symfony 1.3.2 and 1.4.2

We have just released the latest stable versions of symfony: 1.3.2 and 1.4.2. These releases include numerous bug fixes and one security fix. The bundled version of Propel has also been updated to version 1.4.1. We recommend all 1.3.x and 1.4.x projects upgrade to these latest releases immediately.

The security fix

A cross-site scripting (XSS) vulnerability was discovered in the form framework's widget classes that render collections of radio buttons or checkboxes and their labels. This hole has been closed.
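The class of bug described above is a label reaching the page verbatim. The following is an added illustration, not symfony's own widget code: a minimal checkbox-list renderer in the spirit of the form framework's choice widgets, once without escaping and once with every interpolated value escaped for an HTML context. The function names, the `escapeOnce` helper and the sample choices are all assumptions constructed for this example.

```php
<?php
// Added example (not symfony's code): why choice labels must be escaped.

// Escape for an HTML body or attribute context. ENT_QUOTES also escapes
// single quotes so the same helper is safe inside attribute values; the
// last argument (double_encode = false) leaves existing entities alone.
function escapeOnce(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// Vulnerable variant: name, value, id and label are concatenated into the
// markup as-is. A label that carries markup becomes live HTML.
function renderChoicesUnescaped(string $name, array $choices, array $checked = []): string
{
    $html = "<ul class=\"checkbox_list\">\n";
    foreach ($choices as $value => $label) {
        $id = $name . '_' . $value;
        $checkedAttr = in_array((string) $value, $checked, true) ? ' checked="checked"' : '';
        $html .= sprintf(
            "  <li><input type=\"checkbox\" name=\"%s[]\" value=\"%s\" id=\"%s\"%s /> <label for=\"%s\">%s</label></li>\n",
            $name, $value, $id, $checkedAttr, $id, $label
        );
    }
    return $html . "</ul>\n";
}

// Hardened variant: every dynamic fragment passes through escapeOnce()
// before it is placed into the template, so markup in a label (or in a
// choice value) is rendered as text rather than interpreted.
function renderChoicesEscaped(string $name, array $choices, array $checked = []): string
{
    $html = "<ul class=\"checkbox_list\">\n";
    foreach ($choices as $value => $label) {
        $id = $name . '_' . $value;
        $checkedAttr = in_array((string) $value, $checked, true) ? ' checked="checked"' : '';
        $html .= sprintf(
            "  <li><input type=\"checkbox\" name=\"%s[]\" value=\"%s\" id=\"%s\"%s /> <label for=\"%s\">%s</label></li>\n",
            escapeOnce($name), escapeOnce((string) $value), escapeOnce($id),
            $checkedAttr, escapeOnce($id), escapeOnce($label)
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample input: one label contains markup and an ampersand,
// as it might if the choice text originated from user-editable data.
$choices = [
    'news'  => 'Newsletter',
    'promo' => 'Promotions <b>50% off</b> & more',
];

echo renderChoicesUnescaped('subscriptions', $choices, ['news']);
// the <b> element is emitted verbatim and interpreted by the browser
echo renderChoicesEscaped('subscriptions', $choices, ['news']);
// the label is emitted as "Promotions &lt;b&gt;50% off&lt;/b&gt; &amp; more"
```

Escaping at the widget boundary is the right default because the widget cannot know where a label came from; a label that legitimately needs markup is better served by an explicit per-widget opt-out than by disabling escaping for all labels.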

Bug fixes

We were able to address a number of bugs that have been reported in the 2+ months since 1.3.0 and 1.4.0 were first released. Some highlights from the changelog include:

  • fixed enabling of local csrf protection when disabled globally
  • fixed submission of disabled form fields by browser
  • fixed double escaping of partial vars
  • updated doctrine and propel forms to allow setting of defaults on numeric fields from within configure
  • fixed form filtering by 0 on a number column
  • fixed doctrine pager iteration
  • fixed sfValidatorDoctrineChoice in cloned forms
  • fixed empty class attributes in WDT markup
  • updated web debug javascript to work when the dom includes an svg element
  • fixed sfDomCssSelector requiring quotes for matching attribute values when they should be optional
  • fixed sfWidgetFormSchema::setPositions() accepting duplicate positions
  • turned off xdebug_logging by default as it can make the dev env very very slow
  • added the module name when including a partial in the admin generator

How to upgrade

If you've checked out a copy of a tag from Subversion, switch to the latest.

// symfony 1.3
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_2

// symfony 1.4
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_2

Once that's complete, rebuild your model files and clear your cache.

// doctrine
$ php symfony doctrine:build --all-classes

// propel
$ php symfony propel:build --all-classes

$ php symfony cache:clear

Enjoy the fresh code!

If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Comments

How do I upgrade a project (in this case a work in progress of the jobbet tutorial) to 1.4.2 using the ZIP package?
How can I find what tickets those bugfixes close?

I actually would like to understand better some of those issues that seem to have happened in my project...
You overwrite the contents of your current symfony folder with those of the zip file, then follow the instructions regarding rebuilding model files and clearing your cache.
Thanks for the bugfixes!

Regards,
Michał
@petersaints : I'm currently upgrading the jobeet tutorial to fit the new symfony 1.4 code ;)
Thanks for the fixes, RAPHAEL.
@stormsson: http://trac.symfony-project.org/query?group=resolution&milestone=1.4.2&order=priority
The XSS fix is problematic if you want your labels to contain HTML code (links for example). Seems that there is no possibility to switch off escaping in special cases when you are sure that the labels are static and not set from user's input.

The only solution is to use a custom formatter that subsequently removes the escaping.

I will write a feature request on trac.
Thank you so much for turning off xdebug_logging by default! Pages in my dev env are now typically processing in 150ms compared to 500ms (1.4.1)! So it's now 70% faster, which means I get things done 70% quicker - great job!
CSS selector seems to have been broken slightly. This selector no longer finds an (existing) element:

input[value="0"]

However, changing the selector to this works:

input[value=0]
