Merge pull request #2451 from chillu/pulls/escape-2.4

Escaping 2.4
Simon Welsh 2013-09-24 12:41:00 -07:00
commit c504fe0beb
4 changed files with 25 additions and 2 deletions


@ -13,3 +13,12 @@ See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-
### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005) ### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/) See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)
## Changelog
### Bugfixes
* 2013-08-30 [a914dee] Disallow permissions assign for APPLY_ROLES (SS-2013-005) (Ingo Schommer)
* 2013-08-30 [6543b4e](https://github.com/silverstripe/silverstripe-cms/commit/6543b4e) Privilege escalation through Group and Member CSV upload (SS-2013-004) (Ingo Schommer)
* 2013-08-30 [ec8e826] Privilege escalation through APPLY_ROLES assignment (SS-2013-005) (Ingo Schommer)
* 2013-08-30 [7979515] Privilege escalation through Group hierarchy setting (SS-2013-003) (Ingo Schommer)


@ -137,6 +137,10 @@ class Form extends RequestHandler {
*/ */
protected $extraClasses = array(); protected $extraClasses = array();
public static $casting = array(
'Message' => 'Text'
);
/** /**
* Create a new form, with the given fields an action buttons. * Create a new form, with the given fields an action buttons.
* *
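Review bot: The new `$casting` entry has no comment explaining why `Message` is cast to `Text`, and an unexplained line like this is exactly what a later maintainer drops when an HTML status message stops rendering. I would add above it: `// Escape form messages by default: validation messages may embed user-submitted values, so templates must not emit $Message raw.` As far as I can tell the cast only applies when the message is read through the template/ViewableData layer, so PHP code that calls `$this->Message()` and concatenates it into markup still has to escape it itself. Sites that deliberately pass markup to `setMessage()` will now see it escaped, which deserves a line in the changelog. The enclosing class starts outside this hunk.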


@ -73,6 +73,10 @@ class FormField extends RequestHandler {
*/ */
protected $customValidationMessage = ""; protected $customValidationMessage = "";
public static $casting = array(
'Message' => 'Text'
);
/** /**
* Create a new field. * Create a new field.
* @param name The internal field name, passed to forms. * @param name The internal field name, passed to forms.
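Review bot: If the parent class declares its own `$casting` static (ViewableData does in this release, as far as I recall), it is worth confirming that the casting lookup merges statics up the hierarchy rather than reading only the uninherited array, otherwise this declaration replaces the inherited entries instead of adding `Message` to them. The new static also needs a why-comment, e.g. `// Field messages (validation errors) may quote submitted values; cast to Text so $Message is escaped in the field holder template.` Subclasses that assemble their holder markup in PHP instead of through a template would get no benefit from the cast and still need `Convert::raw2xml` on `$this->Message()` — I cannot see from here whether any do. The enclosing class starts outside this hunk.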


@ -233,8 +233,14 @@ class TreeDropdownField extends FormField {
} }
} }
if($obj->escapeTypeForField($this->labelField) == 'xml') {
$labelFieldEval = '$child->' . $this->labelField;
} else {
$labelFieldEval = 'Convert::raw2xml($child->' . $this->labelField . ')';
}
$eval = '"<li id=\"selector-' . $this->Name() . '-{$child->' . $this->keyField . '}\" class=\"$child->class"' . $eval = '"<li id=\"selector-' . $this->Name() . '-{$child->' . $this->keyField . '}\" class=\"$child->class"' .
' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"'; ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . ' . $labelFieldEval . ' . "</a>"';
if($isSubTree) { if($isSubTree) {
return substr(trim($obj->getChildrenAsUL('', $eval, null, true)), 4, -5); return substr(trim($obj->getChildrenAsUL('', $eval, null, true)), 4, -5);
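Review bot: The value of `$this->keyField` is still interpolated unescaped into the `id` attribute on the first `$eval` line, while only the label receives the new `Convert::raw2xml` treatment; if keyField can be set to something other than ID (it looks like a constructor parameter, to confirm), a string key would reach the markup raw. I would escape it the same way the label now is: `$eval = '"<li id=\"selector-' . $this->Name() . '-" . Convert::raw2xml($child->' . $this->keyField . ') . "\" class=\"$child->class"' .`. Since `$labelFieldEval` is spliced into source that `getChildrenAsUL` presumably evaluates, a comment above the new block is also worth adding: `// labelField/keyField are developer-set names spliced into eval'd code; never take them from request data.` The `escapeTypeForField` check is made on `$obj` but applied to every `$child`, which assumes the children share its field definitions. The enclosing method starts and ends outside this hunk.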