Silverstripe CMS 5.4.0 introduces important security updates, along with some exciting developer-focused features that enhance flexibility and streamline workflows.
CMS 5.4.0 marks the final feature release for CMS 5, though it will still be covered by various levels of support for some time. View the support timeline to learn more. Going forward, all new features will be targeted at CMS 6 instead.
Improved security with sudo mode
Security is always a top priority, and Silverstripe CMS 5.4.0 brings an important enhancement to sudo mode for sensitive data. When users try to edit sensitive information like member data or permissions, they will now be prompted to enter their password for added security. This extra layer of authentication helps prevent unauthorized access or accidental changes, especially in cases where a user’s computer is left unattended. While viewing sensitive data remains unrestricted, editing now requires explicit confirmation.
Logged warning for unconfigured allowed hosts
Silverstripe CMS 5.4.0 introduces a new logged warning if your site has not configured the SS_ALLOWED_HOSTS environment variable or the AllowedHostsMiddleware.AllowedHosts property. Setting one of these is critical for preventing host header injection attacks: the Host header is supplied by the client, and without an allowlist anything an attacker puts in it is trusted wherever the CMS uses the request host to build absolute URLs, such as password reset links. Configuring these settings ensures that Silverstripe CMS validates the host header of every request against the hosts you actually serve, adding a further layer of protection against this class of attack.
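To make the check concrete, the following is an added example and not Silverstripe's own code: it shows the kind of validation an allowlist enables, written in Python rather than PHP so it can run stand-alone. The allowlist value, the request headers and the reset-link path are constructed for the example, and rejecting an unknown host with a 400 response is this example's choice rather than a statement about what the Silverstripe middleware returns.

```python
import re

# Constructed allowlist, in the same comma-separated shape as an
# SS_ALLOWED_HOSTS value. Not taken from any real deployment.
ALLOWED_HOSTS = "www.example.com,example.com"

# Host header grammar: a registered name or a bracketed IPv6 literal,
# optionally followed by ":port". Anything else (userinfo, paths, spaces)
# is malformed and rejected outright rather than "cleaned up".
_HOST_RE = re.compile(
    r"(?:\[(?P<ipv6>[0-9A-Fa-f:.]+)\]|(?P<name>[A-Za-z0-9.-]+))"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def _normalise(hostname):
    # Hostnames are case-insensitive, and "example.com." is the same DNS
    # name as "example.com"; normalising both sides closes those bypasses.
    return hostname.strip().lower().rstrip(".")


def parse_allowed_hosts(value):
    """Turn a comma-separated allowlist into a set of normalised hostnames."""
    return {_normalise(h) for h in value.split(",") if h.strip()}


def host_is_allowed(host_header, allowed_hosts):
    """Return True only if the Host header names a host in the allowlist."""
    if host_header is None:
        return False
    match = _HOST_RE.fullmatch(host_header.strip())
    if match is None:
        return False
    port = match.group("port")
    if port is not None and int(port) > 65535:
        return False
    hostname = match.group("ipv6") or match.group("name")
    return _normalise(hostname) in allowed_hosts


def handle_request(headers, path, allowed_hosts):
    """Simulate a middleware in front of a handler that builds an absolute URL.

    Returns (status, body). A request whose Host is not allowlisted is
    stopped here, so the untrusted host never reaches URL generation.
    """
    host = headers.get("Host")
    if not host_is_allowed(host, allowed_hosts):
        return 400, "Invalid Host header"
    # Only a validated host is ever used to build an absolute link.
    return 200, "https://%s%s" % (host.strip(), path)


if __name__ == "__main__":
    allowed = parse_allowed_hosts(ALLOWED_HOSTS)
    # Constructed requests: one legitimate, one with an attacker-chosen Host.
    for headers in ({"Host": "www.example.com"}, {"Host": "attacker.example"}):
        print(headers["Host"], "->", handle_request(headers, "/reset?token=abc", allowed))
```

The allowlist comparison is deliberately exact: a hostname that merely contains an allowed host (such as www.example.com.attacker.example) does not match, and malformed values fail closed instead of being partially parsed.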
Enhanced oEmbed sandboxing
In response to security concerns, Silverstripe CMS 5.4.0 improves oEmbed sandboxing by automatically embedding third-party content in a sandboxed iframe. This approach mitigates potential security risks associated with embedded content. Developers can now exclude specific domains (e.g., YouTube) from sandboxing if needed, and also customize iframe attributes like allowing fullscreen for video embeds. This enhancement adds an extra layer of protection while still enabling rich media content.
New XssSanitiser class
A new XssSanitiser class has been introduced in Silverstripe CMS 5.4.0 to help mitigate XSS vulnerabilities. This class is useful in scenarios where you allow user-generated HTML (e.g., in WYSIWYG editors) but want to sanitize potentially dangerous content. While not a complete solution, it provides an additional tool for developers to safeguard their sites against XSS attacks.
Improved performance with ClassName column change
For websites with large databases, the ClassName column in the database schema can cause performance issues during dev/build. Silverstripe CMS 5.4.0 introduces an option to change the ClassName column from an enum type to a varchar type. With an enum, every new subclass means a new permitted value, which has to be added to the column definition with an ALTER TABLE query that rewrites the whole table; a varchar column accepts any class name without being redefined, so those expensive queries are no longer needed and dev/build runs significantly faster. The trade-off is an increase in database size, since each row stores the class name as a string rather than an enum index.
More features
This release includes a range of developer-focused improvements, such as the new class_description configuration for DataObject subclasses, providing better context and clarity for complex data models. There is also more flexible form scaffolding, which allows developers to customise form field generation more easily based on project needs. Other notable updates include the addition of BaseKernel::getBooted() for checking kernel boot status, and new array manipulation methods insertBefore() and insertAfter() in ArrayLib. Additionally, the error logging system has been refined to improve handling of uncaught exceptions in live environments, ensuring more reliable error tracking.
Bug fixes and minor improvements
Alongside these exciting features, Silverstripe CMS 5.4.0 also includes various bug fixes and stability improvements. These updates address minor issues with content block reordering, image handling, and accessibility enhancements, ensuring a smoother experience for both developers and content editors.
Keen to get your upgrade underway?
Talk to your Digital Agency or Developer about upgrading
Haven’t got a Developer or Agency? No problem! Browse the Silverstripe CMS Developer Network and filter by location to find a Silverstripe CMS Developer near you.
Or reach out to Silverstripe directly to upgrade your project.
Developers, check out our documentation
This release announcement does not cover the full details of what is included in the release. Be sure to review the full changelog before planning your next site upgrade.