mirror of
https://github.com/silverstripe/silverstripe-reports
synced 2024-10-22 11:05:53 +02:00
Clearer escaping in ReportAdmin
No direct security issue since report titles can't be set by the user
parent
aee0381663
commit
a5d9958f8c
@ -164,7 +164,13 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
|
|||||||
'title' => _t('ReportAdmin.ReportTitle', 'Title'),
|
'title' => _t('ReportAdmin.ReportTitle', 'Title'),
|
||||||
));
|
));
|
||||||
$columns->setFieldFormatting(array(
|
$columns->setFieldFormatting(array(
|
||||||
'title' => '<a href=\"$Link\" class=\"cms-panel-link\">$value</a>'
|
'title' => function($value, &$item) {
|
||||||
|
return sprintf(
|
||||||
|
'<a href=\"%s\" class=\"cms-panel-link\">%s</a>',
|
||||||
|
Convert::raw2xml($item->Link),
|
||||||
|
Convert::raw2xml($value)
|
||||||
|
);
|
||||||
|
}
|
||||||
));
|
));
|
||||||
$gridField->addExtraClass('all-reports-gridfield');
|
$gridField->addExtraClass('all-reports-gridfield');
|
||||||
$fields->push($gridField);
|
$fields->push($gridField);
|
||||||
|
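Review bot: The format string given to `sprintf` in the new `'title'` closure is single-quoted, so the `\"` sequences are not escapes and the backslashes are emitted literally; the output becomes `<a href=\"…\" class=\"cms-panel-link\">`, which a browser treats as unquoted attribute values. That undercuts the escaping this commit adds, because entity-encoding alone does not confine a value inside an unquoted attribute (whitespace ends it). The backslashes were presumably only needed while the formatter was a string template; in the closure use plain quotes, `'<a href="%s" class="cms-panel-link">%s</a>'`, and consider `Convert::raw2att($item->Link)` for the attribute value. The same literal `\"` appears in the `SS_Report` hunk's `'<a href=\"%s\">%s</a>'`.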
@ -282,8 +282,13 @@ class SS_Report extends ViewableData {
|
|||||||
if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
|
if(isset($info['casting'])) $fieldCasting[$source] = $info['casting'];
|
||||||
|
|
||||||
if(isset($info['link']) && $info['link']) {
|
if(isset($info['link']) && $info['link']) {
|
||||||
$link = singleton('CMSPageEditController')->Link('show');
|
$fieldFormatting[$source] = function($value, &$item) {
|
||||||
$fieldFormatting[$source] = '<a href=\"' . $link . '/$ID\">$value</a>';
|
return sprintf(
|
||||||
|
'<a href=\"%s\">%s</a>',
|
||||||
|
Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID),
|
||||||
|
Convert::raw2xml($value)
|
||||||
|
);
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
$displayFields[$source] = isset($info['title']) ? $info['title'] : $source;
|
$displayFields[$source] = isset($info['title']) ? $info['title'] : $source;
|
||||||
|
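Review bot: The `href` argument in the new closure, `Controller::join_links(singleton('CMSPageEditController')->Link('show'), $item->ID)`, goes into `sprintf` unescaped, while the link text is passed through `Convert::raw2xml` and the `ReportAdmin` closure escapes both values. Escaping it as well keeps the two formatters consistent and does not rely on `ID` always being numeric: `Convert::raw2att(Controller::join_links($link, $item->ID))`. The controller link is also now resolved for every row inside the closure; keeping the removed `$link = singleton('CMSPageEditController')->Link('show');` line and capturing it with `function($value, &$item) use ($link)` would avoid the repeated lookup. The enclosing method starts and ends outside the hunk.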