1.2.13 (2015-11-23)

Overview of merged pull requests

[SECURITY] Escape flash message arguments in controllers

The module controllers used unescaped content in flash messages, leading to potential XSS issues.

[SECURITY] Fix XSS in TypoScript exception handlers

In exception output, some information from the request is echoed unchanged and unescaped, so that injection of JS is possible. One example is calling the registration plugin and adjusting the action parameter.

[SECURITY] Use double encoding in HtmlAugmenter

When entering HTML tags into text elements (using Aloha), the tags were correctly escaped by Neos. Still the tags would be in the DOM as “real” tags when switching to a preview mode in the backend.

This is caused by VIE and is resolved by double-encoding when using htmlspecialchars() on the attribute values used to pass data to VIE.
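As an added illustration (not code from the Neos project), the following models why a single round of htmlspecialchars() was not enough here. It assumes a two-step pipeline: the browser's HTML parser decodes the data attribute once, and VIE then inserts the decoded value into the DOM as markup; the entity decoder is a simplified stand-in for the real parser.

```javascript
// Added example, not Neos code. Models the HtmlAugmenter double-encoding fix.
// Assumption: attribute value is decoded once by the HTML parser, then VIE
// inserts that decoded string into the page as HTML.

// Escapes the same characters as PHP's htmlspecialchars() with ENT_QUOTES.
function htmlspecialchars(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#039;');
}

// Step 1: the HTML parser decodes an attribute value exactly once.
// Simplified decoder covering only the entities produced above.
function decodeAttribute(s) {
  return s.replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"')
          .replace(/&#039;/g, "'")
          .replace(/&amp;/g, '&'); // last, so "&amp;lt;" yields "&lt;", not "<"
}

// Builds the data attribute value with the given number of escaping rounds.
function buildAttribute(value, rounds) {
  let v = value;
  for (let i = 0; i < rounds; i++) v = htmlspecialchars(v);
  return v;
}

// Step 2: what VIE ends up inserting as markup after the parser's single decode.
function whatVieInserts(value, rounds) {
  return decodeAttribute(buildAttribute(value, rounds));
}

// True if the inserted string still contains markup the parser would treat as a tag.
function containsLiveTag(markup) {
  return /<[a-zA-Z/]/.test(markup);
}

// Constructed sample: an editor typed a literal tag into a text element in Aloha.
const typed = 'Hello <b>world</b>';
```

With one round, whatVieInserts(typed, 1) returns the raw tag and it becomes a live element in preview mode; with two rounds it returns the escaped text, which renders literally.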

[BUGFIX] Use correct node for content collection metadata

Content collection handles are not shown, since the metadata added uses the document node instead of the actual node.

Regression introduced with 4672697b9477ceca53ee7b4e47c4def002e50e32 causing the node not to be set correctly for the contentElementWrapping processor.

[TASK] Improve logging for “no homepage found” situations

When the Node Route Part Handler wasn’t able to find a site node, the exception now contains information about whether at least a domain could be detected and, if so, which one matched.

Additionally, matchValue() will now also log an exception if the request path was empty (that is, the user requested the homepage) and not only for sub pages.

  • Packages: Neos

[BUGFIX] if in backend, do not intercept links to static resources

Prevents loading links to static resources using AJAX in the backend interface, which fail when loaded.

  • Packages: Neos

[BUGFIX] Keep status code from module response on redirect

The response of a module loses the status code if it contains a Location header. This is caused by the ModuleController redirecting to the found location but ignoring any status code that may have been set. This means that a module will only create 303 redirects.

This change takes the status code of a module response and applies it to the generated redirect, fixing this behavior.

  • Packages: Neos

[TASK] Add apigen.yml

This adds an apigen.yml file for use when generating API docs.

  • Packages: Neos