FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007)

This commit is contained in:
Ingo Schommer 2013-09-24 10:45:55 +02:00
parent 477c3c9de6
commit 78ce99be09
3 changed files with 14 additions and 2 deletions


@ -83,7 +83,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
));
$columns->setFieldFormatting(array(
'Breadcrumbs' => function($val, $item) {
return $item->getBreadcrumbs(' > ');
return Convert::raw2xml($item->getBreadcrumbs(' > '));
}
));
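Review bot: The escaping added on the `return Convert::raw2xml(...)` line is the right fix for HTML text context, but nothing at the call site records why it is there, so the next formatter added to this `setFieldFormatting` array is likely to return raw text again; a one-line comment above the closure such as `// Group titles are user-supplied; escape before rendering as HTML (SS-2013-007)` would make the requirement visible. Convert::raw2xml will presumably also entity-encode the `' > '` separator, which is harmless in HTML but worth knowing if this column is ever consumed as plain text. The `$val` parameter is unused because the closure formats `$item->getBreadcrumbs()` rather than the cast column value, so the escaping depends entirely on this closure and not on field casting. Only the Breadcrumbs formatter is visible here; any sibling formatters in the same array would need the same treatment. The enclosing method starts and ends outside the hunk.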


@ -0,0 +1,7 @@
# 3.1.0-rc3
## Overview
### Security: XSS in CMS "Security" section (SS-2013-007)
See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)


@ -95,10 +95,15 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
/**
* Specify custom formatting for fields, e.g. to render a link instead of pure text.
*
* Caution: Make sure to escape special php-characters like in a normal php-statement.
* Example: "myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
*
* Alternatively, pass a anonymous function, which takes two parameters:
* The value and the original list item.
* The value and the original list item.
*
* Formatting is applied after field casting, so if you're modifying the string
* to include further data through custom formatting, ensure it's correctly escaped.
*
* @param array $formatting
*/