We are happy to announce the 1.9.0 quarterly release of the CWP recipe.

This upgrade includes CMS and Framework version 3.7.1

Upgrade to Recipe 1.9.0 is optional, but is recommended for all CWP sites.

It contains new features which help you make decisions on an upgrade path (via the Installed Modules Report), as well as important changes to make caching of your sites safer and easier. As part of the caching changes, we’ve deprecated the (optional) controllerpolicy module, and recommend new core APIs for sending HTTP cache headers instead. If you are not caching your site, this is a great time to start: Fast sites make happy users, and are more resilient to traffic spikes. Read our CWP Performance Guide for details.

New Features

Installed Modules Report

Developed for the Common Web Platform as a co-fund submission, the Installed Modules Report otherwise named in the submission as the ‘Site Summariser’ has been built to provide agencies with access to module information, allowing them to make faster and more informed decisions about upgrading their site and modules.

Bringing site and module information to the CMS, the Installed Modules Report aims to:

  • Provide those responsible for agency sites to access a snapshot on the current build of their site and what upgrades are available.
  • Provide a list of what modules are utilised by the site and where further information can be found relating to user help documentation and module features.
  • Highlight known module security issues.
  • Provide a ‘health’ rating of each module based on the security and build quality.

The Installed Modules report can be added to your site through the combination of the below repositories. Consult with your development team to have this added to your site.

Information on accessing the report is covered in this user guide.

Caching Improvements

HTTP caching is an important part of making websites fast and reliable. This CWP release aims to avoid mistakes in the process by providing more high level HTTP Caching APIs. The default system behaviour will also pick up more situations where caching needs to be disabled automatically, for example when previewing draft content. CWP projects can choose to make this behaviour more secure by opting out of session-based draft stages and solely relying on the ?stage=Stage parameter.

Security Changes

  • Resolved a potential low level object injection exploit in the silverstripe-multivaluefield module. See SS-2018-017.
  • Resolved a potential low level cross site scripting vulnerability in the silverstripe-multivaluefield module. See SS-2018-017.
  • Resolved a potential low level vulnerability where in some circumstances a form could populate a PasswordField with submitted data back to the user who submitted it. See SS-2018-013.

For details on these and previous security fixes, please refer to our security release announcement page.

Upgrading Instructions

This upgrade can be carried out by any development team familiar with SilverStripe CMS, but if would like SilverStripe's assistance, you can request support via the Service Desk.

In order to update an existing site to use the new basic recipe the following changes to your composer.json can be made:

"require": {
    "cwp/cwp-recipe-basic": "~1.9.0@stable",
    "cwp/cwp-recipe-blog": "~1.9.0@stable",
    "cwp/starter-theme": "~1.1.1@stable"
"prefer-stable": true

The new Installed Module Report, mentioned above, is included by default as part of “cwp-recipe-basic”.

More information on upgrading major versions of CWP can be found in the online documentation

Accepted Failing Tests


  • UploadFieldTest.testAllowedExtensions — Behaviour intentionally altered by the MimeValidator module
  • UploadFieldTest.testSelect — Behaviour altered by SelectUploadField intentionally
  • UploadTest.testUploadTarGzFileTwiceAppendsNumber — This test is now expected to fail as the new MimeValidator module will no longer allow random content to be uploaded with a mismatched mime and file extension. The original test is attempting to upload a bunch of text as a gzip file.
  • CMSFormTest.testValidationExemptActions — Expected output modified by the starter theme
Expected output modified by the starter theme
  • CheckboxSetFieldTest.testSetDefaultItems
  • EmailFieldTest.testEmailFieldPopulation
  • LookupFieldTest.testNullValueWithNumericArraySource
  • LookupFieldTest.testStringValueWithNumericArraySource
  • LookupFieldTest.testUnknownStringValueWithNumericArraySource
  • LookupFieldTest.testArrayValueWithAssociativeArraySource
  • LookupFieldTest.testArrayValueWithNumericArraySource
  • LookupFieldTest.testArrayValueWithSqlMapSource
  • LookupFieldTest.testWithMultiDimensionalSource
  • OptionsetFieldTest.testSetDisabledItems
  • GridFieldDetailFormTest.testValidator
  • GridFieldSortableHeaderTest.testRenderHeaders


  • QueuedJobsTest.testImmediateQueuedJob - Test self-aborts when detecting lack of available system resources (inconclusive).
  • QueuedJobsTest.testStartJob - Test self-aborts when detecting lack of available system resources (inconclusive).



