From ec9c15917dcd882baedfbe0cd4b0eb8ad0a844b7 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Tue, 24 Sep 2013 12:12:21 +0200
Subject: [PATCH] FIX Escaping in "dependent pages" (SS-2013-009)
---
 code/model/SiteTree.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index c87d15da..4c7df17d 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -1850,8 +1850,20 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 $dependentTable->getConfig()->getComponentByType('GridFieldDataColumns')
 ->setDisplayFields($dependentColumns)
 ->setFieldFormatting(array(
- 'Title' => '$Title',
- 'AbsoluteLink' => '$value',
+ 'Title' => function($value, &$item) {
+ return sprintf(
+ '%s',
+ (int)$item->ID,
+ Convert::raw2xml($item->Title)
+ );
+ },
+ 'AbsoluteLink' => function($value, &$item) {
+ return sprintf(
+ '%s',
+ Convert::raw2xml($value),
+ Convert::raw2xml($value)
+ );
+ }
 ));
 }
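Review bot: Nothing near the two new `setFieldFormatting` callbacks records why they replaced the `'$Title'` / `'$value'` string templates, so a later cleanup could revert to the shorter form and, presumably, bring back the unescaped output that SS-2013-009 refers to. I would add a comment above the array such as `// Callbacks, not string templates: every value must go through Convert::raw2xml() before it reaches the column markup (SS-2013-009)`. The diffstat lists only `code/model/SiteTree.php`, so the fix ships without a regression test; one that renders the dependent-pages grid for a page whose Title contains markup characters and asserts they come out as entities would pin the behaviour. Minor: both closures declare `&$item` by reference but only read it, so plain `$item` is enough. The enclosing method starts and ends outside the hunk.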