FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007)

admin/code/SecurityAdmin.php

@@ -83,7 +83,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		));
 		$columns->setFieldFormatting(array(
 			'Breadcrumbs' => function($val, $item) {
-				return $item->getBreadcrumbs(' > ');
+				return Convert::raw2xml($item->getBreadcrumbs(' > '));
 			}
 		));
 

docs/en/changelogs/rc/3.1.0-rc3.md

@@ -0,0 +1,7 @@
+# 3.1.0-rc3
+
+## Overview
+
+### Security: XSS in CMS "Security" section (SS-2013-007)
+
+See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)

forms/gridfield/GridFieldDataColumns.php

@@ -95,10 +95,15 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
 
 	/**
 	 * Specify custom formatting for fields, e.g. to render a link instead of pure text.
+	 * 
 	 * Caution: Make sure to escape special php-characters like in a normal php-statement.
 	 * Example:	"myFieldName" => '<a href=\"custom-admin/$ID\">$ID</a>'.
+	 * 
 	 * Alternatively, pass a anonymous function, which takes two parameters:
-	 *  The value and the original list item.
+	 * The value and the original list item.
+	 *
+	 * Formatting is applied after field casting, so if you're modifying the string
+	 * to include further data through custom formatting, ensure it's correctly escaped.
 	 *
 	 * @param array $formatting
 	 */