silverstripe-subsites/code
Elliot Sawyer 205754854c Sanitise domain name field to prevent XSS attack on the CMS
PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session".
I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway.

Steps to reproduce the original issue:
1. Enter a subsite name and mark as the default site.
2. Add a new domain named <script>alert(2)</script> and mark it as primary.
3. Switch to the new subsite.
4. Make a new Page. This will execute a JavaScript alert containing "2".

MINOR update documentation for onBeforeWrite()
MINOR add @property attributes into docblock
2014-07-16 15:43:05 +12:00
extensions Fixes #139 - Broken URL Segment CMS Links 2014-06-04 13:12:28 +01:00
forms Less intrusive doSave() overwrite of GridFieldDetailForm 2013-07-10 16:15:04 +02:00
model Sanitise domain name field to prevent XSS attack on the CMS 2014-07-16 15:43:05 +12:00
tasks SubsiteCopyPagesTask 2013-01-03 14:10:14 +01:00
SubsiteAdmin.php BUG Move the SubsiteList PJAX request to a dedicated Controller. 2013-10-16 13:20:54 +13:00
SubsiteReportWrapper.php More globalisation 2013-10-30 13:44:06 +01:00
SubsitesVirtualPage.php More globalisation 2013-10-30 13:44:06 +01:00
SubsiteXHRController.php BUG Refactor the access checks and initial subsite redirections. 2013-12-04 17:34:27 +13:00