FIX Escape user input from an HTML context. (#488)

There is no XSS vulnerability here due to other measures to mitigate one - but user input which includes HTML characters still might not render correctly without this fix.
silverstripe · Jan 14, 2025 · 970135b · 970135b
1 parent 2ade8aa
commit 970135b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/src/RestoreAction.php b/src/RestoreAction.php
@@ -2,6 +2,7 @@
 
 namespace SilverStripe\Versioned;
 
+use SilverStripe\Core\Convert;
 use SilverStripe\ORM\Hierarchy\Hierarchy;
 use SilverStripe\ORM\ValidationException;
 use SilverStripe\Versioned\Versioned;
@@ -86,7 +87,7 @@ public static function restore($item)
     public static function getRestoreMessage($originalItem, $restoredItem, $changedLocation = false)
     {
         $restoredID = $restoredItem->Title ?: $restoredItem->ID;
-        $restoredType = strtolower($restoredItem->i18n_singular_name() ?? '');
+        $restoredType = Convert::raw2xml(strtolower($restoredItem->i18n_singular_name() ?? ''));
 
         if (method_exists($restoredItem, 'CMSEditLink') &&
         $restoredItem->CMSEditLink()) {

diff --git a/src/VersionedGridFieldItemRequest.php b/src/VersionedGridFieldItemRequest.php
@@ -132,8 +132,8 @@ public function doArchive($data, $form)
             __CLASS__ . '.Archived',
             'Archived {name} "{title}"',
             [
-                'name' => $record->i18n_singular_name(),
-                'title' => $title
+                'name' => Convert::raw2xml($record->i18n_singular_name()),
+                'title' => Convert::raw2xml($title)
             ]
         );
         $this->setFormMessage($form, $message);
@@ -174,7 +174,7 @@ public function doPublish($data, $form)
             __CLASS__ . '.Published',
             'Published {name} {link}',
             [
-                'name' => $record->i18n_singular_name(),
+                'name' => Convert::raw2xml($record->i18n_singular_name()),
                 'link' => $link
             ]
         );
@@ -218,8 +218,8 @@ public function doUnpublish($data, $form)
             __CLASS__ . '.Unpublished',
             'Unpublished {name} "{title}"',
             [
-                'name' => $record->i18n_singular_name(),
-                'title' => $title
+                'name' => Convert::raw2xml($record->i18n_singular_name()),
+                'title' => Convert::raw2xml($title)
             ]
         );
         $this->setFormMessage($form, $message);