  • UserDefinedFormControllerTest.testValidation - Test failure affected by global state (starter theme template overrides).
  • UserDefinedFormControllerTest.testRenderingIntoFormTemplate - Test failure affected by global state.
  • UserDefinedFormControllerTest.testRenderingIntoTemplateWithSubstringReplacement - Test failure affected by global state.

Change Log


  • 2018-07-18 e2af1cf Disabling use of serialise fallback in MultiValueField for new installations (Guy Marriott) - See ss-2018-017
  • 2018-07-16 31fbc8c Convert serialisation to JSON where possible. PHP serialise is still used as a deprecated fallback (Guy Marriott) - See ss-2018-017
  • 2018-07-16 f523dfc Potential XSS vulnerability in checkbox field, update overloading from core (Robbie Averill) - See ss-2018-017
  • 2018-04-24 e4c0f271b Ensure passwords do not get added to session on submission failure (Aaron Carlino) - See ss-2018-013

API Changes

  • 2017-12-11 0ec4b17 Delete .tx folder (Raissa North)
  • 2017-06-10 413b4936a Add extension hook to FormField::extraClass() (Damian Mooyman)
  • 2016-11-28 f16d7e183 Deprecate unused / undesirable create_new_password implementation (Damian Mooyman)

Features and Enhancements

  • 2018-06-17 6ab06cd Lazy-load spellcheck config instead of every request (Damian Mooyman)
  • 2018-06-11 e12aec8 Adding maintenance and additional composer modules (Guy)
  • 2018-06-07 2b4954035 Add better HTTP cache-control manipulation (#8086) (Daniel Hensby)
  • 2018-06-06 c639ffa9c isPopulated method to allow StringField subclasses to check existence without RAW (Aaron Carlino)
  • 2018-05-29 987798f Adding extension for relabelling filter options on report (Guy)
  • 2018-05-23 7c86995 Adding an extension for the silverstripe-maintenance "Site Summary" report to display a more appropriate version label (Guy)
  • 2018-05-07 dfdaac48 Backport versioned querystring fix (#2153) (Damian Mooyman)
  • 2018-05-07 47a9cdfd4 Backport of querystring work to 3.x (#8026) (Damian Mooyman)
  • 2017-11-30 910381633 Add php 7.2 support (Daniel Hensby)
  • 2017-11-06 2e43780a8 Add sort columns to DB index automatically (Daniel Hensby)
  • 2017-09-28 2f0a0cb63 Add (alt text) to title field for clarity (Robbie Averill)
  • 2017-09-28 67ebd5e (WorkflowService) Allow explicit passing of workflow definition to startWorkflow (Marcus Nyeholt)
  • 2017-08-28 0b34066f0 incorrect scalar types in doc blocks, add chainable returns in setters (Robbie Averill)
  • 2017-08-03 8577ad128 Added SSL support for MySQLi Connector (fixes #7242) (John)
  • 2017-08-02 2f9bfae1f Added MySQL SSL PDO Support (John)
  • 2017-07-04 b347ab86 Add version provider configuration (Robbie Averill)
  • 2017-07-04 ee4d8b4d4 Add new SilverStripeVersionProvider to provider module versions (Robbie Averill)
  • 2017-06-15 a990c99d6 suffix subfolder in silverstripe-cache with php-version (#6810) (Lukas)


