Commit

Merge branch '5.3' into 5

github-actions[bot] committed Sep 11, 2024
2 parents 06ea3ad + d7aa637 commit 347495a
Showing 3 changed files with 1,186 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
@@ -5,7 +5,7 @@ on:
branches:
- '3'
- '4.13'
- '5.2'
- '5.3'
jobs:
build:
name: build-docs
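Review bot: swapping `'5.2'` for `'5.3'` in the `branches` list means pushes to the 5.2 docs branch no longer trigger `build-docs`; if 5.2 is still a supported release line, add `'5.3'` as a new entry instead of replacing `'5.2'`, and if it is intentionally dropped, confirm any deploy or branch-protection configuration that mirrors this list is updated to match.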
38 changes: 36 additions & 2 deletions en/08_Changelogs/5.3.0.md
@@ -6,6 +6,7 @@ title: 5.3.0 (unreleased)

## Overview

- [Security considerations](#security-considerations)
- [Features and enhancements](#features-and-enhancements)
- [High-level API for converting files](#file-converter)
- [Improve customisability of rendered images](#image-rendering)
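Review bot: the new overview entry links to `#security-considerations`, which only resolves because the heading added further down in this file carries an explicit `{#security-considerations}` id; the neighbouring entries (`#features-and-enhancements`, `#file-converter`) rely on the same convention, so keep the explicit id and heading text in sync if either is renamed.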
@@ -14,9 +15,21 @@ title: 5.3.0 (unreleased)
- [Support for `JOIN` in SQL `UPDATE`](#sql-update-join)
- [Autologin token regeneration changes](#autologin-token-regeneration)
- [Other new features](#other-new-features)
- [API changes](#api-changes)
- [API changes](#api-changes)
- [Bug fixes](#bug-fixes)

## Security considerations {#security-considerations}

Three security fixes that were previously released in the July security release are mentioned in the [Silverstripe CMS security patches July 2024](https://www.silverstripe.org/blog/silverstripe-cms-security-patches-july-2024/) blog post are listed below.

Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.

We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating).

- [CVE-2024-29885 - Reports are still accessible even when canView is set to false](https://www.silverstripe.org/download/security-releases/cve-2024-29885) Severity: Medium
- [CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload](https://www.silverstripe.org/download/security-releases/cve-2024-32981) Severity: Medium
- [SS-2024-001 - TinyMCE allows svg files linked in object tags](https://www.silverstripe.org/download/security-releases/ss-2024-001) Severity: Medium

## Features and enhancements

### Changes to `TinyMCEConfig` {#changes-to-tinymce}
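Review bot: the first sentence of the new "Security considerations" section fuses two clauses ("...are mentioned in the ... blog post are listed below"); suggest "Three security fixes, previously released in the July security release and described in the [Silverstripe CMS security patches July 2024](...) blog post, are listed below." The three list items also append "Severity: Medium" directly after the closing link bracket with no separator, so consider a consistent delimiter such as " - Severity: Medium" for each entry. Separately, the `- [API changes](#api-changes)` overview entry appears twice in this hunk with no visible difference, which suggests a whitespace-only (indentation) change; confirm that the entry is meant to move to the top level of the list.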
@@ -106,6 +119,27 @@ class MyParent extends DataObject
}
```

```php
namespace App\Model;

use SilverStripe\Forms\FormField;
use SilverStripe\ORM\DataObject;

class MyChild extends DataObject
{
// ...

public function scaffoldFormFieldForHasOne(
string $fieldName,
?string $fieldTitle,
string $relationName,
DataObject $ownerRecord
): FormField {
return /* instantiate some FormField here */;
}
}
```

This means modules can pre-define the form field that should be used for their custom models, which reduces the amount of boilerplate code developers need to include in their `getCMSFields()` implementations.

For more information see [scaffolding for relations](/developer_guides/model/scaffolding/#scaffolding-for-relations).
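Review bot: the new `MyChild` example's `return /* instantiate some FormField here */;` is not valid PHP, since a function declared with a `FormField` return type cannot use a bare `return;`, so a reader copying the snippet gets a compile error; replace the placeholder with a concrete field such as `return TextField::create($fieldName, $fieldTitle);` and add the matching `use SilverStripe\Forms\TextField;` import, which also shows how `$fieldName` and `$fieldTitle` are meant to be used. The `$relationName` and `$ownerRecord` parameters are unused in the example, which is fine for an illustration but worth a one-line comment noting that they are available for relation-specific field choices.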
@@ -159,7 +193,7 @@ From 6.0 onwards, tokens will never be regenerated during session renewal, and t
## API changes

- Passing a non-array `$fields` argument to both [`FieldList::addFieldsToTab()`](api:SilverStripe\Forms\FieldList::addFieldsToTab()) and [`FieldList::removeFieldsFromTab()`](api:SilverStripe\Forms\FieldList::removeFieldsFromTab()) has been deprecated.
- The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update the description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API.
- The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update or get the CMS description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API.
- The [`RememberLoginHash::renew()`](api:SilverStripe\Security\RememberLoginHash::renew()) method has been deprecated without replacement, since the associated behaviour will be removed in 6.0.
- The `onAfterRenewToken` extension point within this method will likely be replaced with a new extension point in 6.0.
- The [`RememberLoginHash.replace_token_during_session_renewal`](api:SilverStripe\Security\RememberLoginHash->replace_token_during_session_renewal) configuration property has been added to allow disabling token regeneration during session renewal. This property will be removed in 6.0.
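Review bot: the reworded `BaseElement::getDescription()` deprecation entry now covers both reading and updating the description ("To update or get the CMS description"), but it points readers at "the localisation API" without a link, whereas every other reference in these bullets is an `api:` link; suggest linking the i18n documentation so the replacement path is as discoverable as the deprecated method. Also, the `RememberLoginHash::renew()` bullet says "deprecated without replacement" while its nested bullet says the `onAfterRenewToken` extension point "will likely be replaced"; a short clarification that the method goes away but extension hooks will be offered elsewhere would avoid readers seeing those two statements as contradictory.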

0 comments on commit 347495a