Security: XSS can be injected in the group edit view

code/extensions/GroupSubsites.php

@@ -56,6 +56,9 @@ class GroupSubsites extends DataExtension implements PermissionProvider {
 			$subsites = Subsite::accessible_sites(array('ADMIN', 'SECURITY_SUBSITE_GROUP'), true);
 			$subsiteMap = $subsites->map();
 
+			// Prevent XSS injection
+			$subsiteMap = Convert::raw2xml($subsiteMap);
+			
 			// Interface is different if you have the rights to modify subsite group values on
 			// all subsites
 			if(isset($subsiteMap[0])) {