From bd5bd877fdce021e43e239664d487d9f006045fa Mon Sep 17 00:00:00 2001
From: Stig Lindqvist
Date: Thu, 31 Jul 2014 09:51:06 +1200
Subject: [PATCH] Security: XSS can be injected in the group edit view
---
 code/extensions/GroupSubsites.php | 3 +++
 code/extensions/SiteTreeSubsites.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/code/extensions/GroupSubsites.php b/code/extensions/GroupSubsites.php
index a852742..4376b46 100644
--- a/code/extensions/GroupSubsites.php
+++ b/code/extensions/GroupSubsites.php
@@ -55,6 +55,9 @@ class GroupSubsites extends DataExtension implements PermissionProvider {
 $subsites = Subsite::accessible_sites(array('ADMIN', 'SECURITY_SUBSITE_GROUP'), true);
 $subsiteMap = $subsites->map();
+
+ // Prevent XSS injection
+ $subsiteMap = Convert::raw2xml($subsiteMap);
 // Interface is different if you have the rights to modify subsite group values on
 // all subsites
diff --git a/code/extensions/SiteTreeSubsites.php b/code/extensions/SiteTreeSubsites.php
index 90f593c..93505b3 100644
--- a/code/extensions/SiteTreeSubsites.php
+++ b/code/extensions/SiteTreeSubsites.php
@@ -65,7 +65,7 @@ class SiteTreeSubsites extends DataExtension {
 if($subsites && $subsites->Count()) {
 $subsitesMap = $subsites->map('ID', 'Title');
 unset($subsitesMap[$this->owner->SubsiteID]);
- }
+ }
 // Master page edit field (only allowed from default subsite to avoid inconsistent relationships)
 $isDefaultSubsite = $this->owner->SubsiteID == 0 || $this->owner->Subsite()->DefaultSite;
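Review bot: The escaping added in `$subsiteMap = Convert::raw2xml($subsiteMap);` is applied to the data rather than at the point of output, so it is only correct as long as the form field that later consumes `$subsiteMap` (outside this hunk) emits its source values unescaped; if that field is ever fixed to escape its own source, subsite titles containing `&`, `<` or quotes will render double-encoded (`&amp;amp;`). The one-word comment `// Prevent XSS injection` does not record that dependency; I would replace it with `// Escape subsite titles here because the field rendering this map outputs its source values raw; remove this once the field escapes them itself, or titles will be double-encoded.` It is also worth confirming that `Convert::raw2xml` accepts an array and escapes each value while leaving the integer ID keys untouched, since the field needs the keys intact and a scalar-only implementation would collapse the map to a string. The enclosing method starts and ends outside the hunk, so where the map is consumed cannot be checked from here.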