ReportAdmin: quotes in report titles are encoded ' #918

Open
Martimiz opened this Issue Jan 3, 2014 · 2 comments

4 participants

@Martimiz

Pages in Dutch are pagina's, now displayed as

pagina's

ReportAdmin.php #166:

$columns->setFieldFormatting(array(
    // Wraps each report title in a link to the report; both link and title are
    // passed through Convert::raw2xml() before being placed in the HTML.
    'title' => function($value, &$item) {
        return sprintf(
            '<a href="%s" class="cms-panel-link">%s</a>',
            Convert::raw2xml($item->Link),
            Convert::raw2xml($value)
        );
    }
));

Is there a valid reason for performing a raw2xml() on report titles or would replacing Convert::raw2xml($value) by just $value even be ok?

@kmayo-ss

I believe the reason for using raw2xml is to sanitize the report title. Normally this would not be an issue, however imagine a scenario where you install a third party/compromised module where they have added a report with the title name of something like

<script>window.location = "http://www.nasty-url.com";</script>
@ajshort

The issue here is that it's being double escaped though, as by default the $value is already escaped HTML. The best fix is probably to change the field casting.
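An added example (not code from the issue or from SilverStripe) that reproduces the double-escaping described above and shows the single-escape result. It assumes plain `htmlspecialchars()` with `ENT_QUOTES` behaves like `Convert::raw2xml()` for the characters that matter here (`< > & " '`), and uses a made-up report link.

```php
<?php
// Stand-in for Convert::raw2xml(): entity-encode the five HTML-significant
// characters exactly once (assumption: raw2xml encodes the same set).
function escapeOnce(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// The formatter as written in the issue: $value arrives already escaped by the
// field's default casting, and is then escaped a second time.
function doubleEscapedLink(string $alreadyEscaped, string $link): string {
    return sprintf('<a href="%s" class="cms-panel-link">%s</a>',
        escapeOnce($link), escapeOnce($alreadyEscaped));
}

// Escaping happens exactly once, at the point where the raw title enters HTML.
// Equivalent to either fixing the casting or using the pre-escaped $value as-is.
function singleEscapedLink(string $rawTitle, string $link): string {
    return sprintf('<a href="%s" class="cms-panel-link">%s</a>',
        escapeOnce($link), escapeOnce($rawTitle));
}

$link = '/admin/reports/show/Pages'; // hypothetical link, not from the page

// Case 1: a legitimate Dutch title with an apostrophe.
$raw  = "pagina's";
$cast = escapeOnce($raw); // what the default casting hands to the formatter
echo doubleEscapedLink($cast, $link), "\n";
// <a ...>pagina&amp;#039;s</a>  -> browser shows the literal text pagina&#039;s
echo singleEscapedLink($raw, $link), "\n";
// <a ...>pagina&#039;s</a>      -> browser shows pagina's

// Case 2: a hostile title from a compromised module. One escape is enough:
// the tag is rendered as text, so removing the second escape costs no safety.
$hostile = '<script>window.location = "http://www.nasty-url.com";</script>';
echo singleEscapedLink($hostile, $link), "\n";
// <a ...>&lt;script&gt;window.location = &quot;http://www.nasty-url.com&quot;;&lt;/script&gt;</a>
```

The check to apply when reviewing such formatters is whether the value is already escaped on entry; if it is, escaping again only corrupts legitimate characters and adds no protection.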

@simonwelsh simonwelsh added the 3.1 label Mar 16, 2014