Permalink
Browse files

API Escape form validation messages (SS-2013-008)

  • Loading branch information...
1 parent f3ef04a commit 2b7a2a289e135cb7bb1284ccfb88c2c0afcf4869 @chillu chillu committed Sep 24, 2013
Showing with 20 additions and 2 deletions.
  1. +11 −1 docs/en/changelogs/rc/3.1.0-rc3.md
  2. +5 −1 forms/Form.php
  3. +4 −0 forms/FormField.php
@@ -6,6 +6,16 @@
See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
+### Security: XSS in form validation errors (SS-2013-008)
+
+See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
+
### Security: XSS in CMS "Pages" section (SS-2013-009)
-See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+
+### API: Form validation message no longer allow HTML
+
+Due to cross-site scripting concerns when user data is used for form messages,
+it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
+in the `FormField->validate()` API.
View
@@ -155,6 +155,10 @@ class Form extends RequestHandler {
'forTemplate',
);
+ private static $casting = array(
+ 'Message' => 'Text'
+ );
+
/**
* Create a new form, with the given fields an action buttons.
*
@@ -489,7 +493,7 @@ public function getRedirectToFormOnValidationError() {
}
/**
- * Add an error message to a field on this form. It will be saved into the session
+ * Add a plain text error message to a field on this form. It will be saved into the session
* and used the next time this form is displayed.
*/
public function addErrorMessage($fieldName, $message, $messageType) {
View
@@ -93,6 +93,10 @@ class FormField extends RequestHandler {
*/
protected $attributes = array();
+ private static $casting = array(
+ 'Message' => 'Text'
+ );
+
/**
* Takes a fieldname and converts camelcase to spaced
* words. Also resolves combined fieldnames with dot syntax

0 comments on commit 2b7a2a2

Please sign in to comment.