Merge pull request #151 from stojg/pull/prevent-xss-attacks

Security: XSS can be injected in the group edit view

code/extensions/GroupSubsites.php

@@ -55,6 +55,9 @@ class GroupSubsites extends DataExtension implements PermissionProvider {
 
 			$subsites = Subsite::accessible_sites(array('ADMIN', 'SECURITY_SUBSITE_GROUP'), true);
 			$subsiteMap = $subsites->map();
+
+			// Prevent XSS injection
+			$subsiteMap = Convert::raw2xml($subsiteMap);
 			
 			// Interface is different if you have the rights to modify subsite group values on
 			// all subsites

code/extensions/SiteTreeSubsites.php

@@ -65,7 +65,7 @@ class SiteTreeSubsites extends DataExtension {
 		if($subsites && $subsites->Count()) {
 			$subsitesMap = $subsites->map('ID', 'Title');
 			unset($subsitesMap[$this->owner->SubsiteID]);
-		} 
+		}
 
 		// Master page edit field (only allowed from default subsite to avoid inconsistent relationships)
 		$isDefaultSubsite = $this->owner->SubsiteID == 0 || $this->owner->Subsite()->DefaultSite;