FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007)

2024-10-22 14:05:37 +02:00 · 2013-09-24 10:45:55 +02:00 · 2013-09-24 10:45:55 +02:00 · 78ce99be09
commit 78ce99be09
parent 477c3c9de6
3 changed files with 14 additions and 2 deletions
--- a/admin/code/SecurityAdmin.php
+++ b/admin/code/SecurityAdmin.php
@ -83,7 +83,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		));
 		$columns->setFieldFormatting(array(
 			'Breadcrumbs' => function($val, $item) {
-				return $item->getBreadcrumbs(' > ');
+				return Convert::raw2xml($item->getBreadcrumbs(' > '));
 			}
 		));

--- a/docs/en/changelogs/rc/3.1.0-rc3.md
+++ b/docs/en/changelogs/rc/3.1.0-rc3.md
@ -0,0 +1,7 @@
+# 3.1.0-rc3
+
+## Overview
+
+### Security: XSS in CMS "Security" section (SS-2013-007)
+
+See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
--- a/forms/gridfield/GridFieldDataColumns.php
+++ b/forms/gridfield/GridFieldDataColumns.php
@ -95,11 +95,16 @@ class GridFieldDataColumns implements GridField_ColumnProvider {

 	/**
 	 * Specify custom formatting for fields, e.g. to render a link instead of pure text.
+	 * 
 	 * Caution: Make sure to escape special php-characters like in a normal php-statement.
 	 * Example:	"myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
+	 * 
 	 * Alternatively, pass a anonymous function, which takes two parameters:
 	 * The value and the original list item.
 	 *
+	 * Formatting is applied after field casting, so if you're modifying the string
+	 * to include further data through custom formatting, ensure it's correctly escaped.
+	 *
 	 * @param array $formatting
 	 */
 	public function setFieldFormatting($formatting) {