mirror of
https://github.com/silverstripe/silverstripe-cms
Clearer escaping in CMSMain
No direct security issue, but makes intent clearer
parent
ec9c15917d
commit
f477983bff
@ -783,13 +783,21 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
|
|||||||
if($num) {
|
if($num) {
|
||||||
return sprintf(
|
return sprintf(
|
||||||
'<a class="cms-panel-link list-children-link" data-pjax-target="ListViewForm,Breadcrumbs" href="%s">%s</a>',
|
'<a class="cms-panel-link list-children-link" data-pjax-target="ListViewForm,Breadcrumbs" href="%s">%s</a>',
|
||||||
Controller::join_links($controller->Link(), "?ParentID={$item->ID}&view=list"),
|
Controller::join_links(
|
||||||
|
$controller->Link(),
|
||||||
|
sprintf("?ParentID=%d&view=list", (int)$item->ID)
|
||||||
|
),
|
||||||
$num
|
$num
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
'getTreeTitle' => function($value, &$item) use($controller) {
|
'getTreeTitle' => function($value, &$item) use($controller) {
|
||||||
return '<a class="action-detail" href="' . singleton('CMSPageEditController')->Link('show') . '/' . $item->ID . '">' . $item->TreeTitle . '</a>';
|
return sprintf(
|
||||||
|
'<a class="action-detail" href="%s/%d">%s</a>',
|
||||||
|
singleton('CMSPageEditController')->Link('show'),
|
||||||
|
(int)$item->ID,
|
||||||
|
$item->TreeTitle // returns HTML, does its own escaping
|
||||||
|
);
|
||||||
}
|
}
|
||||||
));
|
));
|
||||||
|
|
||||||
|
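Review bot: Both `href` values are still written into the attribute without HTML attribute encoding: the integer cast covers only the ID, while the output of `Controller::join_links(...)` (which carries a raw `&` before `view=list`) and of `singleton('CMSPageEditController')->Link('show')` goes into `%s` as-is. If the aim is to make the escaping intent explicit, encode each URL at the point of output, e.g. `Convert::raw2att(Controller::join_links($controller->Link(), sprintf("?ParentID=%d&view=list", (int)$item->ID)))`, so the markup does not depend on `Link()` never returning attribute-breaking characters. `$num` is also emitted through `%s`; its assignment lies above the hunk, so if it is a child count, `%d` would match the treatment of the ID. The `// returns HTML, does its own escaping` comment on `TreeTitle` records a trust assumption, and any subclass or extension that overrides it presumably inherits the obligation to escape, which is worth stating where `TreeTitle` is defined.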