SS-2014-011: Folder filename injection

Severity: Low (?)
Identifier: SS-2014-011
Versions Affected: 3.0.10, 3.1.4, master
Versions Fixed: 3.0.11, 3.1.5, master
Release Date: 2014-05-07

When editing files and assets in the CMS it was possible to rename a folder using invalid characters, allowing the resulting filename to be injected directly into the HTML of the page. Although the folder itself would have these invalid characters stripped, the `Title` field of folders would not be cleaned using the same method.

The fix ensures that both the `Name` and `Title` of Folder objects are correctly cleaned of invalid characters.
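The Name/Title mismatch described above, as a self-contained PHP illustration added here (it is not SilverStripe's code). `cleanName()` and its character rules, the two rename functions, the template and the regression check are hypothetical stand-ins, and the input is a constructed sample.

```php
<?php
// Added illustration, not SilverStripe's code. cleanName() is a hypothetical
// stand-in for the CMS filename filter; its character rules are assumed.
function cleanName(string $raw): string
{
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '-', trim($raw));
    $name = trim($name, '-.');
    return $name === '' ? 'new-folder' : $name;
}

// Before the fix: Name is filtered, Title keeps the raw input.
function renameFolderBefore(string $input): array
{
    return ['Name' => cleanName($input), 'Title' => $input];
}

// After the fix: Name and Title pass through the same filter.
function renameFolderAfter(string $input): array
{
    $clean = cleanName($input);
    return ['Name' => $clean, 'Title' => $clean];
}

// Hypothetical template that writes Title into the page unescaped.
function renderRow(array $folder): string
{
    return '<li class="folder">' . $folder['Title'] . '</li>';
}

// Regression check: a stored value is clean if filtering leaves it unchanged.
function dirtyFields(array $folder): array
{
    return array_keys(array_filter($folder, function ($v) {
        return cleanName($v) !== $v;
    }));
}

$input = 'reports<b>2014</b>'; // constructed sample with harmless markup

foreach (['before' => renameFolderBefore($input),
          'after'  => renameFolderAfter($input)] as $label => $folder) {
    printf("%-6s Name=%s\n", $label, $folder['Name']);
    printf("       row=%s\n", renderRow($folder));
    printf("       unfiltered fields: %s\n", implode(', ', dirtyFields($folder)) ?: 'none');
}
```

Running `dirtyFields()` over every user-editable field of a record is a cheap test to keep in a suite so that a field added later cannot bypass the shared filter unnoticed.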
