# 3.0.7-rc1

## Overview

### Security: XSS in form validation errors (SS-2013-008)

See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/)

### Security: XSS in CMS "Pages" section (SS-2013-009)

See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/)

### API: Form validation message no longer allow HTML

Due to cross-site scripting concerns when user data is used for form messages,
it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently
in the `FormField->validate()` API.