mirror of
https://github.com/silverstripe/silverstripe-reports
synced 2024-10-22 11:05:53 +02:00
Clearer escaping in ReportAdmin
No direct security issue since report titles can't be set by the user
parent
29e502a63a
commit
79996a76fe
@ -166,7 +166,13 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
|
||||
'title' => _t('ReportAdmin.ReportTitle', 'Title'),
|
||||
));
|
||||
$columns->setFieldFormatting(array(
|
||||
'title' => '<a href=\"$Link\" class=\"cms-panel-link\">$value</a>'
|
||||
'title' => function($value, &$item) {
|
||||
return sprintf(
|
||||
'<a href=\"%s\" class=\"cms-panel-link\">%s</a>',
|
||||
Convert::raw2xml($item->Link),
|
||||
Convert::raw2xml($value)
|
||||
);
|
||||
}
|
||||
));
|
||||
$gridField->addExtraClass('all-reports-gridfield');
|
||||
$fields->push($gridField);
|
||||
|
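Review bot: The format string in the new `title` closure keeps the `\"` sequences from the old template, but in a single-quoted PHP literal passed to `sprintf` they are a literal backslash followed by a quote. Unless something downstream strips the backslashes (not visible here), the anchor is emitted as `<a href=\"…\" class=\"cms-panel-link\">`. A browser reads that as an unquoted attribute value, which breaks the link and weakens the escaping this commit adds, because `Convert::raw2xml` does not neutralise whitespace, which ends an unquoted value. The literal should be `'<a href="%s" class="cms-panel-link">%s</a>'`, and the same applies to `'<a href=\"%s\">%s</a>'` in the SS_Report hunk. The enclosing method starts and ends outside this hunk.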
@ -301,8 +301,13 @@ class SS_Report extends ViewableData {
|
||||
if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
|
||||
|
||||
if(isset($info['link']) && $info['link']) {
|
||||
$link = singleton('CMSPageEditController')->Link('show');
|
||||
$fieldFormatting[$source] = '<a href=\"' . $link . '/$ID\">$value</a>';
|
||||
$fieldFormatting[$source] = function($value, &$item) {
|
||||
return sprintf(
|
||||
'<a href=\"%s\">%s</a>',
|
||||
Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID),
|
||||
Convert::raw2xml($value)
|
||||
);
|
||||
};
|
||||
}
|
||||
|
||||
$displayFields[$source] = isset($info['title']) ? $info['title'] : $source;
|
||||
|
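Review bot: The href argument in the new closure, `Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID)`, is placed in the attribute without `Convert::raw2xml`, whereas the link text here and the href in the ReportAdmin hunk are both escaped. `$item->ID` is presumably an integer, but a joined link can contain `&` or other characters that need encoding inside an attribute, so `Convert::raw2xml(Controller::join_links(...))` would keep the two formatters consistent. The closure also resolves the singleton for every row; computing the base link once and capturing it with `use ($link)` would avoid that. The surrounding loop and method begin and end outside this hunk.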