silverstripe-framework/docs/en/04_Changelogs/rc/3.1.0-rc3.md

# 3.1.0-rc3

## Overview

### Security: XSS in CMS "Security" section (SS-2013-007)

See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
### Security: XSS in form validation errors (SS-2013-008)

See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)

### Security: XSS in CMS "Pages" section (SS-2013-009)

See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)

### API: Form validation message no longer allow HTML

Due to cross-site scripting concerns when user data is used for form messages,
it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
in the `FormField->validate()` API.
Added 3.1.0-rc3 changelog 2013-09-26 01:42:27 +02:00			`# 3.1.0-rc3`

FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007) 2013-09-24 10:45:55 +02:00			`## Overview`
Added 3.1.0-rc3 changelog 2013-09-26 01:42:27 +02:00
			`### Security: XSS in CMS "Security" section (SS-2013-007)`

			`See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)`
			`### Security: XSS in form validation errors (SS-2013-008)`

			`See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)`

			`### Security: XSS in CMS "Pages" section (SS-2013-009)`

			`See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)`

			`### API: Form validation message no longer allow HTML`

			`Due to cross-site scripting concerns when user data is used for form messages,`
			it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
			in the `FormField->validate()` API.