FIX Auto-escape titles in TreeDropdownField

Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
Ingo Schommer 2013-09-24 12:59:05 +02:00
parent 78ce99be09
commit f3ef04a432
2 changed files with 24 additions and 6 deletions


@ -5,3 +5,7 @@
### Security: XSS in CMS "Security" section (SS-2013-007) ### Security: XSS in CMS "Security" section (SS-2013-007)
See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/) See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
### Security: XSS in CMS "Pages" section (SS-2013-009)
See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)


@ -265,9 +265,23 @@ class TreeDropdownField extends FormField {
$obj->markToExpose($this->objectForKey($value)); $obj->markToExpose($this->objectForKey($value));
} }
} }
$eval = '"<li id=\"selector-' . $this->getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->'
. $this->keyField . '\" class=\"class-$child->class"' $self = $this;
. ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"'; $escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');
$titleFn = function(&$child) use(&$self, $escapeLabelField) {
$keyField = $self->keyField;
$labelField = $self->labelField;
return sprintf(
'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
Convert::raw2xml($self->getName()),
Convert::raw2xml($child->$keyField),
Convert::raw2xml($child->$keyField),
Convert::raw2xml($child->class),
Convert::raw2xml($child->markingClasses()),
(int)$child->ID,
$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField
);
};
// Limit the amount of nodes shown for performance reasons. // Limit the amount of nodes shown for performance reasons.
// Skip the check if we're filtering the tree, since its not clear how many children will // Skip the check if we're filtering the tree, since its not clear how many children will
@ -290,7 +304,7 @@ class TreeDropdownField extends FormField {
if($isSubTree) { if($isSubTree) {
$html = $obj->getChildrenAsUL( $html = $obj->getChildrenAsUL(
"", "",
$eval, $titleFn,
null, null,
true, true,
$this->childrenMethod, $this->childrenMethod,
@ -303,7 +317,7 @@ class TreeDropdownField extends FormField {
} else { } else {
$html = $obj->getChildrenAsUL( $html = $obj->getChildrenAsUL(
'class="tree"', 'class="tree"',
$eval, $titleFn,
null, null,
true, true,
$this->childrenMethod, $this->childrenMethod,
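Review bot: In the first hunk the escape decision is taken once, from `$obj->escapeTypeForField($this->labelField)` on the object the tree is built from, and then applied to every `$child`, so a node whose class casts the label field differently from that object would be escaped on the wrong rule; if the tree can contain mixed classes, evaluate it per node inside the closure with `$escape = ($child->escapeTypeForField($labelField) != 'xml');` and drop the captured `$escapeLabelField`. The `!= 'xml'` comparison does at least fail safe: any unknown or missing casting still goes through `Convert::raw2xml`. The by-reference `use(&$self, ...)` capture and the `&$child` parameter are unnecessary since neither is written to; `use($self, $escapeLabelField)` and `function($child)` say what is meant. The enclosing method begins before the hunk and continues past it.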