From 06f945f27840b53e57795dadbc38e76f7e11ab1c Mon Sep 17 00:00:00 2001 From: Horus3 Date: Mon, 24 Feb 2014 16:42:14 +0100 Subject: init --- .../documentation/manual/core/en/migration.19.html | 545 +++++++++++++++++++++ 1 file changed, 545 insertions(+) create mode 100644 zend/documentation/manual/core/en/migration.19.html (limited to 'zend/documentation/manual/core/en/migration.19.html') diff --git a/zend/documentation/manual/core/en/migration.19.html b/zend/documentation/manual/core/en/migration.19.html new file mode 100644 index 0000000..ab92ee8 --- /dev/null +++ b/zend/documentation/manual/core/en/migration.19.html @@ -0,0 +1,545 @@ + + + + + Zend Framework 1.9 - Zend Framework Manual + + + + + + + + +
+ + + + + + + + +
+ Zend Framework 1.10 + +
Zend Gdata Migration Notes
+ Programmer's Reference Guide
+ 		+ +
+
+

Zend Framework 1.9

+ + +

+ When upgrading from a release of Zend Framework earlier than 1.9.0 to any 1.9 release, you + should note the following migration notes. +

+ +

Zend_File_Transfer

+ + +

MimeType validation

+ + +

+ For security reasons we had to turn off the default fallback mechanism of the + MimeType, ExcludeMimeType, + IsCompressed and IsImage validators. + This means, that if the fileInfo or + magicMime extensions can not be found, the validation will + always fail. +

+ +

+ If you are in need of validation by using the HTTP fields which + are provided by the user then you can turn on this feature by using the + enableHeaderCheck() method. +

+ +

Note: Security hint
 + + + + You should note that relying on the HTTP fields, which are + provided by your user, is a security risk. They can easily be changed and could + allow your user to provide a malcious file. +
+

+ +

Example #1 Allow the usage of the HTTP fields

+ + +
  1. // at initiation
    2. +
  2. $valid = new Zend_File_Transfer_Adapter_Http(array('headerCheck' => true);
    3. +
  3.  
    4. +
  4. // or afterwards
    5. +
  5. $valid->enableHeaderCheck();
+ +
+
+
+ +

Zend_Filter

+ + +

+ Prior to the 1.9 release, Zend_Filter allowed + the usage of the static get() method. As with + release 1.9 this method has been renamed to + filterStatic() to be more descriptive. The + old get() method is marked as deprecated. +

+
+ +

Zend_Http_Client

+ + +

Changes to internal uploaded file information storage

+ + +

+ In version 1.9 of Zend Framework, there has been a change in the way + Zend_Http_Client internally stores information about + files to be uploaded, set using the + Zend_Http_Client::setFileUpload() method. +

+ +

+ This change was introduced in order to allow multiple files to be uploaded + with the same form name, as an array of files. More information about this issue + can be found in » this bug report. +

+ +

Example #2 Internal storage of uploaded file information

+ + +
  1. // Upload two files with the same form element name, as an array
    2. +
  2. $client = new Zend_Http_Client();
    3. +
  3. $client->setFileUpload('file1.txt',
    4. +
  4.                        'userfile[]',
    5. +
  5.                        'some raw data',
    6. +
  6.                        'text/plain');
    7. +
  7. $client->setFileUpload('file2.txt',
    8. +
  8.                        'userfile[]',
    9. +
  9.                        'some other data',
    10. +
  10.                        'application/octet-stream');
    11. +
  11.  
    12. +
  12. // In Zend Framework 1.8 or older, the value of
    13. +
  13. // the protected member $client->files is:
    14. +
  14. // $client->files = array(
    15. +
  15. //     'userfile[]' => array('file2.txt',
    16. +
  16.                              'application/octet-stream',
    17. +
  17.                              'some other data')
    18. +
  18. // );
    19. +
  19.  
    20. +
  20. // In Zend Framework 1.9 or newer, the value of $client->files is:
    21. +
  21. // $client->files = array(
    22. +
  22. //     array(
    23. +
  23. //         'formname' => 'userfile[]',
    24. +
  24. //         'filename' => 'file1.txt,
    25. +
  25. //         'ctype'    => 'text/plain',
    26. +
  26. //         'data'     => 'some raw data'
    27. +
  27. //     ),
    28. +
  28. //     array(
    29. +
  29. //         'formname' => 'userfile[]',
    30. +
  30. //         'filename' => 'file2.txt',
    31. +
  31. //         'formname' => 'application/octet-stream',
    32. +
  32. //         'formname' => 'some other data'
    33. +
  33. //     )
    34. +
  34. // );
+ +
+ +

+ As you can see, this change permits the usage of the same form element name with + more than one file - however, it introduces a subtle backwards-compatibility change + and as such should be noted. +

+
+ +

Deprecation of Zend_Http_Client::_getParametersRecursive()

+ + +

+ Starting from version 1.9, the protected method + _getParametersRecursive() is no longer used by + Zend_Http_Client and is deprecated. Using it will cause an + E_NOTICE message to be emitted by PHP. +

+ +

+ If you subclass Zend_Http_Client and call this method, you + should look into using the + Zend_Http_Client::_flattenParametersArray() static method + instead. +

+ +

+ Again, since this _getParametersRecursive() is a protected + method, this change will only affect users who subclass + Zend_Http_Client. +

