FIX StringTagField now works with SS-2018-021/CVE-2019-5715 by serialising arrays before write

2024-10-22 11:05:32 +02:00 · 2019-02-19 11:01:58 +07:00 · 2019-02-19 11:01:58 +07:00 · daf71e2fab
commit daf71e2fab
parent 7b7dc3e58e
1 changed files with 11 additions and 1 deletions
--- a/src/StringTagField.php
+++ b/src/StringTagField.php
@ -269,10 +269,20 @@ class StringTagField extends DropdownField

        $name = $this->getName();

-        $record->$name = implode(',', $this->Value());
+        $record->$name = $this->dataValue();
        $record->write();
    }

+    /**
+     * Ensure that arrays are imploded before being saved
+     *
+     * @return mixed|string
+     */
+    public function dataValue()
+    {
+        return implode(',', $this->value);
+    }
+
    /**
     * Returns a JSON string of tags, for lazy loading.
     *