKernel::getBooted()`](api:SilverStripe\Core\BaseKernel::getBooted()) method has been added for checking whether the kernel has been booted yet or not.
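Review bot: the `domains_excluded_from_sandboxing` section should spell out what an exclusion means in security terms: the sandbox was added as part of the fix for `CVE-2024-47605`, so an excluded domain's oEmbed HTML is rendered unsandboxed again, and the list should be limited to providers the site owner trusts. It should also state how a listed value is matched (exact host only, or `www.youtube.com` and other subdomains too), since the example shows bare `youtube.com`. For `sandboxed_iframe_attributes`, document whether configured attributes merge with or replace the defaults and what the default `sandbox` attribute value is; without that a reader cannot tell what `allow: 'fullscreen'` actually changes.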
