We have just released the latest stable versions of symfony: 1.3.2 and 1.4.2. These releases include numerous bug fixes and one security fix. The bundled version of Propel has also been updated to version 1.4.1. We recommend all 1.3.x and 1.4.x projects upgrade to these latest releases immediately.
The security fix
A cross-site scripting (XSS) vulnerability was discovered in the form framework's widget classes that render collections of radio buttons or checkboxes and their labels. This hole has been closed.
We were able to address a number of bugs that have been reported in the 2+ months since 1.3.0 and 1.4.0 were first released. Some highlights from the changelog include:
- fixed enabling of local csrf protection when disabled globally
- fixed submission of disable form fields by browser
- fixed double escaping of partial vars
- updated doctrine and propel forms to allow setting of defaults on numeric fields from within configure
- fixed form filtering by 0 on a number column
- fixed doctrine pager iteration
- fixed sfValidatorDoctrineChoice in cloned forms
- fixed empty class attributes in WDT markup
- fixed sfDomCssSelector requires quotes for matching attribute values when they should be optional
- fixed sfWidgetFormSchema::setPositions() which accepts duplication positions
- turned off xdebug_logging by default as it can make the dev env very very slow
- added the module name when including a partial in the admin generator
How to upgrade
If you've checked out a copy of the a tag from Subversion, switch to the latest.
// symfony 1.3 $ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_2 // symfony 1.4 $ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_2
Once that's complete, rebuild your model files and clear your cache.
// doctrine $ php symfony doctrine:build --all-classes // propel $ php symfony propel:build --all-classes $ php symfony cache:clear
Enjoy the fresh code!