+
+
+ +

Zend_Locale

+ + +

Deprecated methods

+ + +

+ Some specialized translation methods have been deprecated because they duplicate + existing behaviour. Note that the old methods will still work, but a user notice is + triggered which describes the new call. The methods will be erased with 2.0. + See the following list for old and new method call. +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
List of measurement types
Old callNew call
+ getLanguageTranslationList($locale) + + getTranslationList('language', $locale) +
+ getScriptTranslationList($locale) + + getTranslationList('script', $locale) +
+ getCountryTranslationList($locale) + + getTranslationList('territory', $locale, 2) +
+ getTerritoryTranslationList($locale) + + getTranslationList('territory', $locale, 1) +
+ getLanguageTranslation($value, $locale) + + getTranslation($value, 'language', $locale) +
+ getScriptTranslation($value, $locale) + + getTranslation($value, 'script', $locale) +
+ getCountryTranslation($value, $locale) + + getTranslation($value, 'country', $locale) +
+ getTerritoryTranslation($value, $locale) + + getTranslation($value, 'territory', + $locale) +
+ +
+
+ +

Zend_View_Helper_Navigation

+ + +

+ Prior to the 1.9 release, the menu helper + (Zend_View_Helper_Navigation_Menu) did not + render sub menus correctly. When onlyActiveBranch + was TRUE and the option renderParents + FALSE, nothing would be rendered if the deepest active + page was at a depth lower than the minDepth option. +

+ +

+ In simpler words; if minDepth was set to '1' + and the active page was at one of the first level pages, nothing + would be rendered, as the following example shows. +

+ +

+ Consider the following container setup: +

+ +
  1. <?php
    2. +
  2. $container = new Zend_Navigation(array(
    3. +
  3.     array(
    4. +
  4.         'label' => 'Home',
    5. +
  5.         'uri'   => '#'
    6. +
  6.     ),
    7. +
  7.     array(
    8. +
  8.         'label'  => 'Products',
    9. +
  9.         'uri'    => '#',
    10. +
  10.         'active' => true,
    11. +
  11.         'pages'  => array(
    12. +
  12.             array(
    13. +
  13.                 'label' => 'Server',
    14. +
  14.                 'uri'   => '#'
    15. +
  15.             ),
    16. +
  16.             array(
    17. +
  17.                 'label' => 'Studio',
    18. +
  18.                 'uri'   => '#'
    19. +
  19.             )
    20. +
  20.         )
    21. +
  21.     ),
    22. +
  22.     array(
    23. +
  23.         'label' => 'Solutions',
    24. +
  24.         'uri'   => '#'
    25. +
  25.     )
    26. +
  26. ));
+ + +

+ The following code is used in a view script: +

+ +
  1. <?php echo $this->navigation()->menu()->renderMenu($container, array(
    2. +
  2.     'minDepth'         => 1,
    3. +
  3.     'onlyActiveBranch' => true,
    4. +
  4.     'renderParents'    => false
    5. +
  5. )); ?>
+ + +

+ Before release 1.9, the code snippet above would output nothing. +

+ +

+ Since release 1.9, the _renderDeepestMenu() method in + Zend_View_Helper_Navigation_Menu will accept + active pages at one level below minDepth, as long as + the page has children. +

+ +

+ The same code snippet will now output the following: +

+ +
  1. <ul class="navigation">
    2. +
  2.     <li>
    3. +
  3.         <a href="#">Server</a>
    4. +
  4.     </li>
    5. +
  5.     <li>
    6. +
  6.         <a href="#">Studio</a>
    7. +
  7.     </li>
    8. +
  8. </ul>
+ +
+ +

Security fixes as with 1.9.7

+ + +

+ Additionally, users of the 1.9 series may be affected by other changes starting in + version 1.9.7. These are all security fixes that also have potential backwards + compatibility implications. +

+ +

Zend_Dojo_View_Helper_Editor

+ + +

+ A slight change was made in the 1.9 series to modify the default usage of the Editor + dijit to use div tags instead of a textarea + tag; the latter usage has » security + implications, and usage of div tags is recommended by the + Dojo project. +

+ +

+ In order to still allow graceful degradation, a new degrade + option was added to the view helper; this would allow developers to optionally use a + textarea instead. However, this opens applications developed with + that usage to XSS vectors. In 1.9.7, we have removed this option. + Graceful degradation is still supported, however, via a noscript + tag that embeds a textarea. This solution addressess all security + concerns. +

+ +

+ The takeaway is that if you were using the degrade flag, it will + simply be ignored at this time. +

+
+ +

Zend_Filter_HtmlEntities

+ + +

+ In order to default to a more secure character encoding, + Zend_Filter_HtmlEntities now defaults to + UTF-8 instead of ISO-8859-1. +

+ +

+ Additionally, because the actual mechanism is dealing with character encodings and + not character sets, two new methods have been added, + setEncoding() and getEncoding(). + The previous methods setCharSet() and + setCharSet() are now deprecated and proxy to the new + methods. Finally, instead of using the protected members directly within the + filter() method, these members are retrieved by their + explicit accessors. If you were extending the filter in the past, please check your + code and unit tests to ensure everything still continues to work. +

+
+ +

Zend_Filter_StripTags

+ + +

+ Zend_Filter_StripTags contains a flag, + commentsAllowed, that, in previous versions, allowed you to + optionally whitelist HTML comments in HTML + text filtered by the class. However, this opens code enabling the flag to + XSS attacks, particularly in Internet Explorer (which allows + specifying conditional functionality via HTML comments). Starting + in version 1.9.7 (and backported to versions 1.8.5 and 1.7.9), the + commentsAllowed flag no longer has any meaning, and all + HTML comments, including those containing other + HTML tags or nested commments, will be stripped from the final + output of the filter. +

+
+
+
+
+ + + + + + + + + +
+ Zend Framework 1.10 + +
Zend Gdata Migration Notes
+ Programmer's Reference Guide
+ 		+ +
+		 + +
+ + \ No newline at end of file -- cgit v1.2.3