silverstripe-framework/docs/en/changelogs/2.4.13.md

# 2.4.13

## Overview

### Security: XSS in form validation errors (SS-2013-008)

See [announcement](https://www.silverstripe.org/download/security-releases/ss-2013-008-xss-in-numericfield-validation/)

### Security: XSS in CMS "Pages" section (SS-2013-009)

See [announcement](https://www.silverstripe.org/download/security-releases/ss-2013-009-xss-in-cms-pages-section/)

### API: Form validation message no longer allow HTML

Due to cross-site scripting concerns when user data is used for form messages,
it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
in the `FormField->validate()` API.
Added 2.4.13 changelog 2013-09-26 01:11:59 +02:00			`# 2.4.13`

			`## Overview`

			`### Security: XSS in form validation errors (SS-2013-008)`

DOCS 2.4 : Fixed all internally generated 404s DOCS 2.4 : Fixed some external links causing 404s DOCS 2.4 : adjusted link labels DOCS 2.4 : another link label fixed up DOCS 2.4 : fixed link 2015-12-01 18:58:31 +13:00			`See [announcement](https://www.silverstripe.org/download/security-releases/ss-2013-008-xss-in-numericfield-validation/)`
Added 2.4.13 changelog 2013-09-26 01:11:59 +02:00
			`### Security: XSS in CMS "Pages" section (SS-2013-009)`

DOCS 2.4 : Fixed all internally generated 404s DOCS 2.4 : Fixed some external links causing 404s DOCS 2.4 : adjusted link labels DOCS 2.4 : another link label fixed up DOCS 2.4 : fixed link 2015-12-01 18:58:31 +13:00			`See [announcement](https://www.silverstripe.org/download/security-releases/ss-2013-009-xss-in-cms-pages-section/)`
Added 2.4.13 changelog 2013-09-26 01:11:59 +02:00
			`### API: Form validation message no longer allow HTML`

			`Due to cross-site scripting concerns when user data is used for form messages,`
			it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
			in the `FormField->validate()` API.