BUG: Fixes #2796 XSS filtering off edit/close links #2803
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BUG: Fixes silverstripe#2804 Invalid exit link when saving a ComplextableField Popup
|
Closing in favour of #2807. Kirk, invitation to peer review still stands there ;) |
chillu
added a commit
to silverstripe-iterators/silverstripe-framework
that referenced
this pull request
Mar 3, 2014
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/. Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability to pass in HTML and take care of escaping manually. We pass through HTML to message in core through the CTF system, so this needs to be fixed. It’s an alternative fix to silverstripe#2803. Conflicts: forms/ComplexTableField.php forms/Form.php forms/FormField.php tests/forms/FormTest.php
chillu
added a commit
to chillu/silverstripe-framework
that referenced
this pull request
Aug 21, 2014
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/. Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability to pass in HTML and take care of escaping manually. We pass through HTML to message in core through the CTF system, so this needs to be fixed. It’s an alternative fix to silverstripe#2803.
chillu
added a commit
that referenced
this pull request
Aug 22, 2014
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/. Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability to pass in HTML and take care of escaping manually. We pass through HTML to message in core through the CTF system, so this needs to be fixed. It’s an alternative fix to #2803.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a fix for issue #2796 where the recent 2.4 security fixes have broken the Edit/Close links on the ComplexTableField popup message.
The issue can be replicated by going to File & Images in the CMS backend clicking on the edit icon next to a file to bring up the popup box and clicking save.
This patch resolves this issue.
It has been tested on Chrome, FireFox, Safari and IE9.
I have also noticed that the Popups for ComplexTableField has other broken functionality for example the edit link in the popup goes to a blank page this patch does not resolve this issue and I will raise another issue for this