SS-2016-013: Member.Name isn't escaped
- Low (?)
- Versions Affected:
- 3.1.19, 3.2.4, 3.3.2. 3.4.0
- Versions Fixed:
- 3.1.20, 3.2.5, 3.3.3. 3.4.1
- Release Date:
The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name".
If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.
Credit to Matt Peel for reporting.