en/02_Developer_Guides/01_Templates/11_Partial_Template_Caching.md
+5
Original file line number
Diff line number
Diff line change
@@ -9,6 +9,11 @@ icon: tags
9
9
Partial template caching is a feature that allows caching of rendered portions of templates. Cached content
10
10
is fetched from a [cache backend](../performance/caching), instead of being regenerated for every request.
11
11
12
+
> [!WARNING]
13
+
> Accidental caching of sensitive data can lead to security vulnerabilities. Notable examples include user-specific data, CSRF tokens, and form submissions.
14
+
> Templates can include other templates and call methods on objects, so it's not always obvious when sensitive data is cached further down in the hierarchy.
15
+
> Ensure that you are aware of the potential data that is being cached and that it is safe to cache.
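Review bot: the warning names the risk but gives the reader nothing actionable, and its last line ("Ensure that you are aware of the potential data that is being cached") is vague. Suggest ending the callout with a pointer to the new "Data disclosure through template caching" section added to the Form Security guide in this same change, and tightening the last line to something like "Only wrap content in `<% cached %>` when you have checked that nothing rendered inside it, including included templates and method calls, is user-specific." Also, "CSRF tokens" and "form submissions" are themselves user-specific data; listing them as separate categories reads oddly, so "user-specific data such as CSRF tokens and form submissions" would be clearer.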
en/02_Developer_Guides/03_Forms/04_Form_Security.md
+6
@@ -88,6 +88,12 @@ forms that have validators or security tokens (all of them by default) applied t
88
88
(and browsers) will not cache these pages.
89
89
See [Performance: HTTP Cache Headers](/developer_guides/performance/http_cache_headers/).
90
90
91
+
## Data disclosure through template caching
92
+
93
+
Forms can also be cached by the Silverstripe template caching system when the rendered `<form>` HTML tag is contained within a `<% cached %>` block. This can lead to the same data disclosure issues as HTTP caching if a form response containing user data is cached and served to another user.
94
+
95
+
Templates can include other templates, as well as call methods on objects. This means it's not always obvious when using a `<% cached %>` block that a `<form>` further down in the hierarchy is being cached. Because of this you need to be mindful when using a `<% cached %>` block in your templates about the potential content that is being cached.
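Review bot: the new section should state explicitly that the automatic exemption described just above it (forms with validators or security tokens disable HTTP caching) applies only to HTTP cache headers; the template cache has no equivalent detection, so a `<% cached %>` block will happily store a rendered `<form>` together with its security token and any re-displayed submitted values. Without that sentence a reader may assume the same safeguard covers both mechanisms. Suggest also cross-linking to the partial template caching guide, which now carries a matching warning, so the two pages do not drift apart, and trimming the second paragraph: "Because of this you need to be mindful when using a `<% cached %>` block in your templates about the potential content that is being cached" can become "Because of this, check what a `<% cached %>` block actually renders before using it."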
en/08_Changelogs/5.4.0.md
+18-7
@@ -305,13 +305,13 @@ The exception was made for the following reasons:
305
305
- [`LeftAndMain::Modals()`](api:SilverStripe\Admin\LeftAndMain::Modals()) has been deprecated. It will be removed without equivalent functionality to replace it.
306
306
- [`ModalController::getController()`](api:SilverStripe\Admin\ModalController::getController()) has been deprecated. It will be removed without equivalent functionality to replace it.
307
307
- [`ModalController::getName()`](api:SilverStripe\Admin\ModalController::getName()) has been deprecated. It will be removed without equivalent functionality to replace it.
308
-
- [`CampaignAdminExtension`](api:SilverStripe\AssetAdmin\Extensions\CampaignAdminExtension) has been deprecated. It will be removed without equivalent functionality to replace it.
309
-
- [`CMSPageEditController::addtocampaign()`](api:SilverStripe\CMS\Controllers\CMSPageEditController::addtocampaign()) has been deprecated. It will be removed without equivalent functionality to replace it.
310
-
- [`CMSPageEditController::AddToCampaignForm()`](api:SilverStripe\CMS\Controllers\CMSPageEditController::AddToCampaignForm()) has been deprecated. It will be removed without equivalent functionality to replace it.
311
-
- [`CMSPageEditController::getAddToCampaignForm()`](api:SilverStripe\CMS\Controllers\CMSPageEditController::getAddToCampaignForm()) has been deprecated. It will be removed without equivalent functionality to replace it.
312
-
- [`AssetAdmin::addtocampaign()`](api:SilverStripe\AssetAdmin\Controller\AssetAdmin::addtocampaign()) has been deprecated. It will be removed without equivalent functionality to replace it.
313
-
- [`AssetAdmin::AddToCampaignForm()`](api:SilverStripe\AssetAdmin\Controller\AssetAdmin::AddToCampaignForm()) has been deprecated. It will be removed without equivalent functionality to replace it.
314
-
- [`AssetAdmin::getAddToCampaignForm()`](api:SilverStripe\AssetAdmin\Controller\AssetAdmin::getAddToCampaignForm()) has been deprecated. It will be removed without equivalent functionality to replace it.
308
+
- [`CampaignAdminExtension`](api:SilverStripe\AssetAdmin\Extensions\CampaignAdminExtension) has been deprecated. It will be replaced with `SilverStripe\CampaignAdmin\Extensions\FileFormFactoryExtension`.
309
+
- [`CMSPageEditController::addtocampaign()`](api:SilverStripe\CMS\Controllers\CMSPageEditController::addtocampaign()) has been deprecated. It will be moved to `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`.
310
+
- [`CMSPageEditController::AddToCampaignForm()`](api:SilverStripe\CMS\Controllers\CMSPageEditController::AddToCampaignForm()) has been deprecated. It will be moved to `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`.
311
+
- [`CMSPageEditController::getAddToCampaignForm()`](api:SilverStripe\CMS\Controllers\CMSPageEditController::getAddToCampaignForm()) has been deprecated. It will be moved to `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`.
312
+
- [`AssetAdmin::addtocampaign()`](api:SilverStripe\AssetAdmin\Controller\AssetAdmin::addtocampaign()) has been deprecated. It will be moved to `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`.
313
+
- [`AssetAdmin::AddToCampaignForm()`](api:SilverStripe\AssetAdmin\Controller\AssetAdmin::AddToCampaignForm()) has been deprecated. It will be moved to `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`.
314
+
- [`AssetAdmin::getAddToCampaignForm()`](api:SilverStripe\AssetAdmin\Controller\AssetAdmin::getAddToCampaignForm()) has been deprecated. It will be moved to `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`.
315
315
- [`ModalController::EditorExternalLink()`](api:SilverStripe\Admin\ModalController::EditorExternalLink()) has been deprecated. It will be replaced with `SilverStripe\Admin\ModalController::linkModalForm()`.
316
316
- [`ModalController::EditorEmailLink()`](api:SilverStripe\Admin\ModalController::EditorEmailLink()) has been deprecated. It will be replaced with `SilverStripe\Admin\ModalController::linkModalForm()`.
317
317
- [`RemoteFileModalExtension::getRequest()`](api:SilverStripe\AssetAdmin\Extensions\RemoteFileModalExtension::getRequest()) has been deprecated. Use `RemoteFileModalExtension::getOwner()->getRequest()` instead.
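Review bot: the seven rewritten entries use two different phrasings for the same kind of change, "It will be replaced with" for `CampaignAdminExtension` and "It will be moved to" for the six `addtocampaign()` / `AddToCampaignForm()` / `getAddToCampaignForm()` methods. Since the surrounding entries (for example the `ModalController::EditorExternalLink()` line) consistently say "It will be replaced with", suggest using that wording throughout. The "moved to" entries also name only the target class `SilverStripe\CampaignAdmin\Extensions\AddToCampaignExtension`; naming the target method on that extension, as the `ModalController::linkModalForm()` entries do, would let a reader update call sites without reading the source.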
@@ -411,6 +411,17 @@ The exception was made for the following reasons:
411
411
- [`CMSSiteTreeFilter::mapIDs()`](api:SilverStripe\CMS\Controllers\CMSSiteTreeFilter::mapIDs()) has been deprecated. It will be removed without equivalent functionality to replace it.
412
412
- [`ElementSiteTreeFilterSearch`](api:DNADesign\Elemental\Controllers\ElementSiteTreeFilterSearch) has been deprecated. It will be replaced with `DNADesign\Elemental\ORM\Search\ElementalSiteTreeSearchContext`.
413
413
- [`ElementalCMSMainExtension`](api:DNADesign\Elemental\Extensions\ElementalCMSMainExtension) has been deprecated. It will be removed without equivalent functionality to replace it.
414
+
- The [`HTMLEditorField.fixed_row_height`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorField->fixed_row_height) configuration property has been deprecated. It will be replaced with `SilverStripe\Forms\HTMLEditor\HTMLEditorConfig.fixed_row_height`.
415
+
- [`HTMLEditorSanitiser::patternToRegex()`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser::patternToRegex()) has been deprecated. It will be replaced with `SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet::patternToRegex()`.
416
+
- [`HTMLEditorSanitiser::addValidElements()`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser::addValidElements()) has been deprecated. It will be replaced with `SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet`.
417
+
- [`HTMLEditorSanitiser::getRuleForElement()`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser::getRuleForElement()) has been deprecated. It will be replaced with `SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet::getRuleForElement()`.
418
+
- [`HTMLEditorSanitiser::getRuleForAttribute()`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser::getRuleForAttribute()) has been deprecated. It will be replaced with logic in `SilverStripe\Forms\HTMLEditor\HTMLEditorElementRule`.
419
+
- [`HTMLEditorSanitiser::elementMatchesRule()`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser::elementMatchesRule()) has been deprecated. It will be replaced with `SilverStripe\Forms\HTMLEditor\HTMLEditorRuleSet::isElementAllowed()`.
420
+
- [`HTMLEditorSanitiser::attributeMatchesRule()`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser::attributeMatchesRule()) has been deprecated. It will be replaced with `SilverStripe\Forms\HTMLEditor\HTMLEditorElementRule::isAttributeAllowed()`.
421
+
- [`TinyMCECombinedGenerator`](api:SilverStripe\Forms\HTMLEditor\TinyMCECombinedGenerator) has been deprecated. It will be replaced with `SilverStripe\TinyMCE\TinyMCECombinedGenerator`.
422
+
- [`TinyMCEConfig`](api:SilverStripe\Forms\HTMLEditor\TinyMCEConfig) has been deprecated. It will be replaced with `SilverStripe\TinyMCE\TinyMCEConfig`.
423
+
- [`TinyMCEScriptGenerator`](api:SilverStripe\Forms\HTMLEditor\TinyMCEScriptGenerator) has been deprecated. It will be replaced with `SilverStripe\TinyMCE\TinyMCEScriptGenerator`.
424
+
- [`FixtureContext::iSelectValueInAnchorDropdown()`](api:SilverStripe\CMS\Tests\Behaviour\FixtureContext::iSelectValueInAnchorDropdown()) has been deprecated. It will be replaced with `SilverStripe\CMS\Tests\Behaviour\AnchorContext::iSelectValueInAnchorDropdown()`.
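Review bot: the `HTMLEditorSanitiser::getRuleForAttribute()` entry says it "will be replaced with logic in `SilverStripe\Forms\HTMLEditor\HTMLEditorElementRule`" without naming a method, while the neighbouring `attributeMatchesRule()` entry names `HTMLEditorElementRule::isAttributeAllowed()`; since the sanitiser is the component that decides which HTML survives editor input, readers migrating custom rules need the concrete replacement, so either name the method or say plainly that there is no direct equivalent. The three `TinyMCE*` entries point to a new `SilverStripe\TinyMCE` namespace but do not say which module provides it; a short note on what to require, or a link to that module's docs, belongs with these lines. Finally, the `FixtureContext::iSelectValueInAnchorDropdown()` line is a Behat test helper placed at the end of a list of editor and sanitiser classes; grouping it with the other `SilverStripe\CMS\Tests` deprecations (if any) or labelling it as a testing change would keep the list scannable.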