From deadc154ca3ab8e0d0bab901c311e219e55a6a1f Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Mon, 30 Sep 2013 23:55:32 +0200
Subject: [PATCH] Don't link record in GridField form message

This is no longer allows through Form->sessionMessage() to avoid XSS.
---
 forms/gridfield/GridFieldDetailForm.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/forms/gridfield/GridFieldDetailForm.php b/forms/gridfield/GridFieldDetailForm.php
index 0c7dc2187..443c665c8 100644
--- a/forms/gridfield/GridFieldDetailForm.php
+++ b/forms/gridfield/GridFieldDetailForm.php
@@ -508,9 +508,11 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
 
 		// TODO Save this item into the given relationship
 
-		$link = '<a href="' . $this->Link('edit') . '">"' 
-			. htmlspecialchars($this->record->Title, ENT_QUOTES) 
-			. '"</a>';
+		// TODO Allow HTML in form messages
+		// $link = '<a href="' . $this->Link('edit') . '">"' 
+		// 	. htmlspecialchars($this->record->Title, ENT_QUOTES) 
+		// 	. '"</a>';
+		$link = '"' . $this->record->Title . '"';
 		$message = _t(
 			'GridFieldDetailForm.Saved', 
 			'Saved {name} {link}',