From a338e608b8798d1d00d63114d0981bb8c9989160 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Tue, 24 Sep 2013 13:58:32 +0200
Subject: [PATCH] API Escape form validation messages (SS-2013-008)
---
 forms/Form.php | 6 +++++-
 forms/FormField.php | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/forms/Form.php b/forms/Form.php
index 4dd0f84f2..30186998c 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -155,6 +155,10 @@ class Form extends RequestHandler {
 'forTemplate',
 );

+ private static $casting = array(
+ 'Message' => 'Text'
+ );
+
 /**
 * Create a new form, with the given fields an action buttons.
 *
@@ -489,7 +493,7 @@ class Form extends RequestHandler {
 }

 /**
- * Add an error message to a field on this form. It will be saved into the session
+ * Add a plain text error message to a field on this form. It will be saved into the session
 * and used the next time this form is displayed.
 */
 public function addErrorMessage($fieldName, $message, $messageType) {
diff --git a/forms/FormField.php b/forms/FormField.php
index 87b73e63c..76c9d5948 100644
--- a/forms/FormField.php
+++ b/forms/FormField.php
@@ -93,6 +93,10 @@ class FormField extends RequestHandler {
 */
 protected $attributes = array();

+ private static $casting = array(
+ 'Message' => 'Text'
+ );
+
 /**
 * Takes a fieldname and converts camelcase to spaced
 * words. Also resolves combined fieldnames with dot syntax
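Review bot: The new `$casting` entry in `Form` (and the identical one in the FormField.php hunk) has no comment saying why `Message` is cast to `Text`, so a later maintainer could change it back to an HTML type without realising it is the escaping fix named in the subject (SS-2013-008). I would add a docblock above each, e.g. `/** Validation messages are plain text and must be escaped on output (SS-2013-008). */`. The cast presumably takes effect only where the value is rendered through the template layer; any code that reads the message directly and prints it is not covered by these hunks and would need checking separately. The diffstat lists only the two form classes, so a regression test that renders a message containing markup and asserts it comes out escaped appears to be missing.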
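Review bot: The reworded docblock on `addErrorMessage()` says the message is plain text but not what happens to it on output, which is what callers need to know. Code that previously escaped user-supplied values itself before passing them in would, given the `Text` casting added in the other hunks, presumably end up double-encoded, and code that passed markup on purpose will now see it printed literally. I would add a line such as ` * The message is escaped when rendered; pass raw text, not HTML or pre-escaped strings.` The function body lies outside the hunk, so whether other message setters on the class need the same wording cannot be seen here.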