
SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages
1 parent 84f47f5 commit 5fe7091dffa33a161cbc74ae7e73ab8ae4fa144b @chillu chillu committed Jan 31, 2012
Showing 1 changed file with 2 additions and 2 deletions: core/control/FormResponse.php (+2 −2)

core/control/FormResponse.php
@@ -148,8 +148,8 @@ static function get_page($id, $form = 'Form_EditForm', $uniquenessID = null) {
* @param $status string
*/
static function status_message($message = "", $status = null) {
- $JS_message = Convert::raw2js($message);
- $JS_status = Convert::raw2js($status);
+ $JS_message = Convert::raw2js(Convert::raw2xml($message));
+ $JS_status = Convert::raw2js(Convert::raw2xml($status));
if(isset($JS_status)) {
self::$status_messages[$JS_status] = "statusMessage('{$JS_message}', '{$JS_status}');";
} else {
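Review bot: wrapping `$message` in `Convert::raw2xml()` before `Convert::raw2js()` means the value is HTML-escaped and then JS-escaped, so a caller that deliberately passes markup in `$message` will now see the tags rendered literally once `statusMessage()` treats the string as HTML; the docblock should state this, and it currently documents only `@param $status string`. Suggest adding `@param $message string Plain text; HTML-special characters are escaped before the string is embedded in the generated JS` above the existing `@param $status string`. Also, `if(isset($JS_status))` now tests the doubly-escaped return value rather than the `$status` argument, so the `null` default only reaches the `else` branch if both Convert helpers pass `null` through unchanged; checking `$status !== null` directly would make the intent explicit and independent of what the helpers return for `null` input.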

1 comment on commit 5fe7091

@sminnee
SilverStripe Ltd. member

Looks good, as long as we acknowledge that statusMessage expects HTML not text.
