List text values should be escaped, since they come directly from the model values

Fxies https://github.com/rainlab/user-plugin/pull/37
2015-02-21 19:16:44 +11:00 · 2015-02-21 19:16:44 +11:00 · 320f7bfb1a
parent a4418aeab8
commit 320f7bfb1a
1 changed files with 9 additions and 1 deletions
--- a/modules/backend/widgets/Lists.php
+++ b/modules/backend/widgets/Lists.php
@ -774,7 +774,15 @@ class Lists extends WidgetBase
    //

    /**
-     * Process as boolean switch
+     * Process as text, escape the value
+     */
+    protected function evalTextTypeValue($record, $column, $value)
+    {
+        return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
+    }
+
+    /**
+     * Process as partial reference
     */
    protected function evalPartialTypeValue($record, $column, $value)
    {