tonyair/silverstripe-subsites
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-subsites synced 2024-10-22 09:05:55 +00:00
Code Issues Projects Releases Wiki Activity

Security: XSS can be injected in the group edit view

Browse Source
This commit is contained in:
Stig Lindqvist 2014-07-31 09:51:06 +12:00
parent 205754854c
commit bd5bd877fd
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
code/extensions/GroupSubsites.php
View File

@ -55,6 +55,9 @@ class GroupSubsites extends DataExtension implements PermissionProvider {
$subsites = Subsite::accessible_sites(array('ADMIN', 'SECURITY_SUBSITE_GROUP'), true);
$subsiteMap = $subsites->map();
// Prevent XSS injection
$subsiteMap = Convert::raw2xml($subsiteMap);
// Interface is different if you have the rights to modify subsite group values on
// all subsites

2
code/extensions/SiteTreeSubsites.php
View File

@ -65,7 +65,7 @@ class SiteTreeSubsites extends DataExtension {
if($subsites && $subsites->Count()) {
$subsitesMap = $subsites->map('ID', 'Title');
unset($subsitesMap[$this->owner->SubsiteID]);
}
}
// Master page edit field (only allowed from default subsite to avoid inconsistent relationships)
$isDefaultSubsite = $this->owner->SubsiteID == 0 || $this->owner->Subsite()->DefaultSite;