From 5fe7091dffa33a161cbc74ae7e73ab8ae4fa144b Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Tue, 31 Jan 2012 15:01:59 +0100
Subject: [PATCH] SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published ' messages
---
 core/control/FormResponse.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/control/FormResponse.php b/core/control/FormResponse.php
index 1d6d8969b..f6fa35fbf 100755
--- a/core/control/FormResponse.php
+++ b/core/control/FormResponse.php
@@ -148,8 +148,8 @@ class FormResponse {
 * @param $status string
 */
 static function status_message($message = "", $status = null) {
- $JS_message = Convert::raw2js($message);
- $JS_status = Convert::raw2js($status);
+ $JS_message = Convert::raw2js(Convert::raw2xml($message));
+ $JS_status = Convert::raw2js(Convert::raw2xml($status));
 if(isset($JS_status)) {
 self::$status_messages[$JS_status] = "statusMessage('{$JS_message}', '{$JS_status}');";
 } else {
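Review bot: The docblock above `status_message()` should now say that `$message` and `$status` are treated as plain text and HTML-escaped here, because after this change a caller that passes markup or an already-escaped string will see it double-encoded; something like `@param $message string Plain text; HTML- and JS-escaped by this method, do not pre-escape`. The order `raw2js(raw2xml(...))` suits a value placed in a single-quoted JS string and then presumably rendered as HTML by `statusMessage()`, but that sink is outside this hunk and worth confirming. Separately, `isset($JS_status)` tests the converted value rather than `$status`; if the `Convert` helpers return a string for `null`, the `else` branch can never run, so `if($status !== null) {` would be the safer test. The function body continues past the end of the hunk.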