Clearer escaping in ReportAdmin

No direct security issue since report titles can't be set by the user
This commit is contained in:
Ingo Schommer 2013-09-24 12:11:13 +02:00
parent aee0381663
commit a5d9958f8c
2 changed files with 14 additions and 3 deletions


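--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -164,7 +164,13 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 'title' => _t('ReportAdmin.ReportTitle', 'Title'),
 ));
 $columns->setFieldFormatting(array(
-'title' => '<a href=\"$Link\" class=\"cms-panel-link\">$value</a>'
+'title' => function($value, &$item) {
+return sprintf(
+'<a href=\"%s\" class=\"cms-panel-link\">%s</a>',
+Convert::raw2xml($item->Link),
+Convert::raw2xml($value)
+);
+}
 ));
 $gridField->addExtraClass('all-reports-gridfield');
 $fields->push($gridField);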
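Review bot: The new formatter closure declares `&$item` by reference although it only reads `$item->Link`; the reference serves no purpose, and if the grid column code invokes the formatter through `call_user_func` rather than calling it directly, PHP warns that a value was given where a reference was expected — `'title' => function($value, $item) {` is sufficient. `Convert::raw2xml` is the right tool for the markup contexts here (provided it escapes quotes as well as angle brackets, which it must for the href attribute), but it does not constrain the URL itself, so the safety of the link rests on `$item->Link` being generated by the report class; the commit message states this for titles, and it is worth recording at the call site, e.g. `// Link and title originate from report definitions, not user input; raw2xml escapes markup only`. The same `&$item` signature is used by the SS_Report formatter in the second hunk, whose surrounding lines extend beyond this page.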


@ -282,8 +282,13 @@ class SS_Report extends ViewableData {
if(isset($info['casting'])) $fieldCasting[$source] = $info['casting']; if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
if(isset($info['link']) && $info['link']) { if(isset($info['link']) && $info['link']) {
$link = singleton('CMSPageEditController')->Link('show'); $fieldFormatting[$source] = function($value, &$item) {
$fieldFormatting[$source] = '<a href=\"' . $link . '/$ID\">$value</a>'; return sprintf(
'<a href=\"%s\">%s</a>',
Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID),
Convert::raw2xml($value)
);
};
} }
$displayFields[$source] = isset($info['title']) ? $info['title'] : $source; $displayFields[$source] = isset($info['title']) ? $info['title'] : $source;