From 78ce99be09eb68882896d813838e22dce5c7eb5e Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Tue, 24 Sep 2013 10:45:55 +0200
Subject: [PATCH] FIX Escape breadcrumbs in SecurityAdmin (SS-2013-007)

---
 admin/code/SecurityAdmin.php | 2 +-
 docs/en/changelogs/rc/3.1.0-rc3.md | 7 +++++++
 forms/gridfield/GridFieldDataColumns.php | 7 ++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 docs/en/changelogs/rc/3.1.0-rc3.md

diff --git a/admin/code/SecurityAdmin.php b/admin/code/SecurityAdmin.php
index 317c12e5e..0a1a8e58b 100755
--- a/admin/code/SecurityAdmin.php
+++ b/admin/code/SecurityAdmin.php
@@ -83,7 +83,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 ));
 $columns->setFieldFormatting(array(
 'Breadcrumbs' => function($val, $item) {
- return $item->getBreadcrumbs(' > ');
+ return Convert::raw2xml($item->getBreadcrumbs(' > '));
 }
 ));
 
diff --git a/docs/en/changelogs/rc/3.1.0-rc3.md b/docs/en/changelogs/rc/3.1.0-rc3.md
new file mode 100644
index 000000000..75ef1cb42
--- /dev/null
+++ b/docs/en/changelogs/rc/3.1.0-rc3.md
@@ -0,0 +1,7 @@
+# 3.1.0-rc3
+
+## Overview
+
+### Security: XSS in CMS "Security" section (SS-2013-007)
+
+See [announcement](http://www.silverstripe.org/ss-2013-007-xss-in-cms-security-section/)
\ No newline at end of file
diff --git a/forms/gridfield/GridFieldDataColumns.php b/forms/gridfield/GridFieldDataColumns.php
index 0749ac898..f3ae0f4f2 100644
--- a/forms/gridfield/GridFieldDataColumns.php
+++ b/forms/gridfield/GridFieldDataColumns.php
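Review bot: The added `Convert::raw2xml(...)` in the Breadcrumbs formatter has no comment saying why it is there, and because the closure builds its return from `$item->getBreadcrumbs(' > ')` rather than the already-cast `$val`, a later reader may well treat the escaping as redundant with field casting and remove it. A one-line why-comment above the return would pin the intent: `// Formatter output is rendered after casting, so escape the breadcrumb titles here (SS-2013-007)`; the new docblock on `setFieldFormatting` in this patch states the same rule. The same reasoning applies to any other formatter closure in this class that builds its return from record data, which this hunk does not show. A regression test that renders this column for a record whose title contains markup and asserts the output is entity-encoded would keep the fix from regressing.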
@@ -95,10 +95,15 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
 /**
 * Specify custom formatting for fields, e.g. to render a link instead of pure text.
+ *
 * Caution: Make sure to escape special php-characters like in a normal php-statement.
 * Example: "myFieldName" => '$ID'.
+ *
 * Alternatively, pass a anonymous function, which takes two parameters:
- * The value and the original list item.
+ * The value and the original list item.
+ *
+ * Formatting is applied after field casting, so if you're modifying the string
+ * to include further data through custom formatting, ensure it's correctly escaped.
 *
 * @param array $formatting
 */