Merge pull request #201 from silverstripe/pulls/2.0/escape-panel-keys

FIX Ensure actions panel keys and values have possible HTML escaped
2017-12-06 14:01:31 +13:00 · 2017-12-06 14:01:31 +13:00 · 82a8a4b142
parent b7aaadf7bb 0e84799f59
commit 82a8a4b142
1 changed files with 3 additions and 0 deletions
--- a/code/model/DMSDocument.php
+++ b/code/model/DMSDocument.php
@ -1320,6 +1320,9 @@ class DMSDocument extends DataObject implements DMSDocumentInterface
            . '<ul>';

        foreach ($this->actionTasks as $panelKey => $title) {
+            $panelKey = Convert::raw2xml($panelKey);
+            $title = Convert::raw2xml($title);
+
            $html .= '<li class="ss-ui-button dmsdocument-action" data-panel="' . $panelKey . '">'
                . _t('DMSDocument.ACTION_' . strtoupper($panelKey), $title)
                . '</li>';