Merge pull request #29 from cloudanswers/27-security-fixes

#27 Fixes for security issues

Author: thepaulfox

src/classes/CampaignCalendar.cls

@@ -115,7 +115,7 @@ public with sharing class CampaignCalendar {
             whereClause += ' AND Type = :type ';
         }
 
-        String query = 'SELECT ' + String.join(queryFields(), ',') + ' FROM Campaign WHERE ' + whereClause + ' WITH SECURITY_ENFORCED';
+        String query = 'SELECT ' + String.escapeSingleQuotes(String.join(queryFields(), ',')) + ' FROM Campaign WHERE ' + whereClause + ' WITH SECURITY_ENFORCED';
         List<Campaign> campaigns = (List<Campaign>)Database.query(query);
 
         List<CalendarEntry> calendarEntries =  new List<CalendarEntry>();

src/pages/CampaignCalendar.page

@@ -53,13 +53,13 @@
         <table width="100%">
             <apex:repeat value="{!$ObjectType.Campaign.FieldSets.MarketingCalendarPopup}" var="f"> 
                 <tr>
-                    {{if '{!f.FieldPath}' == 'OwnerId'}}
+                    {{if '{!JSENCODE(f.FieldPath)}' == 'OwnerId'}}
                          <td><b>Owner</b></td>
                          <td>{{>Owner.Name}}</td>
                     {{else}} 
-                        <td><b>{!f.Label}</b></td>
-                        <td class="{!f.FieldPath}" >
-                            {{:~formatData({!f.FieldPath},'{!f.type}','{!f.FieldPath}')}} 
+                        <td><b>{!JSENCODE(f.Label)}</b></td>
+                        <td class="{!JSENCODE(f.FieldPath)}" >
+                            {{:~formatData({!JSENCODE(f.FieldPath)},'{!JSENCODE(f.type)}','{!JSENCODE(f.FieldPath)}')}} 
                         </td>
                     {{/if}}
                 </tr>