
SECURITY Escape links for SilverStripeNavigatorItem

commit 252e187015a4f4c14470ab39bcf6a5c43b64081e 1 parent 5fe7091
Ingo Schommer authored January 31, 2012
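--- a/core/control/SilverStripeNavigatorItem.php
+++ b/core/control/SilverStripeNavigatorItem.php
@@ -67,7 +67,7 @@ function getHTML($page) {
 		if(is_a(Controller::curr(), 'CMSMain')) {
 			return '<a class="current">CMS</a>';
 		} else {
-			$cmsLink = 'admin/show/' . $page->ID;
+			$cmsLink = Convert::raw2att('admin/show/' . $page->ID);
 			$cmsLink = "<a href=\"$cmsLink\" class=\"newWindow\" target=\"cms\">". _t('ContentController.CMS', 'CMS') ."</a>";
 	
 			return $cmsLink;
@@ -96,7 +96,7 @@ function getHTML($page) {
 		} else {
 			$draftPage = Versioned::get_one_by_stage('SiteTree', 'Stage', '"SiteTree"."ID" = ' . $page->ID);
 			if($draftPage) {
-				$pageLink = Controller::join_links($draftPage->AbsoluteLink(), "?stage=Stage");
+				$pageLink = Convert::raw2att(Controller::join_links($draftPage->AbsoluteLink(), "?stage=Stage"));
 				return "<a href=\"$pageLink\" class=\"newWindow\" target=\"site\" style=\"left : -1px;\">". _t('ContentController.DRAFTSITE', 'Draft Site') ."</a>";
 			}
 		}
@@ -128,7 +128,7 @@ function getHTML($page) {
 		} else {
 			$livePage = Versioned::get_one_by_stage('SiteTree', 'Live', '"SiteTree"."ID" = ' . $page->ID);
 			if($livePage) {
-				$pageLink = Controller::join_links($livePage->AbsoluteLink(), "?stage=Live");
+				$pageLink = Convert::raw2att(Controller::join_links($livePage->AbsoluteLink(), "?stage=Live"));
 				return "<a href=\"$pageLink\" class=\"newWindow\" target=\"site\" style=\"left : -3px;\">". _t('ContentController.PUBLISHEDSITE', 'Published Site') ."</a>";
 			}
 		}
@@ -165,7 +165,7 @@ function getHTML($page) {
 				(!$currentDraft || ($currentDraft && $page->Version != $currentDraft->Version)) 
 				&& (!$currentLive || ($currentLive && $page->Version != $currentLive->Version))
 			) {
-				$pageLink = $page->AbsoluteLink();
+				$pageLink = Convert::raw2att($page->AbsoluteLink());
 				return "<a href=\"$pageLink?archiveDate={$page->LastEdited}\" class=\"newWindow\" target=\"site\" style=\"left : -3px;\">". _t('ContentController.ARCHIVEDSITE', 'Archived Site') ."</a>";
 			}
 		}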
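Review bot: In the last hunk (the archived-site link) only `$page->AbsoluteLink()` is passed through `Convert::raw2att`, while `{$page->LastEdited}` is interpolated straight into the same href attribute on the following return line, so the escaping added by this commit does not cover the whole attribute value. LastEdited presumably comes from the database as a datetime, which limits the practical risk, but the value is also a URL query parameter and should be URL-encoded as well as attribute-escaped, and the other three hunks build their query strings with `Controller::join_links` rather than a bare `?` appended to the absolute link. I would change the two lines to `$pageLink = Convert::raw2att(Controller::join_links($page->AbsoluteLink(), '?archiveDate=' . urlencode($page->LastEdited)));` and `return "<a href=\"$pageLink\" class=\"newWindow\" target=\"site\" style=\"left : -3px;\">". _t('ContentController.ARCHIVEDSITE', 'Archived Site') ."</a>";`. getHTML begins and ends outside the hunks shown.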

1 note on commit 252e187

Sam Minnée
Owner

This looks fine.
