ReportAdmin: quotes in report titles are encoded ' #918

Martimiz opened this Issue Jan 3, 2014 · 2 comments



Pages in Dutch are pagina's, now displayed as


ReportAdmin.php #166:

    'title' => function($value, &$item) {
        return sprintf(
            '<a href="%s" class="cms-panel-link">%s</a>',
            // the link argument is not shown in the issue; reconstructed from the report's Link()
            Convert::raw2xml($item->Link()),
            // the call discussed in this issue: escapes an already-escaped value
            Convert::raw2xml($value)
        );
    },

Is there a valid reason for performing a raw2xml() on report titles or would replacing Convert::raw2xml($value) by just $value even be ok?


I believe the reason for using raw2xml is to sanitize the report title. Normally this would not be an issue, however imagine a scenario where you install a third party/compromised module where they have added a report with a title name of something like

<script>window.location = "";</script>

The issue here is that it's being double escaped though, as by default the $value is already escaped HTML. The best fix is probably to change the field casting.
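To make the double escaping concrete, here is an added example in plain PHP that is not part of this issue or of SilverStripe's code. It assumes that Convert::raw2xml() is equivalent to htmlspecialchars() with ENT_QUOTES (stand-in function rawToXml()), that the GridField hands the formatter a value that field casting has already escaped once, and it uses constructed report titles and links. It shows the current formatter producing a second escaping pass, and a single-escape variant that still neutralises a hostile title.

```php
<?php
// Added example, not SilverStripe's own code. Reproduces the double escaping
// reported in this issue and shows a single-escape alternative.

// Stand-in for Convert::raw2xml() (assumption: htmlspecialchars with ENT_QUOTES).
function rawToXml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Formatter as in the issue: $value arrives already escaped by the field
// casting and is escaped a second time here.
function formatTitleDouble(string $castValue, string $link): string
{
    return sprintf(
        '<a href="%s" class="cms-panel-link">%s</a>',
        rawToXml($link),
        rawToXml($castValue)
    );
}

// Single-escape variant: relies on the casting having escaped $castValue once
// and only escapes the link it assembles itself.
function formatTitleOnce(string $castValue, string $link): string
{
    return sprintf(
        '<a href="%s" class="cms-panel-link">%s</a>',
        rawToXml($link),
        $castValue
    );
}

// Constructed sample titles: the Dutch plural from the report, and a hostile
// title of the kind a compromised module could register.
$titles = [
    "pagina's",
    '<script>alert(1)</script>',
];

foreach ($titles as $title) {
    // What Text casting delivers to the formatter: escaped exactly once.
    $castValue = rawToXml($title);
    // Constructed link; a real report would supply its own Link().
    $link = 'admin/reports/show/' . rawurlencode($title);

    echo "raw title:      {$title}\n";
    echo "cast value:     {$castValue}\n";
    echo "double escaped: " . formatTitleDouble($castValue, $link) . "\n";
    echo "escaped once:   " . formatTitleOnce($castValue, $link) . "\n\n";
}
```

For "pagina's" the cast value is `pagina&#039;s`; the double-escaped markup contains `pagina&amp;#039;s`, which the browser renders as the literal text `pagina&#039;s` seen in the report list, while the single-escape variant renders `pagina's`. For the script title both variants emit `&lt;script&gt;...&lt;/script&gt;`, so dropping the second pass does not reintroduce markup injection as long as exactly one escaping pass (the casting) remains; removing escaping entirely, as the original question considers, would.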

@simonwelsh simonwelsh added the 3.1 label Mar 16, 2014