Merge pull request #2453 from chillu/pulls/escape-3.1.0

Escaping 3.1
Ingo Schommer 2013-09-25 16:02:45 -07:00
commit debd81d380
6 changed files with 56 additions and 8 deletions


@ -84,7 +84,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
)); ));
$columns->setFieldFormatting(array( $columns->setFieldFormatting(array(
'Breadcrumbs' => function($val, $item) { 'Breadcrumbs' => function($val, $item) {
return $item->getBreadcrumbs(' > '); return Convert::raw2xml($item->getBreadcrumbs(' > '));
} }
)); ));
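Review bot: The new `Convert::raw2xml` wrapper on the Breadcrumbs formatter carries no comment saying why this formatter output needs escaping, and the callback is the only place a reader would look; add `// Formatter output is rendered unescaped, so escape user-controlled titles (SS-2013-007)` above the return. Note that the `' > '` separator is escaped along with the titles and renders as `&gt;`, which is correct for HTML, but if getBreadcrumbs ever returns already-escaped titles they would be double-encoded — worth confirming against that method. The enclosing method starts and ends outside the hunk.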


@ -0,0 +1,21 @@
# 3.1.0-rc3
## Overview
### Security: XSS in CMS "Security" section (SS-2013-007)
See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
### Security: XSS in form validation errors (SS-2013-008)
See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
### Security: XSS in CMS "Pages" section (SS-2013-009)
See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
### API: Form validation message no longer allow HTML
Due to cross-site scripting concerns when user data is used for form messages,
it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
in the `FormField->validate()` API.


@ -155,6 +155,10 @@ class Form extends RequestHandler {
'forTemplate', 'forTemplate',
); );
private static $casting = array(
'Message' => 'Text'
);
/** /**
* Create a new form, with the given fields an action buttons. * Create a new form, with the given fields an action buttons.
* *
@ -491,7 +495,7 @@ class Form extends RequestHandler {
} }
/** /**
* Add an error message to a field on this form. It will be saved into the session * Add a plain text error message to a field on this form. It will be saved into the session
* and used the next time this form is displayed. * and used the next time this form is displayed.
*/ */
public function addErrorMessage($fieldName, $message, $messageType) { public function addErrorMessage($fieldName, $message, $messageType) {
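Review bot: The docblock on addErrorMessage now promises plain text, but nothing in the hunk says where that is enforced: the new `$casting` entry escapes `$Message` only when it is rendered through a template as Text, so PHP code that echoes the message directly is presumably still unescaped — confirm. Document that on the method, e.g. `@param string $message Plain text; HTML is escaped on template output via the 'Text' casting`. The same `$casting` addition appears in the FormField hunk below and would benefit from a one-line comment naming the advisory it addresses (SS-2013-008 per the changelog). addErrorMessage's body continues outside the hunk.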


@ -93,6 +93,10 @@ class FormField extends RequestHandler {
*/ */
protected $attributes = array(); protected $attributes = array();
private static $casting = array(
'Message' => 'Text'
);
/** /**
* Takes a fieldname and converts camelcase to spaced * Takes a fieldname and converts camelcase to spaced
* words. Also resolves combined fieldnames with dot syntax * words. Also resolves combined fieldnames with dot syntax


@ -269,9 +269,23 @@ class TreeDropdownField extends FormField {
$obj->markToExpose($this->objectForKey($value)); $obj->markToExpose($this->objectForKey($value));
} }
} }
$eval = '"<li id=\"selector-' . $this->getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->'
. $this->keyField . '\" class=\"class-$child->class"' $self = $this;
. ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"'; $escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');
$titleFn = function(&$child) use(&$self, $escapeLabelField) {
$keyField = $self->keyField;
$labelField = $self->labelField;
return sprintf(
'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
Convert::raw2xml($self->getName()),
Convert::raw2xml($child->$keyField),
Convert::raw2xml($child->$keyField),
Convert::raw2xml($child->class),
Convert::raw2xml($child->markingClasses()),
(int)$child->ID,
$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField
);
};
// Limit the amount of nodes shown for performance reasons. // Limit the amount of nodes shown for performance reasons.
// Skip the check if we're filtering the tree, since its not clear how many children will // Skip the check if we're filtering the tree, since its not clear how many children will
@ -294,7 +308,7 @@ class TreeDropdownField extends FormField {
if($isSubTree) { if($isSubTree) {
$html = $obj->getChildrenAsUL( $html = $obj->getChildrenAsUL(
"", "",
$eval, $titleFn,
null, null,
true, true,
$this->childrenMethod, $this->childrenMethod,
@ -307,7 +321,7 @@ class TreeDropdownField extends FormField {
} else { } else {
$html = $obj->getChildrenAsUL( $html = $obj->getChildrenAsUL(
'class="tree"', 'class="tree"',
$eval, $titleFn,
null, null,
true, true,
$this->childrenMethod, $this->childrenMethod,
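Review bot: `$self` is captured by reference in `use(&$self, $escapeLabelField)` although the closure never reassigns it; an object handle captured by value behaves the same and avoids the aliasing, so `$titleFn = function(&$child) use($self, $escapeLabelField) {`. The decision `$escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');` is made once from `$obj`'s field type and then applied to every `$child`, and when it is false the label is emitted raw — presumably intended for HTML-typed fields, but confirm that children share `$obj`'s class, and use `!==` for the comparison either way. The per-attribute `Convert::raw2xml` calls and the `(int)$child->ID` cast are the right shape; a comment such as `// Tree node data is user-controlled; escape every interpolated value` above the sprintf would help the next reader. The enclosing method starts before and ends after this hunk.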


@ -95,11 +95,16 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
/** /**
* Specify custom formatting for fields, e.g. to render a link instead of pure text. * Specify custom formatting for fields, e.g. to render a link instead of pure text.
*
* Caution: Make sure to escape special php-characters like in a normal php-statement. * Caution: Make sure to escape special php-characters like in a normal php-statement.
* Example: "myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'. * Example: "myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
*
* Alternatively, pass a anonymous function, which takes two parameters: * Alternatively, pass a anonymous function, which takes two parameters:
* The value and the original list item. * The value and the original list item.
* *
* Formatting is applied after field casting, so if you're modifying the string
* to include further data through custom formatting, ensure it's correctly escaped.
*
* @param array $formatting * @param array $formatting
*/ */
public function setFieldFormatting($formatting) { public function setFieldFormatting($formatting) {
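Review bot: The added paragraph tells implementers to "ensure it's correctly escaped" but not how; the SecurityAdmin hunk in this commit shows the intended pattern, so name it: `* to include further data through custom formatting, escape it yourself (e.g. Convert::raw2xml()),` followed by `* since the formatter's return value is presumably inserted into the column markup as-is.` The older example `'<a href=\"custom-admin/$ID\">$ID</a>'` still interpolates `$ID` straight into markup with no hint whether substituted values are escaped, which is worth a clarifying word in the same docblock. The method body continues outside the hunk.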