API Escape form validation messages (SS-2013-008)

docs/en/changelogs/rc/3.1.0-rc3.md

@@ -6,6 +6,16 @@
 
 See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
 
+### Security: XSS in form validation errors (SS-2013-008)
+
+See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)
+
 ### Security: XSS in CMS "Pages" section (SS-2013-009)
 
-See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)
+
+### API: Form validation message no longer allow HTML
+
+Due to cross-site scripting concerns when user data is used for form messages,
+it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
+in the `FormField->validate()` API.

forms/Form.php

@@ -155,6 +155,10 @@ class Form extends RequestHandler {
 		'forTemplate',
 	);
 
+	private static $casting = array(
+		'Message' => 'Text'
+	);
+
 	/**
 	 * Create a new form, with the given fields an action buttons.
 	 * 
@@ -489,7 +493,7 @@ class Form extends RequestHandler {
 	}
 
 	/**
-	 * Add an error message to a field on this form.  It will be saved into the session
+	 * Add a plain text error message to a field on this form.  It will be saved into the session
 	 * and used the next time this form is displayed.
 	 */
 	public function addErrorMessage($fieldName, $message, $messageType) {

forms/FormField.php

@@ -93,6 +93,10 @@ class FormField extends RequestHandler {
 	 */
 	protected $attributes = array();
 
+	private static $casting = array(
+		'Message' => 'Text'
+	);
+
 	/**
 	 * Takes a fieldname and converts camelcase to spaced
 	 * words. Also resolves combined fieldnames with dot syntax