From 79996a76fe55bd95a99dd99aae5c5f27626f0f06 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:11:13 +0200
Subject: [PATCH] Clearer escaping in ReportAdmin

No direct security issue since report titles can't be set by the user
---
 code/controllers/ReportAdmin.php | 8 +++++++-
 code/reports/Report.php          | 9 +++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/code/controllers/ReportAdmin.php b/code/controllers/ReportAdmin.php
index 21067b78..946633ca 100644
--- a/code/controllers/ReportAdmin.php
+++ b/code/controllers/ReportAdmin.php
@@ -166,7 +166,13 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 				'title' => _t('ReportAdmin.ReportTitle', 'Title'),
 			));
 			$columns->setFieldFormatting(array(
-				'title' => '<a href=\"$Link\" class=\"cms-panel-link\">$value</a>'
+				'title' => function($value, &$item) {
+					return sprintf(
+						'<a href=\"%s\" class=\"cms-panel-link\">%s</a>',
+						Convert::raw2xml($item->Link),
+						Convert::raw2xml($value)
+					);
+				}
 			));
 			$gridField->addExtraClass('all-reports-gridfield');
 			$fields->push($gridField);
diff --git a/code/reports/Report.php b/code/reports/Report.php
index 35fafadf..09e3ce0c 100644
--- a/code/reports/Report.php
+++ b/code/reports/Report.php
@@ -301,8 +301,13 @@ class SS_Report extends ViewableData {
 			if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
 
 			if(isset($info['link']) && $info['link']) {
-				$link = singleton('CMSPageEditController')->Link('show');
-				$fieldFormatting[$source] = '<a href=\"' . $link . '/$ID\">$value</a>';
+				$fieldFormatting[$source] = function($value, &$item) {
+					return sprintf(
+						'<a href=\"%s\">%s</a>',
+						Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID),
+						Convert::raw2xml($value)
+					);
+				};
 			}
 
 			$displayFields[$source] = isset($info['title']) ? $info['title'] : $source;