From 25a437e5a0a515e6cae8b6cc970b3865697404ca Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Tue, 12 Jan 2010 23:43:47 +0000
Subject: [PATCH] BUGFIX: Removed XSS holes (from r94823)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@96773 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 forms/ComplexTableField.php | 2 +-
 security/Group.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/forms/ComplexTableField.php b/forms/ComplexTableField.php
index 840f3237a..1341ac54a 100755
--- a/forms/ComplexTableField.php
+++ b/forms/ComplexTableField.php
@@ -832,7 +832,7 @@ class ComplexTableField_ItemRequest extends RequestHandler {
 $message = sprintf(
 _t('ComplexTableField.SUCCESSEDIT', 'Saved %s %s %s'),
 $dataObject->singular_name(),
- '"' . $dataObject->Title . '"',
+ '"' . htmlspecialchars($dataObject->Title, ENT_QUOTES) . '"',
 $closeLink
 );
 
diff --git a/security/Group.php b/security/Group.php
index b310c562c..422044886 100644
--- a/security/Group.php
+++ b/security/Group.php
@@ -328,8 +328,8 @@ class Group extends DataObject {
 }
 
 public function TreeTitle() {
- if($this->hasMethod('alternateTreeTitle')) return $this->alternateTreeTitle();
- else return $this->Title;
+ if($this->hasMethod('alternateTreeTitle')) return $this->alternateTreeTitle();
+ else return htmlspecialchars($this->Title, ENT_QUOTES);
 }
 
 /**
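Review bot: The new `htmlspecialchars($dataObject->Title, ENT_QUOTES)` call omits the charset argument, so the escaping depends on the interpreter's default (ISO-8859-1 on the PHP versions current in 2010, UTF-8 from 5.4), and the same omission appears in the Group.php hunk; pass it explicitly, `htmlspecialchars($dataObject->Title, ENT_QUOTES, 'UTF-8')`, so the output is well-defined regardless of runtime configuration. The other two sprintf arguments in the hunk, `$dataObject->singular_name()` and `$closeLink`, are still interpolated into the same message unescaped; `$closeLink` is presumably intentional markup, but `singular_name()` should be checked for whether it can carry user-controlled text. The enclosing method starts and ends outside the hunk.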
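Review bot: Only the `$this->Title` branch of TreeTitle() is now escaped; the `alternateTreeTitle()` branch on the line above returns whatever that method produces verbatim, so a decorator that returns a raw title keeps the original XSS in that path. The two branches should have one escaping contract: either escape the alternate result as well, or document that implementations must return escaped HTML, e.g. a docblock above the method: `Returns the group title for tree display. The built-in branch HTML-escapes $this->Title; an alternateTreeTitle() implementation must return already-escaped HTML, since its result is emitted as-is.` The charset argument is also missing here, as in the ComplexTableField.php hunk.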