FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007)

commit 78ce99be09eb68882896d813838e22dce5c7eb5e 1 parent 477c3c9
@chillu chillu authored
2  admin/code/SecurityAdmin.php
@@ -83,7 +83,7 @@ public function getEditForm($id = null, $fields = null) {
));
$columns->setFieldFormatting(array(
'Breadcrumbs' => function($val, $item) {
- return $item->getBreadcrumbs(' > ');
+ return Convert::raw2xml($item->getBreadcrumbs(' > '));
}
));
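Review bot: the closure's return value is written into the GridField column HTML as-is, so wrapping getBreadcrumbs(' > ') in Convert::raw2xml() is the correct fix for the escaping gap in this hunk; note that the ' > ' separator will now render as '&gt;' in the markup (visually unchanged), and it is worth checking whether any other setFieldFormatting closures in the admin that return item-derived strings need the same treatment.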
7 docs/en/changelogs/rc/3.1.0-rc3.md
@@ -0,0 +1,7 @@
+# 3.1.0-rc3
+
+## Overview
+
+### Security: XSS in CMS "Security" section (SS-2013-007)
+
+See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
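Review bot: the changelog entry consists only of a link to the external announcement; a one-line summary in the entry itself (e.g. "Breadcrumbs column in SecurityAdmin is now escaped with Convert::raw2xml") would let readers of the bundled docs see what changed without depending on the silverstripe.org page staying available.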
7 forms/gridfield/GridFieldDataColumns.php
@@ -95,10 +95,15 @@ public function getFieldCasting() {
/**
* Specify custom formatting for fields, e.g. to render a link instead of pure text.
+ *
* Caution: Make sure to escape special php-characters like in a normal php-statement.
* Example: "myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
+ *
* Alternatively, pass a anonymous function, which takes two parameters:
- * The value and the original list item.
+ * The value and the original list item.
+ *
+ * Formatting is applied after field casting, so if you're modifying the string
+ * to include further data through custom formatting, ensure it's correctly escaped.
*
* @param array $formatting
*/
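Review bot: the added paragraph about escaping is still vague about what actually happens; since the return value of a formatting closure is emitted into the HTML unescaped (which is exactly what SS-2013-007 exploited), the docblock should say so explicitly and name Convert::raw2xml() as the expected escaping call, as SecurityAdmin now does. The hunk also touches the adjacent lines, so this is a good opportunity to fix "pass a anonymous function" to "pass an anonymous function" on the context line above; the `-`/`+` pair for "The value and the original list item." appears to be a whitespace-only change.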