
Commit 9d604f5

authored
Merge commit from fork
* Escape Admin Notification Labels * Fix hard coded js reference to notification url * Added escape to massaction template * Removed escape from _prepareMassaction
1 parent 858f3a7 commit 9d604f5


2 files changed

+14
-9
lines changed


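--- a/app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php
+++ b/app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php
@@ -21,28 +21,33 @@ class Mage_Adminhtml_Block_Notification_Grid_Renderer_Actions extends Mage_Admin
      */
     public function render(Varien_Object $row)
     {
-        $readDetailsHtml = ($row->getUrl())
-            ? '<a target="_blank" href="' . $row->getUrl() . '">' .
-            Mage::helper('adminnotification')->__('Read Details') . '</a> | '
+        $escapedRowUrl = $this->escapeUrl($row->getUrl());
+        $readDetailsHtml = ($escapedRowUrl)
+            ? '<a target="_blank" href="' . $escapedRowUrl . '">' .
+            $this->escapeHtml(Mage::helper('adminnotification')->__('Read Details')) . '</a> | '
             : '';
 
         $markAsReadHtml = (!$row->getIsRead())
             ? '<a href="' . $this->getUrl('*/*/markAsRead/', ['_current' => true, 'id' => $row->getId()]) . '">' .
-            Mage::helper('adminnotification')->__('Mark as Read') . '</a> | '
+            $this->escapeHtml(Mage::helper('adminnotification')->__('Mark as Read')) . '</a> | '
             : '';
 
+        $deleteConfirmHtml = sprintf("deleteConfirm('%s', this.href)",
+            Mage::helper('core')->jsQuoteEscape(Mage::helper('adminnotification')->__('Are you sure?')),
+        );
+
         /** @var Mage_Core_Helper_Url $helper */
         $helper = $this->helper('core/url');
         return sprintf(
-            '%s%s<a href="%s" onClick="deleteConfirm(\'%s\', this.href); return false;">%s</a>',
+            '%s%s<a href="%s" onClick="%s; return false;">%s</a>',
             $readDetailsHtml,
             $markAsReadHtml,
             $this->getUrl('*/*/remove/', [
                 '_current' => true,
                 'id' => $row->getId(),
                 Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $helper->getEncodedUrl()]),
-            Mage::helper('adminnotification')->__('Are you sure?'),
-            Mage::helper('adminnotification')->__('Remove'),
+            $deleteConfirmHtml,
+            $this->escapeHtml(Mage::helper('adminnotification')->__('Remove')),
         );
     }
 }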
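Review bot: `$deleteConfirmHtml` is escaped for the JavaScript-string context only, yet on the new format-string line it is interpolated into the double-quoted `onClick="…"` HTML attribute, where `jsQuoteEscape` gives no protection — a double quote or `&`-entity in the translated 'Are you sure?' text would be consumed by the HTML parser before the handler is ever evaluated. Passing the handler through the attribute escaper as well, `$this->escapeHtml($deleteConfirmHtml),` in the sprintf argument list, closes that gap; browsers decode entities before evaluating the handler, so the backslash-escaped quotes survive intact. The same hunk now escapes `$row->getUrl()` but still inlines the two `$this->getUrl(...)` results raw into `href` attributes; wrapping them in `$this->escapeUrl(...)` would keep all three links consistent. Note also that if `escapeUrl` only entity-encodes (as its use here suggests), it does not reject non-http schemes in a feed-supplied URL, so any scheme validation would have to happen where the notification is stored.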

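--- a/app/design/adminhtml/default/default/template/widget/grid/massaction.phtml
+++ b/app/design/adminhtml/default/default/template/widget/grid/massaction.phtml
@@ -38,13 +38,13 @@
     <?php foreach($this->getGroupedItems() as $key => $group): ?>
         <?php if ($key === 'default'): ?>
             <?php foreach($group as $_item): ?>
-                <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $_item->getLabel() ?></option>
+                <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $this->escapeHtml($_item->getLabel()) ?></option>
             <?php endforeach ?>
         <?php elseif ($key === 'grouped'): ?>
             <?php foreach($group as $label => $_massGroup): ?>
                 <optgroup label="<?php echo $this->quoteEscape($label); ?>">
                     <?php foreach($_massGroup as $_item): ?>
-                        <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $_item->getLabel() ?></option>
+                        <option value="<?php echo $_item->getId() ?>"<?php echo ($_item->getSelected() ? ' selected="selected"' : '')?>><?php echo $this->escapeHtml($_item->getLabel()) ?></option>
                     <?php endforeach ?>
                 </optgroup>
             <?php endforeach ?>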
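Review bot: The two rewritten `<option>` lines escape the label but still echo `$_item->getId()` unescaped into the `value` attribute, which is the same HTML context the commit is fixing for `getLabel()`. Mass-action ids are presumably defined in block code rather than supplied by users, but the escaping is cheap and keeps the element consistent: `<option value="<?php echo $this->escapeHtml($_item->getId()) ?>"` on both lines. The `<optgroup label=…>` context line uses `quoteEscape()` while the new lines use `escapeHtml()`; if both are intended for attribute context, settling on one keeps the template's escaping uniform and easier to audit.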
