From aee038166353dffbae6741928a9a0a118dfcd9c4 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:10:12 +0200
Subject: [PATCH 1/5] Hints for SiteTree.TreeTitle casting

Relates to SS-2013-009
---
 code/model/SiteTree.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index cd6443a6..c87d15da 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -121,6 +121,7 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 		'Link' => 'Text',
 		'RelativeLink' => 'Text',
 		'AbsoluteLink' => 'Text',
+		'TreeTitle' => 'HTMLText',
 	);
 
 	private static $defaults = array(

From a5d9958f8c264b93ee42b161fbab16de39592236 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:11:13 +0200
Subject: [PATCH 2/5] Clearer escaping in ReportAdmin

No direct security issue since report titles can't be set by the user
---
 code/controllers/ReportAdmin.php | 8 +++++++-
 code/reports/Report.php          | 9 +++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/code/controllers/ReportAdmin.php b/code/controllers/ReportAdmin.php
index 55b128a8..05fb82c3 100644
--- a/code/controllers/ReportAdmin.php
+++ b/code/controllers/ReportAdmin.php
@@ -164,7 +164,13 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 				'title' => _t('ReportAdmin.ReportTitle', 'Title'),
 			));
 			$columns->setFieldFormatting(array(
-				'title' => '<a href=\"$Link\" class=\"cms-panel-link\">$value</a>'
+				'title' => function($value, &$item) {
+					return sprintf(
+						'<a href=\"%s\" class=\"cms-panel-link\">%s</a>',
+						Convert::raw2xml($item->Link),
+						Convert::raw2xml($value)
+					);
+				}
 			));
 			$gridField->addExtraClass('all-reports-gridfield');
 			$fields->push($gridField);
diff --git a/code/reports/Report.php b/code/reports/Report.php
index a76b93b4..85b1f03a 100644
--- a/code/reports/Report.php
+++ b/code/reports/Report.php
@@ -282,8 +282,13 @@ class SS_Report extends ViewableData {
 			if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
 
 			if(isset($info['link']) && $info['link']) {
-				$link = singleton('CMSPageEditController')->Link('show');
-				$fieldFormatting[$source] = '<a href=\"' . $link . '/$ID\">$value</a>';
+				$fieldFormatting[$source] = function($value, &$item) {
+					return sprintf(
+						'<a href=\"%s\">%s</a>',
+						Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID),
+						Convert::raw2xml($value)
+					);
+				};
 			}
 
 			$displayFields[$source] = isset($info['title']) ? $info['title'] : $source;

From ec9c15917dcd882baedfbe0cd4b0eb8ad0a844b7 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:12:21 +0200
Subject: [PATCH 3/5] FIX Escaping in "dependent pages" (SS-2013-009)

---
 code/model/SiteTree.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index c87d15da..4c7df17d 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -1850,8 +1850,20 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 			$dependentTable->getConfig()->getComponentByType('GridFieldDataColumns')
 				->setDisplayFields($dependentColumns)
 				->setFieldFormatting(array(
-				'Title' => '<a href=\"admin/pages/edit/show/$ID\">$Title</a>',
-				'AbsoluteLink' => '<a href=\"$value\">$value</a>',
+					'Title' => function($value, &$item) {
+						return sprintf(
+							'<a href=\"admin/pages/edit/show/%d\">%s</a>',
+							(int)$item->ID,
+							Convert::raw2xml($item->Title)
+						);
+					},
+					'AbsoluteLink' => function($value, &$item) {
+						return sprintf(
+							'<a href=\"%s\">%s</a>',
+							Convert::raw2xml($value),
+							Convert::raw2xml($value)
+						);
+					}
 				));
 		}
 		

From f477983bffeb5542322028df731495195fd649ff Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:12:57 +0200
Subject: [PATCH 4/5] Clearer escaping in CMSMain

No direct security issue, but makes intent clearer
---
 code/controllers/CMSMain.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/code/controllers/CMSMain.php b/code/controllers/CMSMain.php
index 86cedb15..68c0b0d9 100644
--- a/code/controllers/CMSMain.php
+++ b/code/controllers/CMSMain.php
@@ -783,13 +783,21 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
 				if($num) {
 					return sprintf(
 						'<a class="cms-panel-link list-children-link" data-pjax-target="ListViewForm,Breadcrumbs" href="%s">%s</a>',
-						Controller::join_links($controller->Link(), "?ParentID={$item->ID}&view=list"),
+						Controller::join_links(
+							$controller->Link(), 
+							sprintf("?ParentID=%d&view=list", (int)$item->ID)
+						),
 						$num
 					);
 				}
 			},
 			'getTreeTitle' => function($value, &$item) use($controller) {
-				return '<a class="action-detail" href="' . singleton('CMSPageEditController')->Link('show') . '/' . $item->ID . '">' . $item->TreeTitle . '</a>';
+				return sprintf(
+					'<a class="action-detail" href="%s/%d">%s</a>',
+					singleton('CMSPageEditController')->Link('show'),
+					(int)$item->ID,
+					$item->TreeTitle // returns HTML, does its own escaping
+				);
 			}
 		));
 		

From dc1ae03fece82a69d0010b4f54c4c1714b25525e Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Thu, 26 Sep 2013 01:42:31 +0200
Subject: [PATCH 5/5] Tagged 3.1.0-rc3