Merge pull request #35 from silverstripe-security/patch/3.1/ss-2016-016

[SS-2016-016] FIX Properly escape backURL for template injection

security/CMSSecurity.php

@@ -204,7 +204,7 @@ PHP
 				'<p>Login success. If you are not automatically redirected '.
 				'<a target="_top" href="{link}">click here</a></p>',
 				'Login message displayed in the cms popup once a user has re-authenticated themselves',
-				array('link' => $backURL)
+				array('link' => Convert::raw2att($backURL))
 			)
 		));