  • 2018-07-17 e38c30ff0 sizeof doesnt work with null types (Daniel Hensby)
  • 2018-06-26 837920a Maintenance module extension now provides CWP proxy information for HTTP requests (Robbie Averill)
  • 2018-06-19 d392ca7 Make sure setAllowMultibyte is on when looking up by URLSegment (Daniel Hensby)
  • 2018-06-19 58bd6c224 Switch to Trusty in Travis (Robbie Averill)
  • 2018-06-19 7656ced Updating spellchecker to use new HTTPCacheControl API (Guy)
  • 2018-06-12 6a6bc6d Fix invalid stage being specified for queried records (Guy)
  • 2018-06-12 73cccf9 Removing syntax error in config file (Guy)
  • 2018-06-11 07112dbb Remove blind reliance on current versioning stage being valid (Guy)
  • 2018-06-11 bea626e Fix invalid stage being specified for queried records (Damian Mooyman)
  • 2018-06-11 02cd32acb Error if invalid stage specified for get_by_stage (Damian Mooyman)
  • 2018-06-09 42e799bc4 Versioned::choose_site_stage() if no request given (Florian Thoma)
  • 2018-06-07 833db05 Fix for 3.7 compat (Damian Mooyman)
  • 2018-06-07 4a0e5b636 Fix crash on fixed_fields in default_sort (Damian Mooyman)
  • 2018-06-04 85a712e1c postgres test (Damian Mooyman)
  • 2018-06-04 41e601a03 Regression from #8009 (Daniel Hensby)
  • 2018-06-04 a20b0a4aa Remove use of deprecated each method (Daniel Hensby)
  • 2018-06-01 5b47edc broken links (#94) (Raissa North)
  • 2018-06-01 ce1db58 broken link (#92) (Raissa North)
  • 2018-06-01 1012ccb broken link (Raissa North)
  • 2018-06-01 05a519ecc code style / php 5.3 compat (Damian Mooyman)
  • 2018-06-01 af89140 broken link in developer docs (#91) (Raissa North)
  • 2018-06-01 c5205ecc Ensure errorpage is built in live mode (Damian Mooyman)
  • 2018-06-01 2756d60da Prevent stage querystring args during dev/build (Damian Mooyman)
  • 2018-06-01 60a98be broken links in developer docs (Raissa North)
  • 2018-05-29 1cbf27e0f PHP 5.3 compat for referencing $this in closure, and make method public for same reason (Robbie Averill)
  • 2018-05-23 b6dbae8b Make RedirectorPage::Link compatible with SiteTree::Link (Daniel Hensby)
  • 2018-05-09 8f363d6 Remove unnecessary translation of parameterised field value (Raissa North)
  • 2018-04-20 b4943fb Automatically create default SiteTree records for new subsites (Robbie Averill)
  • 2018-04-17 af3a9f3ec Duplicating many_many relationships looses the extra fields (fixes #7973) (UndefinedOffset)
  • 2018-03-23 f7ffb70 Use userforms template for member list field, fixes display rule issue (Robbie Averill)
  • 2018-03-20 ebd3fb652 Don't auto-generate indexes for Text field types (fixes #7900) (Loz Calver)
  • 2018-03-15 61ce4771f ing HTMLEditorField API documentation (3Dgoo)
  • 2018-03-15 d17d93f7 Remove SearchForm results() function from allowed_actions (Steve Dixon)
  • 2018-03-14 97f22cbaa ing FormAction API documentation (3Dgoo)
  • 2018-03-01 6523d7a6e ing HTMLEditorField API documentation (3Dgoo)
  • 2018-02-27 c755f7728 indentation (Aaron Carlino)
  • 2018-02-21 0ce8b95 Escape dollar signs in UserForm contents before inserting them with regex (#723) (Scott Hutchinson)
  • 2018-02-16 86addea1d Split HTML manipulation to onadd, so elements are not accidentally duplicated (Christopher Joe)
  • 2018-02-13 c767e472d DataObject singleton creation (Jonathon Menz)
  • 2017-12-21 b58f6d0 (travis) remove php 5.3 from Travis config as it's no longer supported (Stephen McMahon)
  • 2017-12-21 f6750a9 (Service) ensure run as user is cleared at the end of each runJob (Stephen McMahon)
  • 2017-12-01 74a3ba54a count size of $relations (Daniel Hensby)
  • 2017-11-29 2717f0134 link to nginx.org wiki (JorisDebonnet)
  • 2017-08-08 1a4a006d0 PDOConnector ssl_cipher bug fixes #7258 (John)
  • 2017-04-12 8999f70ac ing broken search in SecurityAdmin Groups field (Sean Harvey)
  • 2017-02-03 3679cb7 Ensure QueuedJob health check doesn't kill long running review jobs (Jake Bentvelzen)
  • 2017-01-31 e302c4e Fixed ambiguous column crash caused when publishing a versioned object if the query is joined against another table (UndefinedOffset)

Was this article helpful?