mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-09-28 20:29:15 +02:00
Don't link record in GridField form message
This is no longer allowed through Form->sessionMessage(), to avoid XSS.
parent
298de5a67d
commit
deadc154ca
@ -508,9 +508,11 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
|
||||
|
||||
// TODO Save this item into the given relationship
|
||||
|
||||
$link = '<a href="' . $this->Link('edit') . '">"'
|
||||
. htmlspecialchars($this->record->Title, ENT_QUOTES)
|
||||
. '"</a>';
|
||||
// TODO Allow HTML in form messages
|
||||
// $link = '<a href="' . $this->Link('edit') . '">"'
|
||||
// . htmlspecialchars($this->record->Title, ENT_QUOTES)
|
||||
// . '"</a>';
|
||||
$link = '"' . $this->record->Title . '"';
|
||||
$message = _t(
|
||||
'GridFieldDetailForm.Saved',
|
||||
'Saved {name} {link}',
|
||||
|
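Review bot: The new `$link = '"' . $this->record->Title . '"';` line concatenates the record title with no escaping, so the message is only safe if every path that renders it escapes the text on output. The commit description implies Form->sessionMessage() now does that, but that code is not visible here, so the dependency should be stated at the assignment, e.g. `// Title is intentionally raw: the form message is escaped on output by Form->sessionMessage()`, and it is worth confirming that `$message` is not reused in any HTML context later in the method. The three commented-out lines could be dropped in favour of the TODO alone, since the old markup remains in history. The enclosing method and the `_t()` call continue outside the lines shown.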