From a5d9958f8c264b93ee42b161fbab16de39592236 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Tue, 24 Sep 2013 12:11:13 +0200
Subject: [PATCH] Clearer escaping in ReportAdmin

No direct security issue since report titles can't be set by the user
---
 code/controllers/ReportAdmin.php | 8 +++++++-
 code/reports/Report.php | 9 +++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/code/controllers/ReportAdmin.php b/code/controllers/ReportAdmin.php
index 55b128a8..05fb82c3 100644
--- a/code/controllers/ReportAdmin.php
+++ b/code/controllers/ReportAdmin.php
@@ -164,7 +164,13 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 'title' => _t('ReportAdmin.ReportTitle', 'Title'),
 ));
 $columns->setFieldFormatting(array(
- 'title' => '$value'
+ 'title' => function($value, &$item) {
+ return sprintf(
+ '%s',
+ Convert::raw2xml($item->Link),
+ Convert::raw2xml($value)
+ );
+ }
 ));
 $gridField->addExtraClass('all-reports-gridfield');
 $fields->push($gridField);
diff --git a/code/reports/Report.php b/code/reports/Report.php
index a76b93b4..85b1f03a 100644
--- a/code/reports/Report.php
+++ b/code/reports/Report.php
@@ -282,8 +282,13 @@ class SS_Report extends ViewableData {
 if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
 if(isset($info['link']) && $info['link']) {
- $link = singleton('CMSPageEditController')->Link('show');
- $fieldFormatting[$source] = '$value';
+ $fieldFormatting[$source] = function($value, &$item) {
+ return sprintf(
+ '%s',
+ Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID),
+ Convert::raw2xml($value)
+ );
+ };
 }
 $displayFields[$source] = isset($info['title']) ? $info['title'] : $source;
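Review bot: The new `'title'` formatter in ReportAdmin.php escapes `$item->Link` with `Convert::raw2xml`, which stops quote and angle-bracket breakouts inside the attribute but does nothing about the URL scheme, so the closure is safe only because `Link` is produced by report classes rather than by users, as the commit message states; that assumption belongs in a comment above the closure, e.g. `// Link and title originate from SS_Report subclasses, not user input; raw2xml only prevents markup injection, not unsafe URL schemes`. As rendered here the format string is `'%s'` while two arguments are passed to `sprintf`, which PHP accepts silently by discarding the surplus argument and would emit the title as plain text with no link at all; if the anchor markup was merely lost in extraction this is moot, but the committed string should be checked to contain a placeholder for both the href and the text. The Report.php hunk builds its href from `$item->ID` through `Controller::join_links` without passing it through `Convert::raw2xml`, so the two formatters introduced by this commit do not follow the same escaping convention, and applying `raw2xml` to that URL as well would keep them uniform. The method that calls `setFieldFormatting` starts and ends outside this hunk.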