From 509eb96e967939f856d691e0a7fec81de93b4d9e Mon Sep 17 00:00:00 2001
From: Guy Sartorelli
Date: Mon, 9 Dec 2024 16:44:53 +1300
Subject: [PATCH] FIX Escape user input from an HTML context.
There is no XSS vulnerability here due to other measures to mitigate one - but user input which includes HTML characters still might not render correctly without this fix.
---
 src/Forms/GridField/GridFieldDetailForm_ItemRequest.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Forms/GridField/GridFieldDetailForm_ItemRequest.php b/src/Forms/GridField/GridFieldDetailForm_ItemRequest.php
index f4294dd949d..5421edc8b1a 100644
--- a/src/Forms/GridField/GridFieldDetailForm_ItemRequest.php
+++ b/src/Forms/GridField/GridFieldDetailForm_ItemRequest.php
@@ -567,13 +567,13 @@ public function doSave($data, $form)
 $this->saveFormIntoRecord($data, $form);
 $link = '"'
- . htmlspecialchars($this->record->Title ?? '', ENT_QUOTES)
+ . Convert::raw2xml($this->record->Title ?? '', ENT_QUOTES)
 . '"';
 $message = _t(
 'SilverStripe\\Forms\\GridField\\GridFieldDetailForm.Saved',
 'Saved {name} {link}',
 [
- 'name' => $this->getModelName(),
+ 'name' => Convert::raw2xml($this->getModelName()),
 'link' => $link
 ]
 );
@@ -834,8 +834,8 @@ public function doDelete($data, $form)
 'SilverStripe\\Forms\\GridField\\GridFieldDetailForm.Deleted',
 'Deleted {type} "{name}"',
 [
- 'type' => $this->getModelName(),
- 'name' => $this->record->Title
+ 'type' => Convert::raw2xml($this->getModelName()),
+ 'name' => Convert::raw2xml($this->record->Title)
 ]
 );
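Review bot: The `ENT_QUOTES` second argument on the added `Convert::raw2xml($this->record->Title ?? '', ENT_QUOTES)` line in doSave looks like a leftover from the htmlspecialchars() call it replaces; as far as I can tell Convert::raw2xml takes a single value, and PHP silently accepts a surplus argument to a user-defined method, so the flag does nothing while suggesting a quoting mode is being selected here. Drop it so the call reads `. Convert::raw2xml($this->record->Title ?? '')`, matching the other three raw2xml calls in this patch. If the quoting behaviour needs to be explicit, that belongs in Convert::raw2xml itself rather than at this call site. doSave's body continues outside the hunk.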
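Review bot: The new `'name' => Convert::raw2xml($this->record->Title)` line in doDelete passes Title without the `?? ''` fallback that the same field gets in doSave's hunk, so the two call sites now disagree on whether Title may be null; doSave evidently treats it as nullable, and whether raw2xml tolerates a null argument without a deprecation notice depends on its implementation, which is not visible here. For consistency write `'name' => Convert::raw2xml($this->record->Title ?? '')`. doDelete's body starts and ends outside the hunk.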