--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-d...@googlegroups.com.
To post to this group, send email to silverst...@googlegroups.com.
Visit this group at http://groups.google.com/group/silverstripe-dev?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Hi Sam,
Anything to increase security is a good idea from my point of view. However, with ss 3.1 in beta2, it seems a bit late to introduce it. As a dev I wouldn't expect a change like that to come in between a beta and rc/launch. However, I am biased as I'm currently about to launch a site running 3.1 beta...
However, I am interested in how you feel the system can currently be exploited, as I've always been under the impression that almost all content was cast, and I know as a dev that if it isn't, I need to make it safe, just like I had to with DO::get.
Lastly, if this change would require all templates / snippets that are parsed as HTML text to be valid markup (matching opening and closing tags), then I don't think it's a good idea; this is a current issue with 3.1. It is my opinion that the framework should not be enforcing 'correct' HTML, especially not on fragments of HTML.
Dan
I agree it's a good change, but my feeling is to leave it for 3.2. We've already stretched the definition of "beta" by introducing some API changes in beta2. The more late-stage API changes we do, the less early adopters trust our release labelling, which eventually will lead to a slower adoption of pre-releases (and less community validation).
This change makes an upgrade from beta2 very time intensive and error prone. Every public method on controllers or models, every "renderWith()/customise()" or "return array(…)" invocation will need to be reviewed manually if it's assumed to contain HTML, by looking closely at its template usage. We should make the documentation for 3.0 and 3.1 clearer though.
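Both messages turn on what "cast" means for a value a template pulls from a controller or model. The example below is added here; it is not code from the thread or from SilverStripe itself. It assumes the SilverStripe 3.x API as shipped at the time (`private static $casting`, `Convert::raw2xml()`, `DBField::create_field()`, `ContentController`), and the `Page_Controller` class, the `name` query parameter and the commented template lines are hypothetical. It shows the three cases a reviewer has to distinguish when going through public methods method by method: a value declared `Text` (escaped on output), a value declared `HTMLText` (trusted, output raw, so anything untrusted inside it must be escaped by hand), and a value with no casting declared at all, which inherits whatever the framework default is.

```php
<?php
// Added example (not from the thread or the framework): a SilverStripe 3.x
// style controller showing how $casting decides whether a public method's
// return value is escaped when a template prints it.
//
// Assumed template usage (hypothetical Page.ss):
//   $Greeting           cast as Text: XML-escaped on output
//   $Teaser             cast as HTMLText: trusted, output raw
//   $UncastGreeting     not in $casting: falls back to the framework default
//   $UncastGreeting.XML explicit escape in the template, whatever the cast

class Page_Controller extends ContentController {

    private static $allowed_actions = array('index');

    // Declare a type for every public method a template will call. Anything
    // missing from this list is what an upgrade review has to hunt down.
    private static $casting = array(
        'Greeting' => 'Text',
        'Teaser'   => 'HTMLText',
    );

    // Untrusted input. The Text cast makes $Greeting escape it on output.
    public function Greeting() {
        return 'Hello, ' . $this->getRequest()->getVar('name');
    }

    // Markup we build ourselves. Only the untrusted part is escaped, before
    // it is wrapped; the HTMLText cast tells the template not to escape the
    // result a second time. The fragment is kept balanced deliberately.
    public function Teaser() {
        $safeName = Convert::raw2xml($this->getRequest()->getVar('name'));
        return '<p class="teaser">Welcome back, <strong>' . $safeName . '</strong></p>';
    }

    // Same untrusted data, no casting declared. How $UncastGreeting renders
    // depends on the framework default rather than on anything in this file,
    // so its template usage has to be inspected rather than assumed safe.
    public function UncastGreeting() {
        return 'Hello, ' . $this->getRequest()->getVar('name');
    }

    // Returning an already cast object bypasses the $casting lookup, which
    // is handy for values assembled in helpers shared by several templates.
    public function CastGreeting() {
        return DBField::create_field('Text', 'Hello, ' . $this->getRequest()->getVar('name'));
    }
}
```

When reviewing a method like `UncastGreeting()` before an upgrade, the fix is one of the two patterns above: add it to `$casting` with the type that matches what the template expects, or return a `DBField` of the right type. If the template needs the value as plain text, `$UncastGreeting.XML` is the belt-and-braces form that escapes regardless of how casting ends up being resolved.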