MNT Added 5.3.0-beta1 changelog

en/08_Changelogs/5.3.0.md

@@ -6,6 +6,7 @@ title: 5.3.0 (unreleased)
 
 ## Overview
 
+- [Security considerations](#security-considerations)
 - [Features and enhancements](#features-and-enhancements)
   - [High-level API for converting files](#file-converter)
   - [Improve customisability of rendered images](#image-rendering)
@@ -14,9 +15,21 @@ title: 5.3.0 (unreleased)
   - [Support for `JOIN` in SQL `UPDATE`](#sql-update-join)
   - [Autologin token regeneration changes](#autologin-token-regeneration)
   - [Other new features](#other-new-features)
-  - [API changes](#api-changes)
+- [API changes](#api-changes)
 - [Bug fixes](#bug-fixes)
 
+## Security considerations {#security-considerations}
+
+Three security fixes that were previously released in the July security release are mentioned in the [Silverstripe CMS security patches July 2024](https://www.silverstripe.org/blog/silverstripe-cms-security-patches-july-2024/) blog post are listed below.
+
+Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.
+
+We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating).
+
+- [CVE-2024-29885 - Reports are still accessible even when canView is set to false](https://www.silverstripe.org/download/security-releases/cve-2024-29885) Severity: Medium
+- [CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload](https://www.silverstripe.org/download/security-releases/cve-2024-32981) Severity: Medium
+- [SS-2024-001 - TinyMCE allows svg files linked in object tags](https://www.silverstripe.org/download/security-releases/ss-2024-001) Severity: Medium
+
 ## Features and enhancements
 
 ### Changes to `TinyMCEConfig` {#changes-to-tinymce}
@@ -106,6 +119,27 @@ class MyParent extends DataObject
 }
 ```
 
+```php
+namespace App\Model;
+
+use SilverStripe\Forms\FormField;
+use SilverStripe\ORM\DataObject;
+
+class MyChild extends DataObject
+{
+    // ...
+
+    public function scaffoldFormFieldForHasOne(
+        string $fieldName,
+        ?string $fieldTitle,
+        string $relationName,
+        DataObject $ownerRecord
+    ): FormField {
+        return /* instantiate some FormField here */;
+    }
+}
+```
+
 This means modules can pre-define the form field that should be used for their custom models, which reduces the amount of boilerplate code developers need to include in their `getCMSFields()` implementations.
 
 For more information see [scaffolding for relations](/developer_guides/model/scaffolding/#scaffolding-for-relations).
@@ -159,7 +193,7 @@ From 6.0 onwards, tokens will never be regenerated during session renewal, and t
 ## API changes
 
 - Passing a non-array `$fields` argument to both [`FieldList::addFieldsToTab()`](api:SilverStripe\Forms\FieldList::addFieldsToTab()) and [`FieldList::removeFieldsFromTab()`](api:SilverStripe\Forms\FieldList::removeFieldsFromTab()) has been deprecated.
-- The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update the description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API.
+- The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update or get the CMS description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API.
 - The [`RememberLoginHash::renew()`](api:SilverStripe\Security\RememberLoginHash::renew()) method has been deprecated without replacement, since the associated behaviour will be removed in 6.0.
   - The `onAfterRenewToken` extension point within this method will likely be replaced with a new extension point in 6.0.
 - The [`RememberLoginHash.replace_token_during_session_renewal`](api:SilverStripe\Security\RememberLoginHash->replace_token_during_session_renewal) configuration property has been added to allow disabling token regeneration during session renewal. This property will be removed in 6.0.