Thanks @brendo, this is great news.

There is one thing that I don't really understand: how XSRF tokens are supposed to work. Maybe you can explain? I am especially worried about the following scenario: assume that I want to create an API (page) which allows a second system to POST entry data to Symphony. In 2.3 I could simply add a "native" event to my API page (and some ACL, of course). Will this not be possible anymore?

Yep, the XSRF implementation is the most breaking of all changes and as it currently stands, I will be reverting the Frontend protection so it can be provided by an extension (Can of Spam or XSS Filter are candidates at the moment).

It violates one of Symphony's core goals, which is never to assume anything on the Frontend. The current implementation in 2.4 RC1 will prevent your API from working. Less than ideal. This will be resolved in RC2 (to be released on the weekend).
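To make the exchange above concrete, here is an added example (not Symphony code, not from any of the posters) of the mechanism behind an XSRF token check and why a blanket Frontend requirement breaks a machine-to-machine POST. The token derivation, the `xsrf_protected` page flag, and the request shape are all illustrative assumptions; a real implementation would typically store a random per-session token server-side instead of deriving it, but the check is the same.

```python
"""Added example: a minimal anti-CSRF (XSRF) token check and a per-page opt-out.

Not Symphony's code. SERVER_SECRET, the page/request dicts and the
'xsrf_protected' flag are assumptions made for the illustration.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Hypothetical server-side secret. In a real deployment load it from
# configuration; never hard-code it as done here for the example.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def issue_token(session_id: str) -> str:
    """Derive a token bound to the visitor's session: HMAC(secret, session_id).

    The browser receives it in a hidden form field. A page on another origin
    cannot read it (same-origin policy), so a forged cross-site POST lacks it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not session_id or not presented:
        return False
    expected = issue_token(session_id)
    # compare_digest avoids leaking the token byte by byte through timing.
    return hmac.compare_digest(expected, presented)


def handle_post(page: dict, request: dict) -> Tuple[int, str]:
    """Simulate a Frontend page receiving a POST and deciding whether to run its event.

    page:    {"path": "/api/entries", "xsrf_protected": True}
    request: {"session_id": "abc", "form": {"xsrf": "...", "title": "..."}}
    Returns (HTTP status, message).
    """
    form = request.get("form", {})
    if page.get("xsrf_protected", True):
        if not token_is_valid(request.get("session_id", ""), form.get("xsrf")):
            return 403, "XSRF token missing or invalid"
    # Token accepted, or the page opted out of XSRF: run the event.
    # An opted-out page must enforce its own authentication (the ACL the
    # question mentions), since nothing ties the request to a browser session.
    return 200, "saved entry %r" % (form.get("title"),)


def demo_cases() -> dict:
    """Four constructed requests showing the behaviour the thread describes."""
    protected = {"path": "/api/entries", "xsrf_protected": True}
    opted_out = {"path": "/api/entries", "xsrf_protected": False}

    browser_with_token = {"session_id": "sess-1",
                          "form": {"xsrf": issue_token("sess-1"), "title": "from browser"}}
    # A second system posting server-to-server has no session and no token.
    machine_no_token = {"session_id": "", "form": {"title": "from other system"}}
    # A forged request that guesses wrong (e.g. replays another session's token).
    forged_wrong_token = {"session_id": "sess-1",
                          "form": {"xsrf": issue_token("sess-2"), "title": "forged"}}

    return {
        "browser_ok": handle_post(protected, browser_with_token)[0],        # 200
        "api_blocked": handle_post(protected, machine_no_token)[0],         # 403
        "api_opted_out": handle_post(opted_out, machine_no_token)[0],       # 200
        "forged_rejected": handle_post(protected, forged_wrong_token)[0],   # 403
    }


if __name__ == "__main__":
    for name, status in demo_cases().items():
        print(f"{name}: HTTP {status}")
```

The second case is exactly the breakage described: the external system has no browser session, so it can never present a valid token, and the page refuses the POST. The third case is the opt-out the thread settles on; note that opting out removes the request-origin check entirely, so such a page needs its own authentication.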

Thanks for the information @brendo!

Just an update for everyone that 2.4RC2 is now available for use from our integration branch. If you're testing with extensions, the bundle has also been updated. Barring any major issues, this will be released as 2.4 final on May 13th.

This release contains a number of changes since 2.4RC1, the most notable that XSRF is now not enabled by default on the frontend and is opt-in through an updated XSS Filter extension.

If you notice anything during your testing, please log it in our issue tracker.

Everything is shaping up for a release in a few days, so the release notes have been drafted and the API documentation is now up.

Many thanks to everyone involved in this release, 544 commits and 15 contributors, a massive effort and we've delivered an excellent product as a result. Thank you :)

Brendo, How is it going? Excited to try the new 2.4 final! Greetings from Portugal! Wannes

Nobody asked me, and I am the last person who should say so, but there are some small blocking bugs, at least I think #2062 is one.

Symphony 2.4 works great, love the tuning of the Backend!

Extensions that give/gave me problems:

  • Multilingual Field: FIX:
  • Image upload: error: Symphony Recoverable Error: Argument 1 passed to fieldImageupload::getChildrenWithClass() must be an instance of XMLElement, string given, called in extensions/image_upload/fields/field.imageupload.php on line 525 and defined. ISSUE
  • Increment number:

Point 2 is to do with the XMLElement returning an object instead of a string in 2.4 I'll see if I can send PR to fix this one.

Not sure on 1 and 3 but maybe similar issues.

@wdebusschere Try this branch for image upload as a test... very small fix: image_upload fix

Take it with a pinch of salt though as I don't think it's 100% right.

  • @moonoo2 Ok thanks, it's working
  • Point 1, Multilingual Field, already has a fix.
  • Point 3, Increment number: not yet

The release has been tagged on GitHub, I just haven't had a chance yet to do the full publish here :) There are some outstanding tickets, but none are critical, hence the release :)

@brendo, did you see my ticket:

EventMessages class, conflicts with any event you create named Messages.

Yes I did, but as it's easy to avoid it didn't block launch.

I've now pushed the release to this domain and updated the tutorial with regards to the bundle branch :)

Many many thanks to all who helped contribute to this build.

All new tickets and issues will be considered for 2.4.1!

Cool beans!

It's finally out the door :)

Thanks guys for all the hard work!
One question: is there a way to disable XSRF completely?

I'd like to open one of my pages in an iframe on another domain, but this filter won't let me...


@brendo and everyone, thank you for all of your hard work!!!

@Cremol: There is an enable_xsrf setting under symphony in the configuration.

Nils, do you mean in the config.php file?

Yeah, it's in the config after running the update functionality at /update/


Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.3
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent
