This guide contains instructions to upgrade from version v7.0.0 to v7.0.1.
Before you start, don't forget to take a look at general instructions about upgrading. There you can find links to upgrade notes for other versions too.
- escape the values of replacements passed as the sixth argument of the `MessageData` constructor to prevent HTML injection (#1120)
    - all values passed to the `$variablesReplacementsForBody` argument in `MessageData::__construct()` should either be trusted (such as URLs generated by the `Router` or HTML content the application produced itself) or escaped via `htmlspecialchars($value, ENT_QUOTES)`
    - check the calls of `new MessageData(...)` in your project's repository and these methods, which your project may have overridden:
        - `\Shopsys\FrameworkBundle\Model\Customer\Mail\RegistrationMail::getVariablesReplacements()`
        - `\Shopsys\FrameworkBundle\Model\Customer\Mail\ResetPasswordMail::getBodyValuesIndexedByVariableName()`
        - `\Shopsys\FrameworkBundle\Model\Order\Mail\OrderMail::getVariablesReplacementsForBody()`
        - `\Shopsys\FrameworkBundle\Model\PersonalData\Mail\PersonalDataAccessMail::getBodyValuesIndexedByVariableName()`
        - `\Shopsys\FrameworkBundle\Model\PersonalData\Mail\PersonalDataExportMail::getBodyValuesIndexedByVariableName()`
    - if you haven't extended any of these methods and haven't called `new MessageData(...)` in your code, the upgrade alone protects you
    - if you have customized e-mailing on your project (e.g. by implementing your own Twig templates for mail content), check your code to avoid double escaping (e.g. execute `htmlspecialchars_decode($value, ENT_QUOTES)` before passing the variables replacements to your implementation, and let the template escape once)
- do not update `symfony/monolog-bundle` to version `3.4.0` or higher (#1148), or fix the bundle configuration, see #1154
    - in `app/config/packages/dev/monolog.yml`:
        ```diff
        monolog:
            handlers:
                main:
                    # change "fingers_crossed" handler to "group" that works as a passthrough to "nested"
                    type: group
                    members: [ nested ]
        +           excluded_404s: false
        ```
    - in `app/config/packages/test/monolog.yml`:
        ```diff
        monolog:
            handlers:
                main:
                    type: "null"
        +           excluded_404s: false
        ```
- in
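The following is an added worked example for the `MessageData` escaping item above; it is written for this page and is not Shopsys code. It models the path from a customer-supplied value to the HTML mail body with plain string substitution, so the injection and the fix can be reproduced in isolation without the framework. The `{placeholder}` syntax, the helper names (`renderMailBody`, `buildBodyReplacements`, `decodeForAutoescapingTemplate`, `containsRawScriptTag`) and the sample customer name and URL are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Shopsys code. Placeholder syntax, helper names and the
// sample data are assumptions; the escaping calls are the ones the upgrade
// note prescribes.

/** Substitutes {name} tokens in a body template; escapes nothing itself. */
function renderMailBody(string $template, array $replacements): string
{
    $tokens = [];
    foreach ($replacements as $name => $value) {
        $tokens['{' . $name . '}'] = (string) $value;
    }

    return strtr($template, $tokens);
}

/**
 * Builds the array handed to the $variablesReplacementsForBody argument.
 * $untrusted holds user-controlled values (names, addresses, notes) and is
 * escaped once with ENT_QUOTES so quotes inside attributes are covered too;
 * $trusted holds values that must stay raw (Router-generated URLs, HTML
 * fragments the application produced itself).
 */
function buildBodyReplacements(array $untrusted, array $trusted): array
{
    $replacements = [];
    foreach ($untrusted as $name => $value) {
        $replacements[$name] = htmlspecialchars((string) $value, ENT_QUOTES);
    }
    foreach ($trusted as $name => $value) {
        if (array_key_exists($name, $replacements)) {
            throw new InvalidArgumentException("Replacement '$name' listed as both trusted and untrusted");
        }
        $replacements[$name] = (string) $value;
    }

    return $replacements;
}

/**
 * For projects that render the body with their own Twig template that has
 * autoescape enabled: undo the one level of escaping applied above, otherwise
 * the template escapes again and the customer sees "&amp;lt;" in the mail.
 */
function decodeForAutoescapingTemplate(array $replacements): array
{
    return array_map(
        static function ($value): string {
            return htmlspecialchars_decode((string) $value, ENT_QUOTES);
        },
        $replacements
    );
}

/** Crude detector, used only to show the difference between the two bodies. */
function containsRawScriptTag(string $body): bool
{
    return stripos($body, '<script') !== false;
}

// Constructed sample input: a registration where the customer typed markup
// into the name field, plus a URL in the form the Router would generate.
$customerName = '<script>alert("registered")</script> O\'Brien & Sons';
$loginUrl = 'https://shop.example/login?ref=mail&uid=42';

$template = '<p>Hello {customer_name}, log in at <a href="{login_url}">{login_url}</a>.</p>';

// Before the fix: the raw value reaches the body and the script tag survives.
$vulnerableBody = renderMailBody($template, [
    'customer_name' => $customerName,
    'login_url' => $loginUrl,
]);

// After the fix: the name is escaped once, the URL is passed through untouched.
$safeReplacements = buildBodyReplacements(
    ['customer_name' => $customerName],
    ['login_url' => $loginUrl]
);
$safeBody = renderMailBody($template, $safeReplacements);

// Round trip for a project that feeds the values into an autoescaping template:
// decoding restores the original so that the template escapes exactly once.
$decoded = decodeForAutoescapingTemplate($safeReplacements);

var_dump(containsRawScriptTag($vulnerableBody));
var_dump(containsRawScriptTag($safeBody));
var_dump($decoded['customer_name'] === $customerName);
echo $safeBody, PHP_EOL;
```

Two caveats when applying this in a project: `htmlspecialchars()` without `ENT_SUBSTITUTE` returns an empty string for a value that is not valid UTF-8, so a malformed customer name silently disappears from the mail rather than being escaped; and the decode step only belongs in front of a template that escapes on its own, since decoding and then rendering with a non-escaping template reintroduces the injection.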