Merge pull request #151 from stojg/pull/prevent-xss-attacks

Security: XSS can be injected in the group edit view
Sean Harvey 2014-08-01 10:51:38 +12:00
commit ccf125a4d6
2 changed files with 4 additions and 1 deletions


@ -56,6 +56,9 @@ class GroupSubsites extends DataExtension implements PermissionProvider {
$subsites = Subsite::accessible_sites(array('ADMIN', 'SECURITY_SUBSITE_GROUP'), true);
$subsiteMap = $subsites->map();
// Prevent XSS injection
$subsiteMap = Convert::raw2xml($subsiteMap);
// Interface is different if you have the rights to modify subsite group values on
// all subsites
if(isset($subsiteMap[0])) {
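Review bot: Escaping the whole map with `Convert::raw2xml` at the data layer (the added line after `// Prevent XSS injection`) stops the injection for this view, but it moves escaping away from the point of output: any consumer of `$subsiteMap` that already escapes on render (a field template or a `.XML` cast) will double-encode titles containing `&`, `<` or quotes, so it is worth confirming which form field this map feeds and whether it escapes its source labels itself. Since `Convert::raw2xml` on an array escapes the values and leaves the keys untouched, the `isset($subsiteMap[0])` check on the following line still sees the raw subsite IDs; the comment should say so, e.g. `// Prevent XSS injection: escape subsite titles for HTML output (ID keys are left as-is)`. A regression test that creates a Subsite titled `<script>alert(1)</script>`, renders the group edit form and asserts the output contains the entity-encoded title and not the raw tag would pin this fix against future refactors. The enclosing method starts before the hunk and its body continues past it, so other uses of `$subsiteMap` cannot be checked from here.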