From 7dd54246e13ddbfffd16c51d5776ffbb9de15e45 Mon Sep 17 00:00:00 2001 From: Paul Fox Date: Tue, 20 Feb 2024 19:29:09 -0700 Subject: [PATCH] #25 Fixes for security issues --- src/classes/CampaignCalendar.cls | 2 +- src/pages/CampaignCalendar.page | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/classes/CampaignCalendar.cls b/src/classes/CampaignCalendar.cls index 1b32595..42a34cc 100644 --- a/src/classes/CampaignCalendar.cls +++ b/src/classes/CampaignCalendar.cls @@ -115,7 +115,7 @@ public with sharing class CampaignCalendar { whereClause += ' AND Type = :type '; } - String query = 'SELECT ' + String.join(queryFields(), ',') + ' FROM Campaign WHERE ' + whereClause + ' WITH SECURITY_ENFORCED'; + String query = 'SELECT ' + String.escapeSingleQuotes(String.join(queryFields(), ',')) + ' FROM Campaign WHERE ' + whereClause + ' WITH SECURITY_ENFORCED'; List campaigns = (List)Database.query(query); List calendarEntries = new List(); diff --git a/src/pages/CampaignCalendar.page b/src/pages/CampaignCalendar.page index ef4602d..a074c4a 100644 --- a/src/pages/CampaignCalendar.page +++ b/src/pages/CampaignCalendar.page @@ -53,13 +53,13 @@ - {{if '{!f.FieldPath}' == 'OwnerId'}} + {{if '{!JSENCODE(f.FieldPath)}' == 'OwnerId'}} {{else}} - - + {{/if}}
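Review bot: `String.escapeSingleQuotes` around the joined SELECT list on the added `String query = ...` line does not constrain what reaches the query, because field names sit outside any quoted literal and text without a quote passes through unchanged. The filter value is already bound (`:type`), so what matters is where `queryFields()` gets its names, and that method is outside this hunk. If the names come only from a field set or a describe call, record that above the line, e.g. `// queryFields() returns field-set API names only; no user input reaches the SELECT list`. If anything user-supplied can reach it, validate each name against the Campaign describe result before building the string rather than relying on quote escaping.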
Owner {{>Owner.Name}}{!f.Label} - {{:~formatData({!f.FieldPath},'{!f.type}','{!f.FieldPath}')}} + {!JSENCODE(f.Label)} + {{:~formatData({!JSENCODE(f.FieldPath)},'{!JSENCODE(f.type)}','{!JSENCODE(f.FieldPath)}')}}
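Review bot: The first argument of `~formatData` on the last added line is still emitted outside quotes, so `JSENCODE` gives no protection there: it escapes a value for use inside a quoted JavaScript string, while an unquoted value is evaluated as a template expression. `f.FieldPath` appears to be a field-set member, which makes this low risk, but the safety then rests on that source and should be stated next to the template, e.g. `FieldPath is a field-set API name used as a JsRender data path, not a string`. The header cell looks like a context mismatch too: `{!JSENCODE(f.Label)}` seems to be rendered as markup text, where `{!HTMLENCODE(f.Label)}` is the matching encoder and JavaScript backslash escapes would show up literally in the label. The surrounding markup is not visible in this hunk, so both contexts need confirming against the full page.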