Hosting SilverStripe


SilverStripe is an open source content management application and PHP development framework. Initially released in 2000, and open source since 2006, SilverStripe has received numerous industry awards including Best Open Source Project in the 2010 New Zealand Open Source Awards.

1 click installation

Easy update

Backup and restoration


Content Management
Current version
Last update: 28 June 2022
English + 53 others

System Requirements

Installation size: 80.00 MB
open source
What's new
28 June - 80MB
Security
  • CVE-2022-28803 - Stored XSS in link tags added via XHR (Severity: Medium)
  • CVE-2022-25238 - Stored XSS via HTML fields (Severity: Medium)
  • CVE-2021-41559 - Quadratic blowup in Convert::xml2array() (Severity: Medium)
  • CVE-2022-24444 - Hybridsessions does not expire session id on logout (Severity: Medium)
  • CVE-2022-29858 - Unpublished, protected files can be published via shortcode (Severity: Medium)

What's New
  • Adding support for PHP 8.1: The Silverstripe CMS recipe now officially supports PHP 8.1.
  • Dropping support for PHP 7.3: In accordance with our PHP support policy, Silverstripe CMS Recipe 4.11.0 drops support for PHP 7.3.
  • GraphQL 4 major release: Silverstripe CMS Recipe 4.11.0 defaults to installing silverstripe/graphql version 4, which has just had a stable release. Previous releases installed version 3.
  • Upload and use WebP images in the CMS
  • Preview any DataObject in any admin section
  • Meta generator tag now shows framework version number
  • Allow-plugins configuration option in Composer versions 2.2.0 and up
  • Users will receive an email if their password is changed

4.10.0 (major version)
25 January - 80MB
Overview
  • Regression test and Security audit
  • PHPUnit 9.5 and PHP 8.0 official support
  • Dropping support for PHP 7.1 and PHP 7.2
  • Dropping support for Microsoft Internet Explorer

4.6.0 (major version)
14 July 2020 - 80MB
Overview
  • MySQL tables are auto-converted from MyISAM to InnoDB
  • Editing files directly in the insert-media modal
  • MIME Type validation now a core module
  • Solr no longer indexes draft/restricted content
  • Simplify customisation of ModelAdmin
  • Login forms module ships with installer

4.5.1 (security release)
20 April 2020 - 80MB
Security
  • 2020-02-12 d515e5e XSS through non-scalar FormField attributes (Serge Latyntcev) - See cve-2019-19325
  • 2020-02-03 ad1b00ec7 XSS through non-scalar FormField attributes (Serge Latyntcev) - See cve-2019-19325

Features and Enhancements
  • 2020-01-14 63b24d7 Add new block icon set for open source use (Sacha Judd)

  • 2020-02-16 b1576a8 ensure canView check is run on returned items (#8) (Steve Boyd)
  • 2020-02-13 62a68f4 Add back missing edit-write icon (Sacha Judd)
  • 2020-02-11 f7d09b1 Update core requirements to 4.5 series (Garion Herman)
  • 2020-02-10 bddb5ad Update core requirement to 4.5 series (Garion Herman)
  • 2020-02-10 62de5181 Update core requirements to 4.5 series (Garion Herman)
  • 2020-02-10 7436e11d Update core requirements to 4.5 series (Garion Herman)
  • 2020-02-10 2742d74 Update CMS requirement to 4.5 series (Garion Herman)
  • 2020-02-10 664e6c99 Update core requirements to 4.5 series (Garion Herman)
  • 2020-02-10 ad5858a Update core requirements to 4.5 series (Garion Herman)
  • 2020-02-10 5053663 Update core requirements to 4.5 series (Garion Herman)
  • 2020-02-10 93d1acc Update framework requirement to 4.5 series (Garion Herman)
  • 2020-02-05 5dec950 do not render ImageSizePresentList react component for remote files (Steve Boyd)
  • 2020-02-04 ca36a47bb Update ORM DBField types to use Injector in scaffoldFormField() (mnuguid)
  • 2020-01-23 9750538a Update URLSegment field on enter key, rather than saving page (Garion Herman)
  • 2020-01-23 aa31b3d Adjust diff styling to improve accessibility (Garion Herman)
  • 2020-01-23 dd8c2ce temp images not being deleted if error is thrown (bergice)
  • 2020-01-23 76f1abc Changed revert button title when revert is possible. (bergice)
  • 2020-01-22 82a76b93 Fix alert showing for unrelated elements (bergice)
  • 2020-01-07 089053b Make discard confirmations show up when navigating away from editing files (bergice)
  • 2019-12-16 8edf14d VersionedFilesMigrator auto-generated .htaccess directives (Serge Latyntcev)
  • 2019-12-15 fbc37fb Default WasDraft to true when migrating versioned DataObject (#240) (Maxime Rainville)
  • 2019-12-11 e229a98 Fixes #352 with guard for Folder query result (Russell Michell)
  • 2019-12-09 be5234d Reference the correct filters for endswith and startswith (Maxime Rainville)
  • 2019-11-26 04c377f Fix phpcs install, phpunit name (Serge Latyntcev)
  • 2019-11-24 f78b7a5 Update build script to copy images to dist folder (Maxime Rainville)
  • 2019-11-22 af55826 Fix missing dist images (Damian Mooyman)
  • 2019-11-15 64654ec Retrieve file by filename (Maxime Rainville)
  • 2019-11-14 4372544 Fix linting issue in VersionedFilesMigrationTask and VersionedFilesMigrator (Maxime Rainville)
  • 2019-11-04 d32b280 Resolve issue where dev/build does not refresh static content (Damian Mooyman)

4.5.0 (major version)
17 January 2020 - 80MB
  • PHP 7.1 is the lowest supported version
  • Apache >=2.4 is now recommended
  • Installer UI has been removed and offered as a separate module.
  • Generic login form styling is now available as an optional module
  • Removed use_gzip option on HtmlEditorField which used to compress the rich text editor dependency. No longer required since compression is performed as part of the CMS build automatically. See #832

4.4.4 (major version)
28 November 2019 - 80MB
4.4.4

  • 2019-09-23 8b7063a8e Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See cve-2019-12617
  • 2019-09-16 eccfa9b10 Session fixation in "change password" form (Serge Latyntcev) - See cve-2019-12203
  • 2019-08-20 f98a59de install.php warning does not account for public dir (Aaron Carlino) - See cve-2019-12204
  • 2019-08-17 8c7a719 Broken access control on files due to session grant (Aaron Carlino) - See cve-2019-14273
  • 2019-05-21 73e0cc6 Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See cve-2019-12245

Features and Enhancements
  • 2019-09-18 1308911 Add task to remove/protect _versions folders (Aaron Carlino)

  • 2019-09-24 3659f2888 Add 'legal empty attributes' to allow empty alt values on i (#9257) (Guy Marriott)
  • 2019-09-23 0d27f32cc Add 'legal empty attributes' to allow empty alt values on imgs (Garion Herman)
  • 2019-09-23 fc536fa Update Apache .htaccess for new access directives (Dylan Wagstaff)
  • 2019-09-20 ea363fc Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
  • 2019-09-16 6a1c6ecec Fix administrators not being able to see files that are restricted to groups (bergice)
  • 2019-09-10 591b88a9b Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
  • 2019-09-03 b0a6973 Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
  • 2019-09-02 9f19a9b make the actions consistent on the grid field items to what they look like on pages (#242) (Andre Kiste)
  • 2019-08-29 194ec84 content block editing breaking when editing using IE11 by adding Event constructor polyfill (bergice)
  • 2019-08-29 77ba8391c Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
  • 2019-08-28 73f43c6f4 Remove placeholder text on new group form (Maxime Rainville)
  • 2019-08-27 2f8d847a1 make the grid field actions consistent to what they look like on pages (bergice)
  • 2019-08-26 d2a07b104 Remove error when exporting a column that is not displayed in a GridField (Will Rossiter)
  • 2019-08-26 314a906 Fix the jstree styles so that the selected states are more visible (bergice)
  • 2019-08-26 8b22e3b Update LegacyThumbnailMigrationHelper to carry on if it hits a fileID it can't parse (Maxime Rainville)
  • 2019-08-23 5845ac6 Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
  • 2019-08-23 94d6c80 enter to submit form not working on Add new page (bergice)
  • 2019-08-22 841c855 Ensure dataobjects are unpublished during the delete mutation (Guy Marriott)
  • 2019-08-22 4cb4d46 react-select clears input on search. Monkey patch, needs upgrade (Aaron Carlino)
  • 2019-08-18 ab4ccb8 Update LegacyFileIDHelper to understand pre-SS33 variant FileID (Maxime Rainville)
  • 2019-08-13 1c548cb jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
  • 2019-07-29 0abfed3e0 Skip md5-ing the whole contents of a stream for etags (Guy Marriott)
  • 2019-04-12 7592db91 VirtualPage missing methods from target page (fixes #2408) (Loz Calver)


  • Optional migration to hash-less public asset URLs
  • Optional migration of legacy thumbnail locations
  • Security patch for CVE-2019-12246
  • Correct PHP types are now returned from database queries
  • Upgrade to React 16 in CMS
  • Server Requirements have been refined: MySQL 5.5 end of life reached in December 2018, thus SilverStripe 4.4 requires MySQL 5.6+.
  • SilverStripe 4.3 and prior still support MySQL 5.5 for their own lifetime.
  • The name of the directory where vendor module resources are exposed can now be configured by defining an extra.resources-dir key in your composer.json file. If the key is not set, it will automatically default to resources. New projects will be preset to _resources. This will avoid potential conflict with SiteTree URL Segments.
  • dev/build is now non-destructive for all Enums, not just ClassNames. This means your data won't be lost if you're switching between versions, but watch out for code that breaks when it sees an unrecognised value!
  • Removed File.migrate_legacy_file config option. Migration tasks now need to run via dev/tasks/; running them as part of dev/build is no longer supported.
  • Added navigation and new record actions to grid field detail forms. Inspired by @unclecheese's "better buttons".


  • DataList::column() now returns all values and not just "distinct" values from a column as per the API docs
  • DataList, ArrayList and UnsavedRelationList all have a columnUnique() method for fetching distinct column values
  • Take care with stageChildren() overrides. Hierarchy::numChildren() results will only make use of stageChildren() customisations that are applied to the base class and don't include record-specific behaviour.
  • New React-based search UI for the CMS, Asset-Admin, GridFields and ModelAdmins.
  • A new GridFieldLazyLoader component can be added to GridField. This will delay the fetching of data until the user accesses the container Tab of the GridField.
  • SilverStripe\VersionedAdmin\Controllers\CMSPageHistoryViewerController is now the default CMS history controller and SilverStripe\CMS\Controllers\CMSPageHistoryController has been deprecated.
  • PHPUnit tests no longer auto-flush, requiring manual flush parameters when changing YAML config or certain PHP code


  • Disable session-based stage setting in Versioned (see #1578)
  • Deprecated FunctionalTest::useDraftSite(). You should use querystring args instead for setting stage.


  • Support for public webroot folder public/
  • Better support for cross-platform filesystem path manipulation


  • Capture changes on keyup with debounce
  • debounce change events in changetracker - to reduce change event load build up with every keystroke

Bug Fixes
  • Fix issue with DebugView failing on class name of existing class
  • Fix critical issue with incorrectly saved session data
  • Fix issue with non-asset-admin users encountering errors embedding files
  • Ensure CMS authors can all see draft files by default
  • Fix typo in error message
  • entwine+react in case they rely on the redux store
  • TreeMultiselectField in Entwine sections
  • Allow cleanup marker regex to handle self closing HTML5 tags
  • remove uploaded items when executing or removing search
  • 'Error code' dropdown was misplaced


  • Add DBFile::Link() alias for DBFile::getURL() so that it matches File::Link()
  • add test for a --no-dev build

Bug Fixes
  • ed Rfc3339 implementation of Date and Datetime
  • Badge component test: convert to Component and add truthy test
  • Allow absolute URLs to be used as resources
  • Remove dependency on Doctrine module breaking with --prefer-dist
  • Fix cors breaking if referer header is present
  • Better upload error message
  • Fix invalid name generation on windows
  • Non-required fields failing when empty
  • booting and store initialisation so that initial state is not triggered too early in the process
  • remove onDrillDown prop from td element
  • Fix double casting in login authenticator name
  • Make GridFieldConfig less susceptible to error when versioned isn't installed
  • Add bootstrap styles to url segment field
  • ing string concat CS issues
  • HTTPResponse::removeHeader incorrectly converts header name to lowercase
  • Prevent basic-auth from disallowing logout
  • Forms run through FormHandler rather than Controllers now have access to current Request
  • Prevent GridField autocomplete triggering change tracker
  • Allow extension instances to be overridden by injector
  • Fix incorrect ORM usage when saving siteconfig
  • , adding a missing return statement.
  • Provide expected argument to onBefore/AfterPublish hooks
  • Implement correct subsites namespace in File extension
  • Remove classmap for folder that doesn't have classes
  • Update input-group-addon-bg variable
  • Allow HTML 5 input tags in FunctionalTest form submissions
  • Fix basic auth in PHP-CGI
  • travis OS build version so that behat will function
  • issue when deleting a recently uploaded files
  • mouse multi-section prevent buttons from working
  • Require branch alias for silverstripe/serve to ensure SS4 compatibility
  • Ensure testLeftAndMainSubclasses test runs some assertions
  • Allow Requirements::block to handle module resource paths
  • Ensure last GridField column when non sortable has its title displayed
  • Use PHP 5.3 array syntax
  • Do database migrations before default records
  • Fix incorrect merge of associative / non-associative summary fields
  • server error responses not displaying in UI
  • Less restrictive arguments for image resize
  • Allow the current controller as well as injectable HTTPRequest objects
  • Use Injector to retrieve the current session
  • UploadField to be injectable
  • TreeDropdownField layout
  • travis build
  • literal linting
  • Only show table_name warning on dev/build
  • Don't warn on table name for classes without tables
  • Remove unused Behat tests from 3.6 branch
  • Use baseDataClass for allVersions as with other methods
  • Update member passwordencryption to default on password change
  • issue where there's no error for duplicate name
  • don't try and switch out of context of the tab system


  • Prevent disclosure of sensitive information via LoginAttempt
  • Ensure xls formulae are safely sanitised on output
  • Prevent install.php from disclosing system passwords
  • SQL injection in full text search

API Changes
  • Remove MemberExtension, functionality is replaced by framework update

  • added loadComponent fix for asset-admin entwine components
  • Add ViewableData::getViewerTemplates()
  • Use recipes for test configuration
  • Promote Portuguese
  • Hide Image_Backend construction behind image manipulations to improve performance
  • Disable force_resample by default
  • Don't request unused width / height from graphql
  • Raise warning if DBField::create_field() would behave unpredictably and improve PHPDoc
  • Ensure that non-writable assets files are notified during install

Bug Fixes
  • VirtualPage not using target page's template
  • Fix unit tests
  • db autodiscover comment on loading behavior.
  • Remove some unnecessary ClassInfo calls in DataObjectSchema
  • Ensure that all tinymce_lang mappings are valid
  • Fix broken scrutinizer
  • Fix typo in Menu.scss
  • Restore BackURL preservation on log out
  • Issue where logging out from the CMS presents you with a login form with no BackURL
  • Support self::class text collection
  • Added warning for auto-generated table_name for non-test classes
  • deprecated usage of getMock in unit tests
  • Allow lowercase and uppercase declaration of legacy Int class
  • Fix regressions in asset resize behaviour change
  • Fix _configure_database.php being ignored
  • Fix added module fluid-prefix so module config will not require the full path to match
  • Fix change in resampled config setting
  • Ensure changetracker safely defers to other init scripts
  • Fix parameter order
  • Fix for buttons in change tracking and gridfield reloading
  • Fix allowed children types now load properly
  • fix ignore no-change-track marked fields in changetracker
  • Fix postgres / PDO support
  • HTTP::get_mime_type with uppercase filenames.
  • for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class
  • Restore missing '(Choose Page)' text in link insert modal
  • Fix DBEnum ignoring empty defaults
  • ManyMany link table joined with LEFT JOIN
  • page header center aligns when site tree is closed
  • fix show empty string title when relevant - rather than null when no options
  • Fix don't treat zero-date as invalid
  • Prevent .htaccess operations from users in the same group failing
  • Fix shortcodes not being parsed
  • unsaved change dialog display just after creating a record
  • fix missing chosen sprites added to dist folder
  • Fixes SapphireTest masking userland coding errors.
  • Don't redirect in force_redirect() in CLI
  • Remove whitespace around download link title
  • Make sure plain parts are rendered when re-rendering emails
  • Fix buttons in upload field to be proper button types
  • Fix ContextSummary behaviour with UTF8 chars
  • Fix react-select does not return the true value when the option is missing
  • Fix native upload dialog appearing in entwine sections and added a canUpload condition for UploadField
  • Remove usage of deprecated each()
  • Remove usage of deprecated each() and use a helper method instead
  • ed array/object mismatch bug in PaginatedList
  • Fix usability issue, can tab to the upload field item even when it doesn't do anything by default
  • Helpful warning when phpunit bootstrap appears misconfigured
  • Use self::inst() for Injector/Config nest methods
  • Fix wrong mouse cursor for description text in upload field area
  • stop bothering people with pop-ups
  • revert to this button after archiving
  • UploadField overwriteWarning isn't working in AssetAdmin
  • Don't use var_export for cache key generation as it fails on circular references
  • TreeDropdownField showing broken page icons
  • Files without extensions
  • Fixes #7116 Improves server requirements docs viz: OpCaches.


This version introduces many breaking changes, which in most projects can be managed through a combination of automatic upgrade processes as well as manual code review.

  • Minimum version dependencies have increased; PHP 5.5 and Internet Explorer 11 (or other modern browser) are required.
  • All code earlier marked as deprecated for 4.0 has now been removed (check our deprecation process)
  • All code has been migrated to follow the PSR-2 coding standard. Most significantly, all SilverStripe classes are now namespaced, and some have been renamed. This has major implications for arrangement of templates, as well as other references to classes via string literals or configuration. Automatic upgrading tools have been developed to cope with the bulk of these changes (see upgrading notes).
  • Object class has been replaced with traits (details).
  • Asset storage has been abstracted, and a new concept of DBFile references via database column references now exists in addition to references via the existing File dataobject. File security and protected files are now a core feature (details)
  • A new front-end development process has been developed for the construction of javascript based components, prominently featuring ReactJS to develop highly functional CMS content areas. A new standard form schema API has been developed to allow back-end PHP constructed forms to scaffold themselves within ReactJS powered sections.
  • CMS CSS has been re-developed using Bootstrap v4 as a base (blog post)
  • Asset admin has been replaced with a purely ReactJS powered upgrade, and split out module called asset-admin.
  • Versioning is now a much more powerful feature, with the addition of campaigns to allow batches of related or inter-dependent objects to be published as a single "changeset" (details).
  • Dependencies between versioned objects can be declared using the new ownership API, so that developers can ensure that relational consistency is maintained during publishing (details). This new system can be managed via the new "Campaigns" CMS section (blog post)
  • Template variable casting (e.g. $Title) is enforced by default, which will ensure safe HTML encode unless explicitly opted out (details)
  • Themes are now configured to cascade, where you can specify a list of themes, and have the template engine search programmatically through a prioritised list when resolving template and CSS file paths.
  • Removed module path constants (e.g. FRAMEWORK_PATH) and support for hardcoded file paths (e.g. mysite/css/styles.css) (details)
  • Replaced Zend_Translate with symfony/translation (details)
  • Replaced Zend_Cache and the Cache API with a PSR-16 implementation (symfony/cache) (details)
  • _ss_environment.php files have been removed in favour of .env and "real" environment variables (details).
  • Behat support updated to v3 (details)
  • The GDBackend and ImagickBackend classes have been replaced by a unified InterventionBackend which uses the intervention/image library to power manipulations.
  • Dependencies can be managed via recipe-plugin. See recipe-core and recipe-cms as examples.
  • Authentication has been upgraded to a modular approach using re-usable interfaces and easier to hook in to LoginHandlers (details).
  • Core modules are installed in the vendor/ folder by default (other modules can opt-in, see guide)
  • Renamed constant for temp folder from TEMP_FOLDER to TEMP_PATH for naming consistency with other path variables and constants

3.6.2 (major version)
18 October 2017 - 80MB
WARNING
Any customisations made to SilverStripe's core or modules will likely be broken by upgrading to this version.

  • 41270fc Only allow HTTP(S) links for external redirector pages (Daniel Hensby) - See ss-2017-003
  • 447ce0f Lock out users who don't exist in the DB (Daniel Hensby) - See ss-2017-002
  • 61cf72c Unescaped fields in CMSPageHistoryController::compare() (Daniel Hensby) - See ss-2017-004

API Changes
  • f1b99b6 Enable theming of GroupedDropdownField (Damian Mooyman)
  • 3583f1f Convert::raw2json can be passed an optional bitmask of JSON constants as options (Robbie Averill)

Features and Enhancements
  • 1a65188 Make page urls bookmarkable (Damian Mooyman)
  • 40bf945 PHP 7 compatibility (Loz Calver)
  • 88f90bf Merge pull request #6499 from SilbinaryWolf/feat-decoratorsetlist (Damian Mooyman)
  • 52cad6c Added ImagickBackend::crop() for compatibility with GDBackend (UndefinedOffset)
  • b4ba606 HTMLEditorField default alignment setting (Damian Mooyman)
  • 24dc342 HTMLEditorField default alignment setting (Jonathon Menz)
  • 776d2fb Allow setting of unlimited row counts on GridFieldPaginator (Daniel Hensby)

  • 5116476 Issue where CMS SiteTree can result in infinite recursion if parent and child relation is swapped (Daniel Hensby)
  • 1ff6f3f ing doArchive (John Milmine)
  • 000a5f7 Fix page history / settings forms (Damian Mooyman)
  • 7e77753 intl test (Daniel Hensby)
  • 41eddfc ing cms page history controller to use new page id param (Tim Kung)
  • 80e8967 Fix VirtualPage::init() content-modification check. (Sam Minnee)
  • 2ddb616 Correct case of CopyContentFrom method (Daniel Hensby)
  • ec15c71 Add __isset to VirtualPage for PHP7 support. (Daniel Hensby)
  • ae0fe75 non-numeric warnings in GDBackend/ImagickBackend (Loz Calver)
  • f101697 File::ini2bytes() in PHP 7 (Loz Calver)
  • e22cd4d TabSet attempting to access undeclared property (Loz Calver)
  • f083a06 Fix ViewableData::__isset() for getXXX() getters. (Sam Minnee)
  • e5f51b1 Relax PHP version requirement. (Sam Minnee)
  • 454646c invalid closure param in ShortcodeParserTest (Loz Calver)
  • 82f62c8 illegal string offset in spyc component (Loz Calver)
  • b3d3788 many_many_extraFields breaks _SortColumn0 ordering (fixes #6730) (Loz Calver)
  • cc749d3 Give DatetimeField its own template (which is extensible) (Robbie Averill)
  • 22ad39e Fix SSViewerTest in PHP7 (Sam Minnee)
  • f224849 Don't use SplFixedArray in PHP 7. (Sam Minnee)
  • cca7e96 Correct PHP4-style constructors in SimpleTest. (Sam Minnee)

3.5.3 (major version)
23 March 2017 - 75MB
Bugfixes
  • 2017-02-08 1f3d46b #6606 the JS SiteTree lib depends on whitespace (Daniel Hensby)
  • 2017-01-30 10d9f90 to allow ASSETS_DIR to be a subdirectory (Brendan Halley)
  • 2016-11-21 682e607 Correct response code generated from error pages (Damian Mooyman)

3.5 Release Summary
  • 2016-06-10 19b9413 Use injector for MemberLoginForm fields (Daniel Hensby)
  • 2016-05-15 c401d9d added hide_from_cms_tree and hide_from_hierarchy (John Milmine)
  • 2015-02-11 dae2295 Allow the paddedresize to take another hex value to specify a transparency on the padded color (Nick)
  • 2016-11-15 f43a91a Add FormField::canSubmitValue() (Damian Mooyman)
  • 2016-11-07 ffd9938 ShortcodeParser getter and extension points (Jonathon Menz)
  • 2016-09-15 b87c668 support dblib (#5996) (Damian Mooyman)
  • 2016-09-05 c6457c5 Allow has_many fixtures to be declared with array format as well as many_many (#5944) (Damian Mooyman)
  • 2016-07-15 d08ab6a Allow X-Frame-Options to be configured (Damian Mooyman)
  • 2016-06-20 e810a99 Add optimistic_connect to SS_Database (Damian Mooyman)


3.4.1 (security release)
7 September 2016 - 75MB
Security
  • 2016-08-02 b0ba201 Fix value / title escaping in CheckboxSetField and OptionsetField (Damian Mooyman) - See ss-2016-015
  • 2016-07-25 d1163d8 Autologin cookies are ignored if autologin is disabled (Daniel Hensby) - See ss-2016-014
  • 2016-07-22 8bbf1ca Uncasted member name (Daniel Hensby) - See ss-2016-013
  • 2016-07-15 08384bb Reset Member::Salt on password change (Daniel Hensby) - See ss-2016-008
  • 2016-07-14 782c18f ChangePasswordForm does not check $member->canLogin before login (Daniel Hensby) - See ss-2016-011
  • 2016-07-14 c1525c8 Missing ACL check on ReportAdmin (Daniel Hensby) - See ss-2016-012
  • 2016-05-03 41be95c Encode user supplied URL for embedding into page (Daniel Hensby) - See ss-2016-007

  • 2016-08-15 ac26816 Fix regression in url concatenation #4967 (Damian Mooyman)
  • 2016-08-15 ef85618 Fix regression in FormField casting (Damian Mooyman)
  • 2016-08-02 af3412a fix to grid field loading wrong current page id when using multiple tabs (John Milmine)
  • 2016-08-02 cd80d50 Fix unset config options returning isset() = true (Damian Mooyman)
  • 2016-08-01 7d0b8e6 Fix permission checking code not correctly handling escaped SQL identifiers (Damian Mooyman)
  • 2016-07-28 6c37532 Gridfield delete action back link (#5848) (Jono Menz)
  • 2016-07-28 c965133 Direct edit file by URL (Jonathon Menz)
  • 2016-07-25 3306deb Fix link concatenation in SilverStripeNavigator (#1560) (Damian Mooyman)
  • 2016-07-25 9c7c7f6 Fix regression in missing require_js from #4259 (Damian Mooyman)
  • 2016-07-22 82e5431 do not show HiddenClass pages in allowed children (#1555) (Robbie Averill)
  • 2016-07-20 319d6d2 Fix doclink (#5827) (Damian Mooyman)
  • 2016-07-19 10e06dc Fixes #1054 By preventing errors in the CMS only. (Russell Michell)
  • 2016-07-15 b3fea37 Fixes support for "inline" form actions (fixes #2534) (Loz Calver)
  • 2016-07-12 24efc7e Fix sorting ArrayList with sql-like syntax (Damian Mooyman)
  • 2016-07-12 8123c43 Fix getAbsoluteLiveLink() concatenation (Damian Mooyman)
  • 2016-07-12 87477a1 Fix incorrect url manipulation (Damian Mooyman)
  • 2016-07-07 4aa1fc2 Changed form fields that call renderWith in Field() to call parent::Field() instead (#5783) (Ed Chipman)
  • 2016-07-07 27cea80 SS_ConfigStaticManifest_Parser failed to handle ::class syntax (fixes #5701) (#5781) (Loz Calver)
  • 2016-07-04 0b7dab3 Fix missing icons (Damian Mooyman)
  • 2016-07-01 39238d9 falsey attribute values in shortcodes now work (Daniel Hensby)
  • 2016-06-30 2cdfe6c Use RAW for DBField template helpers (Daniel Hensby)
  • 2016-06-30 b0f237b Use RAW instead of Value for parsing shortcodes (Daniel Hensby)
  • 2016-06-13 f0d4951 for #5683: Address security warning in CMS when attempting to access contents (Back-porting fix from PR #5163) (Patrick Nelson)
  • 2016-06-08 bf00810 Fix buttonClicked() error (Damian Mooyman)
  • 2016-06-06 946495b Regression with (fixes #5656) (Loz Calver)
  • 2016-05-31 eba89b9 OldPageRedirector no longer loops infinitely if 404 thrown on existing page (Daniel Hensby)
  • 2016-05-31 341f49c Fixed lookup of next closest visible field for focus restoring (fixes #5618) (UndefinedOffset)
  • 2016-05-27 f1a0aef fix CMS_ACCESS permission being ignored if in incorrect order in array (Damian Mooyman)
  • 2016-05-21 decd7e5 Fix getFinalisedQuery not including all queried columns (Damian Mooyman)
  • 2016-05-20 8382685 #5557 Tests with no DB requirements won't create test DB (Daniel Hensby)
  • 2016-04-19 43dcde5 Hierarchy was incorrectly unexpanding nodes that had been previously expanded (madmatt)
  • 2016-01-22 4bd66b9 for #4909: Ensure RSSFeed_Entry is instantiated using the injector. (Patrick Nelson)
  • 2015-04-21 a7100e9 Object::parse_class_spec failed to parse associative arrays (Loz Calver)

3.4.0 (major version)
13 June 2016 - 75MB
API Changes
  • 2016-05-18 c55777c Enable friendly error HTTP code by default for new projects (Damian Mooyman)
  • 2016-05-18 757cfae Enable Debug.friendly_error_httpcode to correctly set HTTP status code for errors (Damian Mooyman)
  • 2016-05-12 7041c59 Enable requirements to persist between flushes (Damian Mooyman)
  • 2016-04-19 43b0052 Remove artifact datalist overrides from UnsavedRelationList (Damian Mooyman)
  • 2016-03-07 634e86f Include File.ParentID in fulltext search results (Damian Mooyman)
  • 2015-12-13 62f183d before/afterExtend now support parameters passed by reference (Damian Mooyman)
  • 2015-11-25 3842971 refactor into individually overridable components (Damian Mooyman)
  • 2015-08-28 f6fe142 Making ArrayList (and others) more consistent with DataList (Daniel Hensby)

Features and Enhancements
  • 2016-03-27 1e7281a Add onBeforeRender() hook to GridField (Loz Calver)
  • 2016-03-15 2923787 consistent file icons (Jonathon Menz)
  • 2016-02-23 375bbf9 and fix for issue #3186 (Tyler Kidd)
  • 2016-02-22 01c8d38 Passing $tmpFile to extension. (Taras Yemtsov)
  • 2015-12-22 c9ba0e4 Add ViewableData::setFailover() to refresh detected methods when changing failover (Loz Calver)

  • 2016-05-18 62bd26d Fix suppression of display_errors in ErrorControlChain (Damian Mooyman)
  • 2016-05-17 8ed25ae Fix DataObject::isChanged() detecting non saveable changes (#5545) (Damian Mooyman)
  • 2016-05-17 8947bb0 Fix filtersOnId ignoring WHERE "ID" IN () (#5546) (Damian Mooyman)
  • 2016-05-17 829f59e Fix link dialog box layout in CMS (Damian Mooyman)
  • 2016-05-16 79d0590 Fix singleton('DBLocale') (Damian Mooyman)
  • 2016-05-13 4d1ddf0 Prevent session hijackers from resetting a user password (Damian Mooyman)
  • 2016-05-10 3738d88 Empty FROM clause (Daniel Hensby)
  • 2016-05-10 d1df67d SQLSelect count methods now cast to int (fixes #5498) (Loz Calver)
  • 2016-05-05 cc7a2ae Add framework/admin tests (#118) (Daniel Hensby)
  • 2016-05-02 096f30e Fix GridFieldAddExistingAutocompleter (Damian Mooyman)
  • 2016-04-28 6934083 for #5410 to help focus errors occurring on tabs within GridField controlled DataObjects (et al). (Patrick Nelson)
  • 2016-04-21 fa5b8b8 Fix error when modals are displayed (Damian Mooyman)
  • 2016-04-21 b4f466f Correct framework/module dependencies for cms (Damian Mooyman)
  • 2016-04-21 ae268ae #5363 Add .JSON option for templates (Robbie Averill)
  • 2016-03-29 7907d20 changing all cases of filesize spelling to file size (Tim Kung)
  • 2016-03-17 96c586b only output $CleartextPassword if it has a value (Christopher Darling)
  • 2016-02-12 a34f17f for #5028: Ensure empty YML configs don't break when merging them in (i.e. make sure it's traversable before foreach'ing over it). (Patrick Nelson)
  • 2016-01-26 b1b403c Borders on CMS Actions (Daniel Hensby)
  • 2016-01-26 c5fc9dd CMS actions alignment (Daniel Hensby)
  • 2016-01-12 a7110be OptionsetField uses aria-required (Torleif West)
  • 2016-01-11 122784b OptionsetField input has required #4901 (torleif)
  • 2016-01-11 288c8a8 OptionsetField returns valid HTML #4901 (torleif)
  • 2016-01-06 bf6337c Changes needed to respond to whitespace changes. (Sam Minnee)
  • 2016-01-06 4aa5053 Fixes needed to adapt to whitespace changes. (Sam Minnee)
  • 2015-12-22 24660af Parameters passed to includes overwrite all scopes (fixes #2617) (Loz Calver)
  • 2015-11-04 fb43e59 Setting hide_ancestor=true causes a random page type to be hidden (Loz Calver)
  • 2015-10-07 7a81372 castingHelper failed to find many_many_extraFields data (fixes #4661) (Loz Calver)
  • 2015-08-04 e94c0fa extraClass() method to match parent method (Florian Thoma)
  • 2014-10-29 61a9b2a GridFieldPaginator now prevents viewing pages with no results (fixes #3192) (Loz Calver)

18 November 2015 - 75MB

Security
  • 2015-11-12 b61d6dc HtmlEditorField_Toolbar#viewfile not whitelisting URLs (Hamish Friedlander) - See ss-2015-027
  • 2015-11-11 bc1b289 Fix FormField error messages not being encoded safely (Damian Mooyman) - See ss-2015-026
  • 2015-11-09 f290d86 Don't expose class on error (Hamish Friedlander) - See ss-2015-025
  • 2015-11-01 4f55b6a XML escape RSSFeed $link parameter (Ingo Schommer) - See ss-2015-022
  • 2015-10-28 132e9b3 Fix rewrite hash links XSS (Damian Mooyman) - See ss-2015-021

  • 2015-11-10 732e705 Correct behaviour for empty filter array (as per 3.1) (Damian Mooyman)
  • 2015-11-09 414ea3d prevent UploadField edit form generation for Folders (Damian Mooyman)
  • 2015-11-05 c6c650f Ensure CMSMainTest uses correct siteconfig (Damian Mooyman)
  • 2015-11-02 0272e44 Prevent dev/build continually regenerating Number field type (Damian Mooyman)
  • 2015-10-30 2813f94 Ensure that filters on any fixed field are scoped to the base data table (Damian Mooyman)
  • 2015-10-30 38ca963 Add missing CMSSecurity route (Damian Mooyman)
  • 2015-10-29 daa86d3 Fix regression from #4396 in test fixtures (Damian Mooyman)
  • 2015-10-28 db16248 Fix broken InlineFormAction (Damian Mooyman)
  • 2015-10-27 293d847 for #4712: Dropping in some PHP documentation on return types for dynamically generated image methods. (Patrick Nelson)
  • 2015-10-20 b857bdf Fix duplicate files being included in case of flush (Damian Mooyman)
  • 2015-10-19 c364158 only use sethasemptydefault if exists. (Cam Findlay)
  • 2015-10-08 ff6c0a3 (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
  • 2015-10-08 785f850 for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
  • 2015-10-01 75dc391 for #586 and possible fix for #736 and relates to #2449: Don't perform validation upon deletion, since it isn't necessary. Cleaned up type hint. (Patrick Nelson)
  • 2015-09-17 e64d73c Fix ClassInfo::table_for_object_field (Damian Mooyman)
  • 2015-08-05 2901664 . FulltextFilter requires table identifiers in match query (Elvinas L.)
  • 2015-07-12 f192a6e #4392: Ensure headers are checked first before being clobbered by globally maintained state. Also ensuring tests utilize separate responses for isolation. (Patrick Nelson)

3.2.0 (major version)
16 October 2015 - 75MB

Major changes
  • Minimum PHP version raised to 5.3.3
  • Introduction of new parameterised ORM
  • Default support for PDO
  • Moved SS_Report and ReportAdmin out to a separate module. If you're using composer or downloading a release, this module should be included for you. Otherwise, you'll need to include the module yourself (
  • Moved SiteConfig also out to its own module. This will be included by default if you include the CMS module. (
  • Implementation of new "Archive" concept for page removal, which supersedes "delete from draft". Where deletion removed pages only from draft, archiving removes from both draft and live simultaneously.
  • Most of the Image manipulation methods have been renamed

Deprecated classes/methods
  • DataList::getRange() removed. Use limit() instead.
  • SQLMap removed. Call map() on a DataList or use SS_Map directly instead.
  • SQLQuery methods select(), limit(), orderby(), groupby(), having(), from(), leftjoin(), innerjoin(), where() and whereAny() removed. Use set*() and add*() methods instead.

New and changed API
  • Implementation of a parameterised query framework eliminating the need to manually escape variables for use in SQL queries. This has been integrated into nearly every level of the database ORM.
  • Refactor of database connectivity classes into separate components linked together through dependency injection
  • Refactor of SQLQuery into separate objects for each query type: SQLSelect, SQLDelete, SQLUpdate and SQLInsert
  • PDO is now a standard connector, and is available for all database interfaces
  • DataObject::doValidate() method visibility added to access DataObject::validate externally
  • NumericField now uses HTML5 "number" type instead of "text"
  • UploadField "Select from files" shows files in all folders by default
  • UploadField won't display an overwrite warning unless Upload::replaceFile is true
  • HtmlEditorField no longer substitutes for indented text
  • ClassInfo::dataClassesFor now returns classes which should have tables, regardless of whether those tables actually exist.
  • SS_Filterable, SS_Limitable and SS_Sortable now explicitly extend SS_List
  • Convert::html2raw no longer wraps text by default and can decode single quotes.
  • Mailer no longer calls xml2raw on email subject lines; subjects must now be passed in as plain text.
  • ErrorControlChain now supports reload on exceptions
  • FormField::validate now requires an instance of Validator
  • API: Removed URL routing by controller name
  • Security: The multiple authenticator login page should now be styled manually - i.e. without the default jQuery UI layout. A new template, is available.
  • Security: This controller's templates can be customised by overriding the getTemplatesFor function.
  • Deprecation::set_enabled() or SS_DEPRECATION_ENABLED can now be used to enable or disable deprecation notices. Deprecation notices are no longer displayed on test.
  • API: Form and FormField ID attributes rewritten.
  • SearchForm::getSearchQuery no longer pre-escapes search keywords and must be cast in your template
  • Helper function DB::placeholders can be used to generate a comma separated list of placeholders useful for creating "WHERE ... IN (?,...)" SQL fragments
  • Implemented Convert::symbol2sql to safely encode database and table names and identifiers. E.g. Convert::symbol2sql('table.column') => '"table"."column"';
  • Convert::raw2sql may now quote the escaped value, as well as safely escape it, according to the current database adaptor's preference.
  • DB class has been updated and many static methods have been renamed to conform to coding convention.
      • Renamed API: affectedRows -> affected_rows; checkAndRepairTable -> check_and_repair_table; createDatabase -> create_database; createField -> create_field; createTable -> create_table; dontRequireField -> dont_require_field; dontRequireTable -> dont_require_table; fieldList -> field_list; getConn -> get_conn; getGeneratedID -> get_generated_id; isActive -> is_active; requireField -> require_field; requireIndex -> require_index; requireTable -> require_table; setConn -> set_conn; tableList -> table_list.
      • Deprecated API: getConnect (was a placeholder for PDO connection string building code, but is made redundant by the PDOConnector being fully abstracted).
      • New API: build_sql (hook into new SQL generation code); get_connector (nothing to do with getConnect); get_schema; placeholders; prepared_query.
  • SS_Database class has been updated and many functions have been deprecated, or refactored into the various other database classes. Most of the database management classes remain in the database controller, because managing individual databases (changing, creating, etc.) varies quite a lot from API to API, but schema updates within a database itself are managed by an attached DBSchemaManager.
      • Refactored into DBSchemaManager: createTable; alterTable; renameTable; createField; renameField; fieldList; tableList; hasTable; enumValuesForField; beginSchemaUpdate and endSchemaUpdate -> Use schemaUpdate with a callback; cancelSchemaUpdate; isSchemaUpdating; doesSchemaNeedUpdating; transCreateTable; transAlterTable; transCreateField; transCreateField; transCreateIndex; transAlterField; transAlterIndex; requireTable; dontRequireTable; requireIndex; hasField; dontRequireField.
      • Refactored into DBQueryBuilder: sqlQueryToString.
      • Deprecated: getConnect - Was intended for use with PDO, but was never implemented, and is now redundant, now that there is a stand-alone PDOConnector; prepStringForDB - Use quoteString instead; dropDatabase - Use dropSelectedDatabase; createDatabase - Use selectDatabase with the second parameter set to true instead; allDatabaseNames - Use databaseList instead; currentDatabase - Use getSelectedDatabase instead; addslashes - Use escapeString instead.
  • LogErrorEmailFormatter now better displays SQL queries in errors by respecting line breaks
  • Installer has been majorly upgraded to handle the new database configuration options and additional PDO functionality.
  • Created SS_DatabaseException to emit database errors. Query information such as SQL and any relevant parameters may be used by error handling user code that catches this exception.
  • The SQLConditionGroup interface has been created to represent dynamically evaluated SQL conditions. This may be used to wrap a class that generates a custom SQL clause(s) to be evaluated at the time of execution.
  • DataObject constants CHANGE_NONE, CHANGE_STRICT, and CHANGE_VALUE have been created to provide more verbosity to field modification detection. This replaces the use of various magic numbers with the same meaning.
  • create_table_options now uses constants as API specific filters rather than strings. This is in order to promote better referencing of elements across the codebase. See FulltextSearchable->enable for example.
  • $FromEnd iterator variable now available in templates.
  • Support for multiple HtmlEditorConfigs on the same page.
  • Object::singleton() method for better type-friendly singleton generation
  • New Image methods CropWidth and CropHeight added
  • 'Max' versions of Image methods introduced to prevent up-sampling
  • Update Image method names in PHP code and templates: SetRatioSize -> Fit; CroppedImage -> Fill; PaddedImage -> Pad; SetSize -> Pad; SetWidth -> ScaleWidth; SetHeight -> ScaleHeight
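
The parameterised query and placeholder items above, shown as an added example that is not SilverStripe's own code: it uses plain PDO with an in-memory SQLite database so it runs without the framework. The helpers placeholders() and quoteIdentifier() are hypothetical stand-ins for the behaviour these notes describe for DB::placeholders and Convert::symbol2sql, and the Member table and its rows are constructed sample data.

```php
<?php
// Added example: plain PDO + in-memory SQLite (needs the pdo_sqlite extension).
// placeholders() and quoteIdentifier() are hypothetical helpers, not the
// framework's implementation of DB::placeholders or Convert::symbol2sql.

/** Build "?, ?, ?" for a "WHERE ... IN (?,...)" fragment. */
function placeholders(array $values): string
{
    if (count($values) === 0) {
        // "IN ()" is invalid SQL; refuse rather than emit a broken query.
        throw new InvalidArgumentException('IN () needs at least one value');
    }
    return implode(', ', array_fill(0, count($values), '?'));
}

/** Quote a dotted identifier: table.column => "table"."column". */
function quoteIdentifier(string $symbol): string
{
    $parts = explode('.', $symbol);
    foreach ($parts as $i => $part) {
        // Identifiers cannot be bound as parameters, so validate them strictly.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $part)) {
            throw new InvalidArgumentException("Unsafe identifier: $symbol");
        }
        $parts[$i] = '"' . $part . '"';
    }
    return implode('.', $parts);
}

/** Look up members by e-mail; every value travels as a bound parameter. */
function findByEmails(PDO $db, array $emails): array
{
    $sql = sprintf(
        'SELECT %s FROM %s WHERE %s IN (%s) ORDER BY %s',
        quoteIdentifier('Member.Email'),
        quoteIdentifier('Member'),
        quoteIdentifier('Member.Email'),
        placeholders($emails),
        quoteIdentifier('Member.ID')
    );
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($emails));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE "Member" ("ID" INTEGER PRIMARY KEY, "Email" TEXT)');
$db->exec(
    'INSERT INTO "Member" ("Email") VALUES '
    . "('admin@example.com'), ('editor@example.com'), ('author@example.com')"
);

// Constructed input: the second value contains quote characters. Because it
// is bound rather than concatenated, the database compares it as a literal
// string and it matches no row.
$input = ['editor@example.com', "x') OR ('1'='1"];
var_export(findByEmails($db, $input));
echo PHP_EOL;

// Identifiers that fail validation are rejected before any SQL is built.
try {
    quoteIdentifier('Member.Email"; --');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Values and identifiers take separate paths here: values are always bound, while table and column names, which cannot be bound, are validated and quoted.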

  • Reduced database regeneration chances on subsequent rebuilds after the initial dev/build
  • Elimination of various SQL injection vulnerability points
  • DataObject::writeComponents() now called correctly during DataObject::write()
  • Fixed missing theme declaration in installer
  • Fixed incorrect use of non-existing exception classes (e.g. HTTPResponse_exception)
  • GridState fixed to distinguish between check for missing values, and creation of nested state values, in order to prevent non-empty values being returned for missing keys. This was breaking DataObject::get_by_id by passing in an object for the ID.
  • Fixed order of File fulltext searchable fields to use same order as actual fields. This is required to prevent unnecessary rebuild of MS SQL databases when fulltext searching is enabled.
  • E_RECOVERABLE_ERROR was previously ignored and now correctly appears as a warning.

21 September 2015 - 75MB

Bugfixes
  • 2015-09-17 e64d73c Fix ClassInfo::table_for_object_field (Damian Mooyman)
  • 2015-09-09 06cc185 UploadField error when attempting to attach non-existent file IDs (Loz Calver)
  • 2015-09-07 96d20bc Fix missing framework/admin/tests (Damian Mooyman)

3.1.14 (security release)
14 September 2015 - 75MB

Security
  • 2015-09-07 d8fd64c Fix XSS in install.php (Damian Mooyman) - See ss-2015-016
  • 2015-09-07 7192932 Fix insecure returnURL in DatabaseAdmin (Damian Mooyman) - See ss-2015-015
  • 2015-09-07 7367cf5 Prevent possible Privilege escalation (Damian Mooyman) - See ss-2015-020

API Changes
  • 2015-01-28 782c4cb Enable single-column fulltext filter search as fallback (Damian Mooyman)

  • 2015-09-07 45b22c7 Fix missing framework/admin/tests (Damian Mooyman)
  • 2015-08-27 899eb0b Use complete fieldlist for extracting data (Daniel Hensby)
  • 2015-08-26 2d4b743 Members can access their own profiles in CMS (Daniel Hensby)
  • 2015-08-26 0943b3b Recursion errors when sorting objects with circular dependencies (fixes #4464) (Loz Calver)
  • 2015-08-20 fc212e0 Fix illegalExtensions breaking tests. (Damian Mooyman)
  • 2015-08-18 8b638f5 Using undefined var in ModelAdmin (Loz Calver)
  • 2015-07-26 5f5ce8a Disable cache to prevent caching of build target (Damian Mooyman)
  • 2015-07-16 a3201d6 $callerClass is undefined (Christopher Darling)
  • 2015-07-08 c7bd504 Fix cookie errors when running in CLI (Damian Mooyman)
  • 2015-07-07 5ace490 Fix issue when SS_ALLOWED_HOSTS is run in CLI (Damian Mooyman)
  • 2015-07-05 a556b48 Fix of multiple i18nTextCollector issues: #3797, #3798, #3417 (Damian Mooyman)
  • 2015-07-01 6fabd01 Fix potential XSS injection (Damian Mooyman)
  • 2015-06-26 d78d325 RedirectorPage_Controller shouldn't attempt redirection if the response is finished (fixes #1230) (Loz Calver)
  • 2015-06-18 f7f92b3 Invalid comment syntax for web.config (Daniel Hensby)
  • 2015-06-16 6169bf2 No longer caching has_one after ID change (Daniel Hensby)
  • 2015-06-11 6be0488 TreeDropdownField doesn't change label on unselect (Daniel Hensby)
  • 2015-05-28 0319f78 Incorrect env setting in 3.1.13 (Damian Mooyman)
  • 2015-05-22 e0710ae Fix DirectorTest failing when run with sake (Damian Mooyman)
  • 2015-05-20 94f6a13 Fixed setting LastEdited for DataObject with class ancestry (Gregory Smirnov)
  • 2015-05-20 869e69a Clicking icon in site tree link fails (Jonathon Menz)
  • 2015-05-20 f9bdf61 Fixed handling of numbers in certain locales (Gregory Smirnov)
  • 2015-05-19 dbe2ad4 Folder expansion icons (Jonathon Menz)
  • 2015-05-19 a56d08b TreeDropdownField Folder expansion (Jonathon Menz)
  • 2015-05-16 c6bcfea FieldList::changeFieldOrder() leftovers discarded (Jonathon Menz)
  • 2015-05-04 1cca37c File::getFileType() was case sensitive (fixes #3631) (Loz Calver)
  • 2015-04-01 7ff131d Fix default casted (boolean)false evaluating to true in templates (Damian Mooyman)
  • 2014-12-31 71a14c3 Prevent url= querystring argument override (Damian Mooyman)
  • 2014-10-25 28be51c Config state leaking between unit tests (Loz Calver)
  • 2014-09-20 bbc1cb8 #3458 iframe transport multi file upload FIX #3343, FIX #3148 (Thierry François)
  • 2014-05-25 40c5b8b FulltextFilter did not work and was not usable (micmania1)
  • 2014-03-24 fd755a7 ChangePasswordForm validation message should render HTML correctly. (Sean Harvey)

3.1.13 (security release)
1 June 2015 - 75MB

This release includes several security fixes to prevent HTTP Hostname injection, as well as a fix for the flush and isDev querystring parameters being settable via unauthenticated requests.

  • 2015-05-22 a978b89 Fix handling of empty parameter token (Damian Mooyman) - See ss-2015-014
  • 2015-05-25 75137db Ensure only trusted proxy servers have control over certain HTTP headers (Damian Mooyman) - See ss-2015-013
  • 2015-05-25 22a35e4 Fix malformed urls redirecting to external sites (Damian Mooyman) - See ss-2015-012
  • 2015-05-22 79cfa2b Bug fix sqlquery select (Damian Mooyman) - See ss-2015-011

  • 2015-04-24 242de4e Added Youtube's short URL. (Michael Strong)
  • 2015-05-28 9c8fa51 Allow users to specify allowed hosts (Marcus Nyeholt)
  • 2015-05-07 828ad6e Modifications to GridFieldExportButton to allow ArrayList use in SS_Report (Will Rossiter)
  • 2015-04-30 be10d90 count breaks when having clause defined (Aram Balakjian)
  • 2015-04-27 120b983 X-Reload & X-ControllerURL didn't support absolute URLs (fixes #4119) (Loz Calver)
  • 2015-04-25 bfd8b66 for #4104, minor revision of error messages in ListboxField (more intuitive). (Patrick Nelson)
  • 2015-04-23 5ae0ca1 #4100 Setup the ability to overload the ShortcodeParser class and ensuring its methods/properties are extensible via the "static" keyword. (Patrick Nelson)
  • 2015-04-23 c2fd18e use config for Security::$login_url (Daniel Hensby)
  • 2015-04-23 19423e9 Fix tinymce errors crashing CMS When removing a tinymce field, internal third party errors should be caught and ignored gracefully rather than breaking the whole CMS. (Damian Mooyman)
  • 2015-04-20 8e24511 Fix users with all cms section access not able to edit files Fixes #4078 (Damian Mooyman)
  • 2015-04-14 8caaae6 Fix accordion sometimes displaying scrollbars (Damian Mooyman)
  • 2015-03-31 a71f5f9 Use SearchForm::create to instantiate SearchForm (Daniel Hensby)
  • 2015-03-26 636cddb export and print buttons outside button row (Naomi Guyer)
  • 2015-03-26 a7d3f89 Check for existence of HTTP_USER_AGENT to avoid E_NOTICE error. (Sean Harvey)
  • 2015-03-25 8d6cd15 Fix some database errors during dev/build where an auth token exists for the current user Fixes #3660 (Damian Mooyman)
  • 2015-03-23 aba0b70 GridFieldDetailForm::setItemEditFormCalback broke chaining (Daniel Hensby)
  • 2015-03-23 72bb9a2 Debug::text no longer incorrectly returns "ViewableData_debugger" (Daniel Hensby)
  • 2015-03-16 f2b1fa9 broken link in docs to how_tos/extend_cms_interface (Jeremy Shipman)
  • 2015-02-24 6c92a86 Fix CMSMainTest attempting to render page on Security permission error (Damian Mooyman)

3.1.12 (security release)
20 March 2015 - 75MB

This security release resolves some XSS vulnerabilities and an XML vulnerability in the Framework.

If your code relies on Convert::xml2array, there are some important things to consider with regard to certain vulnerabilities. This release adds options to the method to help users guard against these risks, although each option is turned off by default.

  • 2015-03-20 ee9bddb Fix SS-2015-010 (Damian Mooyman) - See announcement ss-2015-010
  • 2015-03-20 7f983c2 Fix SS-2014-017 (Damian Mooyman) - See announcement ss-2014-017
  • 2015-03-20 604c328 Fixed XSS vulnerability relating to rewrite_hash (Christopher Pitt) - See announcements ss-2014-015, ss-2015-009

  • 2015-03-18 b34c236 Fix joins on tables containing "select" being mistaken for sub-selects Fix PHPDoc on SQLQuery::addFrom and SQLQuery::setFrom Fixes #3965 (Damian Mooyman)
  • 2015-03-11 a61c08d Security::$default_message_set Config value unusable (Loz Calver)
  • 2015-03-10 9651889 Fix yaml generation to conform to version 1.1, accepted by transifex (Damian Mooyman)
  • 2015-02-25 f5f41b2 Ensuring custom CMS validator uses Object->hasMethod() to respect extension decorator pattern. (Patrick Nelson)
  • 2015-01-13 9da7e90 . Missing translation entity (Elvinas L.)

3.1.10 (security release)
18 February 2015 - 75MB

Several medium and some low level security XSS (cross site scripting) vulnerabilities have been closed in this release.

  • 2015-02-10 1db08ba Fix FormAction title encoding (Damian Mooyman) - See announcement ss-2015-007
  • 2015-02-10 1db08ba Core CMS XSS Vulnerability Fixes (Damian Mooyman) - See announcements ss-2015-003, ss-2015-004, ss-2015-006
  • 2015-01-22 7733c43 Correctly sanitise Title (Michael Strong) - See announcement SS-2015-005
  • 2015-02-05 70e0d60 Fix developer output in redirection script (Damian Mooyman) - See announcement SS-2015-001

Features and Enhancements
  • 2015-01-22 2e4bf9a Update sake to reference new docs (Cam Findlay)

  • 2015-02-17 aa77e12 Fixed infinity loop when searching _ss_environment (Zauberfish)
  • 2015-02-12 047fe3a Include php version in default cache folder name Update CoreTest.php (JorisDebonnet)
  • 2015-02-08 a530085 External redirects shouldn't show in preview pane (Daniel Hensby)
  • 2015-02-06 d68435e SelectionGroup no longer shows empty FieldLists (Daniel Hensby)
  • 2015-02-06 a0f9535 issue where empty composite fields created a fieldlist with empty items (Daniel Hensby)
  • 2015-02-03 abd1e6b GridFieldExportButton should honour can method. (Will Rossiter)
  • 2015-01-22 eed7093 dev/build not flushing manifests if site is in a subfolder (Loz Calver)
  • 2015-01-19 77ebdc2 DataObject::db returned fields in incorrect order, with incorrect data types (Loz Calver)
  • 2015-01-15 32ce85d . Summary fields can't be translated (Elvinas L.)
  • 2015-01-13 2e6e8af insert media trims whitespace - fixes #845 (Emma O'Keefe)
  • 2015-01-13 2861e7c insert media trims whitespace fixes #845 (Emma O'Keefe)
  • 2015-01-09 ef237f6 Expands the CMS' centre-pane when collapsed and it's clicked. (Russell Michell)
  • 2014-10-24 9d78eb7 Fix BasicAuth not resetting failed login counts on authentication (Damian Mooyman)
  • 2014-10-16 e4ddb4b Ensure query string in X-Backurl is encoded (fixes #3563) (Loz Calver)
  • 2014-08-25 f823831 making minify javascript fail-safe (Igor Nadj)
  • 2014-04-03 5180452 Fixed handling of numbers in certain locales. Fixes #2161 (Damian Mooyman)

3.1.9 (security release)
15 January 2015 - 75MB

This release includes an important security fix.

File permissions
  • This release makes an important change to File DataObject permissions in order to close a vulnerability in file modification privileges. By default, the minimum permission required by any user to modify files has been changed to CMS_ACCESS_AssetAdmin. If you need unauthenticated users, or users with other rights, to edit certain files, then you will need to customise this. An example use case is an UploadField on the frontend, where files can be uploaded by non-admin users; your customised logic will need to ensure that those users can edit their own files after they have uploaded them.

  • 2015-01-12 c49f164 Fix file and uploadfield permissions SS-2014-018.

Features and Enhancements
  • 2014-11-21 31b5a9d Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)
  • 2014-12-10 fba6880 Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)
  • 2014-11-13 d7eb275 Make the record count in GridFieldFooter optional (Jeremy Shipman)

  • 2015-01-08 a02adf6 Unnecessary class replacement (Michael Strong)
  • 2014-12-18 5637431 The method 'name' does not exist on 'Form' (Elvinas L)
  • 2014-12-15 6582162 How to folder on forms (Cam Findlay)
  • 2014-12-11 b5c361a GD - check file exists before getimagesize (Will Morgan)
  • 2014-12-09 6bdd30c Fix gridfield storing duplicate data in session (Damian Mooyman)
  • 2014-12-09 3ac705f Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)
  • 2014-12-09 e9fd03b use GFMD code blocks to fix code formatting consistency. (Cam Findlay)
  • 2014-11-25 01989aa Manifest flushing (Jonathon Menz)
  • 2014-11-24 7384d01 DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)
  • 2014-11-18 2bdfd65 Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)
  • 2014-11-10 85b4ba1 DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)
  • 2014-10-03 9d888d5 Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)
  • 2014-09-02 1f4f5e6 Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)

19 November 2014 - 75MB
  • 2014-11-18 d849264 Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)

17 November 2014 - 75MB

Authentication
  • 3.1.7 introduces a re-authentication feature, which allows a user working in the CMS to quickly re-enter their password and continue working should their session expire. This occurs through a popup dialog, which asks the user for their current password to continue working. If a custom Authenticator class replaces the default MemberAuthenticator, this feature is disabled by default. If multiple authenticators are used, only supported ones will be available within the CMS. To create a CMS-supported version, override the Authenticator::supports_cms and Authenticator::get_cms_login_form methods. See MemberAuthenticator for an example implementation. Check the documentation at the Authentication topic.

Default Admin
  • In this version the way that the default admin user is managed is slightly changed. Rather than defaulting to the first administrator user in the CMS, a user logging in as a default admin will always be assigned to a "Default Admin" user with admin privileges. In the past, this user would only be created if no other administrators existed.

  • 2014-07-05 c247dd5 Add default $lock_out_after_incorrect_logins value SS-2014-016.
  • 2014-10-24 5d27ea4 File attach handler is no longer accessible if attachment is disallowed or disabled SS-2014-014.

API Changes
  • 2014-10-06 53c40a9 Enable re-authentication within the CMS if a user session is lost BUG Resolve issue with error redirection being ignored within CMS BUG Fix issue with invalid securityID being re-emitted on failure (Damian Mooyman)
  • 2014-08-18 920978d Add ClassInfo::table_for_object_field (Will Rossiter)
  • 2014-06-01 8fb5e9c New JS sprintf and inject replacement functions (colymba)
  • 2013-12-05 b273f3b Updated aspect proxy service (Marcus Nyeholt)
  • 2013-12-05 b8f4576 Use injector to create database class (Marcus Nyeholt)

Features and Enhancements
  • 2014-08-16 2b316e7 Provide a consistent way of triggering flush (Sean Harvey)
  • 2014-08-13 62f4fdb Sanitise task name in runTask (Kirk Mayo)

  • 2014-11-03 56142b8 sprintf missing on exception in SilverStripeNavigator (Sean Harvey)
  • 2014-10-30 392ddef Image resizing breaks when one of the resized image dimensions is between 0 and 1. Solution: Round up to 1 instead of down to 0. Converted php errors to exceptions in the process. (Jeremy Shipman)
  • 2014-10-23 d6e1c51 Prevent JSON response showing when re-opening closed tab (fixes silverstripe/silverstripe-cms#1121) (Loz Calver)
  • 2014-10-21 478edfa Upload: File versioning with existing files reinsert oldFilePath = relativeFilePath in while loop (Devlin)
  • 2014-10-20 49cb38d Fix static call to protected instance method (Damian Mooyman)
  • 2014-10-20 8310135 Broken links on dependent pages tab (micmania1)
  • 2014-10-17 20af30e GridFieldExportButton exporting only Paginated list when using ArrayList as source (Stephen McMahon)
  • 2014-10-15 570f261 Tag-less cache backends error on flush (Loz Calver)
  • 2014-10-14 793784e Fix flushing of SSViewer cache via testing (Damian Mooyman)
  • 2014-10-09 bad9aa1 i18n support in LookupField (Milan Jelicanin)
  • 2014-10-07 48eb0e6 Deliberately clear partial cache blocks on flush (fixes #1383) (Loz Calver)
  • 2014-10-01 776f697 Text::BigSummary() fails with undefined $data when $plain = false (Sean Harvey)
  • 2014-09-03 fe42abc CSSContentParser fails if CLI tidy doesn't output anything. (Sean Harvey)
  • 2014-09-03 56d84d2 MySQLDatabase performs queries on wrong DB connection when using connection $name != 'default' (Damian Mooyman)
  • 2014-08-26 cf456d6 use @param $colName in column call (Gabrijel Gavranović)
  • 2014-08-26 7993875 Sorting a DataQuery over a relation. (Will Rossiter)
  • 2014-08-22 8063b34 Fixing Director::test() failing on BASE_URL prefixed URLs (Sean Harvey)
  • 2014-08-20 61c6dee Fixing plural_name messing up singular words ending in "e" (#3251) (Sean Harvey)
  • 2014-08-15 79c7276 Reapply fix for cms crashing due to History.js blindly appending slashes to end of url (Damian Mooyman)
  • 2014-08-14 5f1552b Custom label set in summary_fields config gets overridden (Sean Harvey)
  • 2014-08-14 7c2eee1 Fix 'undefined index 0' (Damian Mooyman)
  • 2014-08-11 69de7e3 Fix incorrect parsing of HTML content (Damian Mooyman)
  • 2014-08-08 fbc7e7c Fix issue with generating tree data for missing pages (Damian Mooyman)
  • 2014-07-28 02265dc Correctly paddedResize images in IMagickBackend. FIX: Compression quality setting now takes effect. (Jeremy Shipman)
  • 2014-07-28 47cc157 Keep ImagickBackend API consistent with Image_Backend interface and fix color formatting. (Jeremy Shipman)
  • 2014-07-28 bf3ad56 Image_Backend -> croppedResize function doesn't include a backgroundColor, therefore this shouldn't be assumed in ImageMagick->croppedResize (Jeremy Shipman)
  • 2014-06-27 19e0d5e declarations matching PHPUnit_Framework_Assert (Michael Parkhill)
  • 2014-03-12 96d0874 Fix issue with inheritance of Injector service configuration (Damian Mooyman)
  • 2014-01-31 1661213 Opt-out of form message escaping (fixes #2796) (Ingo Schommer)

24 August 2014 - 75MB

API Changes
  • 2014-07-28 0e78e3f Let update interval of tinymce be changed or disabled (Damian Mooyman)
  • 2014-07-21 4453caf Let extensions control folder selector in HtmlEditorField_Toolbar (Damian Mooyman)
  • 2014-07-05 3c5e51a Debug::dump in CLI no longer generates HTML. Uses colours. API Column size is configurable in DebugView (Damian Mooyman)
  • 2014-05-22 ec325a3 Fix HTTPS proxy header detection (Ingo Schommer)

Features and Enhancements
  • 2014-08-13 5704ae2 Sanitise task name in runTask (Kirk Mayo)
  • 2014-07-28 482c23f Adding CMS sitetree filter to see the current 'live' site (Stig Lindqvist)
  • 2014-06-28 1d86fe4 allow force resampling on images (Stevie Mayhew)
  • 2014-07-28 ac95a87 Allow configuring Image backend via yaml. (Jeremy Shipman)

  • 2014-08-15 7e70b8d Reapply fix for cms crashing due to History.js blindly appending slashes to end of url (Damian Mooyman)
  • 2014-05-15 7277dc1 Fix sorting on main ReportAdmin grid ref: CWPBUG-133 (Damian Mooyman)
  • 2014-06-01 e535c35 New JS sprintf and inject replacement functions (colymba)
  • 2014-08-11 98907fb Fix incorrect parsing of HTML content (Damian Mooyman)
  • 2014-08-08 a369094 Fix issue with generating tree data for missing pages (Damian Mooyman)
  • 2014-08-06 53dbbb7 Fix CMSMain::getList to correctly respect filter result Fixes #1064 CMSSiteTreeFilter refactored to allow SS_List of filtered pages to be returned (Damian Mooyman)
  • 2014-08-06 1c48cb6 Fix search range for asset filter (Damian Mooyman)
  • 2014-06-27 f19b1ee declarations matching PHPUnit_Framework_Assert (Michael Parkhill)
  • 2014-08-04 b2dac64 Fixed escaping of name/value in options of form fields (Sean Harvey)
  • 2014-08-01 9281089 Return the promise instead of the whole deferred object. (Mateusz Uzdowski)
  • 2014-07-31 d8302a0 Add a synthetic event to workaround IE8 issues. (Mateusz Uzdowski)
  • 2014-07-30 31c9fb5 Fix the anchor selector to work for internal pages. (Mateusz Uzdowski)
  • 2014-07-29 baa2b69 Fixing incorrect error message on failed UploadField upload (Sean Harvey)
  • 2014-07-29 329dffd AssetUploadField hides "generic" file upload messages. (Sean Harvey)
  • 2014-07-28 62ed2d0 Fix periodic tinymce layout refresh (Damian Mooyman)
  • 2014-07-24 3eefd65 Narrowing site tree search to one date shows no pages (Stig Lindqvist)
  • 2014-07-20 333a2aa CMS tree filters don't count the correct number of children for deleted pages (Stig Lindqvist)
  • 2014-07-17 ac64d25 If user is logged out getHtmlEditorConfigForCMS() gets called on non object (Stig Lindqvist)
  • 2014-07-17 df6a8b6 #3282: Added ability to subselect with in left or inner join (Senorgeno)
  • 2014-07-14 b34aaca Fix several issues around onmatch/onunmatch entwines. (Mateusz Uzdowski)
  • 2014-07-03 c329f07 Fix incorrect common_languages config (Damian Mooyman)
  • 2014-07-01 d3c7e41 using isDev or isTest query string no longer triggers basic auth (Damian Mooyman)
  • 2014-07-01 a777266 ensure controller stack is updated when execution halted by an exception. (Will Rossiter)
  • 2014-06-28 2c741fe Add support for compositedbfield within many_many_extraFields (Will Rossiter)
  • 2014-06-16 3d71a22 ClassManifest errors if files contain duplicate class names (fixes #3210) (Loz Calver)
  • 2014-06-12 d516063 fix dependency injection stumbling over ViewableData's __isset (Damian Mooyman)
  • 2014-06-11 18b6870 Sanitise the PHP output. (Mateusz Uzdowski)
  • 2014-06-10 1e19485 Ensure that all child pages are deleted (regardless of ShowInMenu status) under enforce_strict_hierarchy. (Rodney Way)
  • 2014-05-30 b8d19ba Fix deleted pages redirecting the CMS Update behat tests for Mink 1.6 compatibility (Damian Mooyman)
  • 2014-05-22 f9e7d47 fix listview not working with IE9 (Igor)
  • 2014-05-20 4a34c36 Fix access to protected Session::current_session() Fixes #3144 (Damian Mooyman)
  • 2014-05-15 c24a2c2 ArrayList failing to respect the SS_Sortable interface ref: CWPBUG-133 (Damian Mooyman)
  • 2014-05-15 ee6e496 Fix grid field showing search without search component added ref: CWPBUG-133 (Damian Mooyman)
  • 2014-05-12 51c3346 Fix deprecated use of statics in test cases (Damian Mooyman)
  • 2014-05-10 d012b79 Prevent i18n clearing all SS_Caches (fixes #3122) (Loz Calver)
  • 2014-05-02 807755f TemplateManifest prevent cache collision (Will Morgan)

3.1.5 (security release)
13 May 2014 - 75MB

Security
  • 2014-04-16 bde16f0 Potential DoS exploit in TinyMCE - See announcement SS-2014-009
  • 2014-05-05 d9bc352 Injection / Filesystem vulnerability in generatesecuretoken - See announcement SS-2014-010
  • 2014-05-02 8e841cc Folder filename injection - See announcement SS-2014-011
  • 2014-05-05 df28ccb Upload fileexists vulnerability - See announcement SS-2014-013

API Changes
  • 2014-05-02 f9cb880 Error page support for Security controller errors (Damian Mooyman)
  • 2014-05-01 3162d0e Update ErrorPage to respect new HTTP Error codes (Damian Mooyman)
  • 2014-04-28 0285322 Ability to configure paging for assets / pages (Damian Mooyman)
  • 2014-04-22 d06d5c1 Injector supports nesting BUG Resolve issue with DirectorTest breaking RequestProcessor Injector::nest and Injector::unnest are introduced to better support sandboxing of testings. Injector and Config ::nest and ::unnest support chaining Test cases for both Injector::nest and Config::nest (Damian Mooyman)
  • 2014-04-17 a6017a0 HTTP 429 Allowed for use with rate limiting methods (Damian Mooyman)
  • 2014-04-11 892b440 Make default gridfield paging configurable Documentation improved (Damian Mooyman)
  • 2014-04-09 997077a Security.remember_username to disable login form autocompletion (Damian Mooyman)

Features and Enhancements
  • 2014-03-28 a502c9d Fixes #966. Ability to filter pages on page status. - New filters for statuses normally found through SiteTree::getStatusFlags(). - Refactored menu sorting. Now alphabetical, as it wasn't previously. (Russell Michell)
  • 2014-04-11 3765030 Filter by date created for files Added test cases Do not merge before (Damian Mooyman)

  • 2014-05-05 c5d5d10 Behat now uses explicit radio button behaviour (Damian Mooyman)
  • 2014-05-01 bd5abb6 parent::init is not called first (Michael Parkhill)
  • 2014-05-01 4fd3015 corrected link to CMS Alternating Button Page (James Pluck)
  • 2014-04-29 8673b11 Fix ImageTest Image test would erroneously reset the Image::$backend to null if the test was skipped, breaking subsequent test cases (Damian Mooyman)
  • 2014-04-29 89fbae2 Fix encoding of SiteTree.MetaTags (Damian Mooyman)
  • 2014-04-25 ff5f607 Docs for DataList::filter() (Daniel Hensby)
  • 2014-04-24 5e9ae57 Fix edge case IE8 / dev / ssl / download file crash Prevents issue at appearing on dev (Damian Mooyman)
  • 2014-04-17 bec8927 Allow PHPUnit installation with composer / Fix travis (Will Morgan)
  • 2014-04-16 396fd9a Broken file link tracking (fixes #996) (Loz Calver)
  • 2014-04-14 0b4f62d Fix jstree when duplicating subtrees (Damian Mooyman)
  • 2014-04-11 a261f22 Delete Character \x01 (Stevie Mayhew)
  • 2014-04-09 91034d1 HTMLText whitelist considers text nodes Minor improvement to #2853. If a list of whitelisted elements are specified, text nodes no longer evade the whitelist (Damian Mooyman)
  • 2014-04-09 a3c8a59 Fix data query not always joining necessary tables Fixes #2846 (Damian Mooyman)
  • 2014-04-08 a060784 - missing link url for composer (camfindlay)
  • 2014-04-07 3204ab5 Fix orphaned pages reporting they can be viewed (Damian Mooyman)
  • 2014-04-01 84d8022 Fix Date and SS_DateTime::FormatFromSettings This issue is caused by the odd default behaviour of Zend_Date, which attempts to parse yyyy-mm-dd format date and times as though they were yyyy-dd-mm. (Damian Mooyman)
  • 2014-03-12 b4a1aa4 Fixes #965. Allow user date-settings to show on GridField Page admin (Russell Michell)
  • 2014-03-04 ae573f8 Fix Versioned stage not persisting in Session. Fixes #962 BUG Disabled disruptive test case in DirectorTest API RequestProcessor and VersionedRequestFilter now both correctly implement RequestFilter Better PHPDoc on RequestFilter and implementations (Damian Mooyman)
  • 2013-06-20 f2c4a62 ConfirmedPasswordField used to expose existing hash (Hamish Friedlander)

3.1.4 (security release)
8 April 2014 - 75MB

Security
  • Fix issue with versioned dataobjects being cached between stages - See announcement SS-2014-007
  • Fix encoding of JS redirection script - See announcement SS-2014-006
  • Amends solution to SS-2014-006
  • Prevent SQLi when no URL filters are applied - See announcement SS-2014-004
  • Do not allow arbitrary class creation in CMS - See announcement SS-2014-005

  • Versioned::augmentSQL() when the data query was null.
  • UploadField validation error and styles
  • Overriding of theme templates in project folder
  • Ensure TreeMultiSelectField doesn't populate menus with "unchanged".
  • #2503 Fixes performReadonlyTransformation for OptionSetField
  • Rewrite Member getCMSFields to ensure updateCMSFields is only run once
  • Ensure valid CSS classes for GridField header
  • Fix case where setFolder('/') would break UploadField::fileexists
  • Prevent unnecessary reconstruction of ClassName field after default records are generated
  • Fix DataObject::loadLazyFields discarding original query parameters
  • Upload: retrieve existing File if an object without an ID is given and replaceFile=true
  • Fix Date and SS_DateTime::FormatFromSettings

  • Add support for many_many_extraField in YAML
  • Allow vetoing forgot password requests

  • Rewrote usages of error suppression operator

3.1.3 (security release)
2 March 2014 - 75MB

Overview
  • Security: Require ADMIN for ?flush=1&isDev=1 (SS-2014-001)
  • Security: XSS in third party library (SWFUpload) (SS-2014-002)
  • Security: SiteTree.ExtraMeta allows JavaScript for malicious CMS authors (SS-2014-003)
  • Better loading performance when using multiple UploadField instances
  • Option for force_js_to_bottom on Requirements class (ignoring inline 'script' tags)
  • Added ListDecorator->filterByCallback() for more sophisticated filtering
  • New DataList filters: LessThanOrEqualFilter and GreaterThanOrEqualFilter
  • "Cancel" button on "Add Page" form
  • Better code hinting on magic properties (for IDE autocompletion)
  • Increased Behat test coverage (editing HTML content, managing page permissions)
  • Support for PHPUnit 3.8

12 November 2013 - 75MB

Overview
  • Default current Versioned "stage" to "Live" rather than "Stage"
  • UploadField marks CMS forms as changed
  • Treedropdownfield shows search by default
  • Disable discontinued Google Spellcheck in TinyMCE, default to browser spellcheck
  • CMS switches to correct tab on validation errors
  • CMS tree scrolls to selected node automatically
  • New translations: Te Reo/Maori, Arabic, Chinese/Mandarin

7 October 2013 - 75MB

Overview
  • Fixed regression with "Reports" section links
  • Complete translations into Chinese, Japanese and partially complete Te Reo Māori

  • 4a0f9d5 Issue with login form failing to login in certain situations. Fixes issue #2424 (Damian Mooyman)
  • fb9d7a5 ReportAdmin report links regression (Ingo Schommer)
  • 5c376a4 Without casting TreeTitle as HTMLText, unescaped HTML appears in TreeDropdownField (unclecheese)

3.1.0 (major version)
1 October 2013 - 75MB

CMS
  • "Split view" editing with side-by-side preview of the edited website
  • Resizing of preview to common screen widths ("desktop", "tablet" and "smartphone")
  • Decluttered "Edit Page" buttons by moving minor actions into a "more options" panel
  • Auto-detect CMS changes and highlight the save button to better inform the user
  • New context action "Show children as list" on tree for better management on large sites
  • CMS form fields now support help text through setDescription(), both inline and as tooltips
  • Removed SiteTree "MetaTitle" and "MetaKeywords" fields
  • More legible and simplified tab and menu styling in the CMS
  • Dropped support for Internet Explorer 7
  • Added support for Internet Explorer 10 (in "classic"/desktop mode)

  • Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
  • Static properties are immutable and private, you must use Config API
  • Statics in custom Page classes need to be "private"
  • $default_cast is now Text instead of HTMLText, to secure templates from XSS by default
  • Shortcodes are no longer supported in template files (still works in DB fields and through HTMLText casting)
  • DataList and ArrayList are now immutable, they'll return cloned instances on modification
  • Removed legacy table APIs (e.g. TableListField), use GridField instead
  • Deny URL access if Controller::$allowed_actions is undefined
  • Removed support for "*" rules in Controller::$allowed_actions
  • Removed support for overriding rules on parent classes through Controller::$allowed_actions
  • RestfulService verifies SSL peers by default
  • UploadField functions on new records
  • Editing of relation table data ($many_many_extraFields) in GridField
  • Optional integration with ImageMagick as a new image manipulation backend
  • Support for PHP 5.4's built-in webserver
  • Support for Composer dependency manager (also works with 3.0)
  • Added support for filtering incoming HTML from TinyMCE (disabled by default, see security)
  • Behaviour testing support through Behat, with CMS test coverage (see the SilverStripe Behat Extension for details)
