commit
c504fe0beb
@ -13,3 +13,12 @@ See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-
|
||||
### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
|
||||
|
||||
See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)
|
||||
|
||||
## Changelog
|
||||
|
||||
### Bugfixes
|
||||
|
||||
* 2013-08-30 [a914dee] Disallow permissions assign for APPLY_ROLES (SS-2013-005) (Ingo Schommer)
|
||||
* 2013-08-30 [6543b4e](https://github.com/silverstripe/silverstripe-cms/commit/6543b4e) Privilege escalation through Group and Member CSV upload (SS-2013-004) (Ingo Schommer)
|
||||
* 2013-08-30 [ec8e826] Privilege escalation through APPLY_ROLES assignment (SS-2013-005) (Ingo Schommer)
|
||||
* 2013-08-30 [7979515] Privilege escalation through Group hierarchy setting (SS-2013-003) (Ingo Schommer)
|
@ -137,6 +137,10 @@ class Form extends RequestHandler {
|
||||
*/
|
||||
protected $extraClasses = array();
|
||||
|
||||
public static $casting = array(
|
||||
'Message' => 'Text'
|
||||
);
|
||||
|
||||
/**
|
||||
* Create a new form, with the given fields an action buttons.
|
||||
*
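Review bot: The new `public static $casting` entry has no doc comment, so nothing records that `'Message' => 'Text'` is there to have form messages escaped on output. I would add `/** Cast Message as Text so it is XML-escaped when rendered; untrusted parts of a message must never reach the template as raw markup. */` above it. Any caller that currently passes HTML in a message (a link in a validation error, say) will presumably now see it rendered as literal text, which deserves a line in the changelog. The same applies to the identical addition in the FormField hunk. The Form class body continues outside this hunk.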
|
||||
|
@ -73,6 +73,10 @@ class FormField extends RequestHandler {
|
||||
*/
|
||||
protected $customValidationMessage = "";
|
||||
|
||||
public static $casting = array(
|
||||
'Message' => 'Text'
|
||||
);
|
||||
|
||||
/**
|
||||
* Create a new field.
|
||||
* @param name The internal field name, passed to forms.
|
||||
|
@ -233,8 +233,14 @@ class TreeDropdownField extends FormField {
|
||||
}
|
||||
}
|
||||
|
||||
if($obj->escapeTypeForField($this->labelField) == 'xml') {
|
||||
$labelFieldEval = '$child->' . $this->labelField;
|
||||
} else {
|
||||
$labelFieldEval = 'Convert::raw2xml($child->' . $this->labelField . ')';
|
||||
}
|
||||
|
||||
$eval = '"<li id=\"selector-' . $this->Name() . '-{$child->' . $this->keyField . '}\" class=\"$child->class"' .
|
||||
' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"';
|
||||
' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . ' . $labelFieldEval . ' . "</a>"';
|
||||
|
||||
if($isSubTree) {
|
||||
return substr(trim($obj->getChildrenAsUL('', $eval, null, true)), 4, -5);
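Review bot: The escape decision on the new `if($obj->escapeTypeForField($this->labelField) == 'xml')` line is taken once from `$obj`, while the label that gets printed is read from each `$child`, so a child whose class casts that field differently could still have a plain-text label emitted unescaped inside the `<a>` element. Deciding per child, for example by generating a call that asks `$child` for its own escape type, would keep the check and the value on the same object. The `$eval` string also still places `$this->Name()` and the key-field value in the `id` attribute without attribute escaping; wrapping the name as `Convert::raw2att($this->Name())` looks like the matching fix there. The enclosing method begins and ends outside this hunk, so the relation between `$obj` and the children is inferred from the visible lines only.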
|
||||
|