From 8e9b9e3bbe7a87032595b94a41df341eb76a476b Mon Sep 17 00:00:00 2001
From: Guy Sartorelli
Date: Mon, 9 Dec 2024 16:28:00 +1300
Subject: [PATCH] FIX Escape user input from an HTML context.

There is no XSS vulnerability here due to other measures to mitigate one - but user input which includes HTML characters still might not render correctly without this fix.
---
 src/RestoreAction.php | 3 ++-
 src/VersionedGridFieldItemRequest.php | 10 +++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/RestoreAction.php b/src/RestoreAction.php
index a9739edc..4be5d40b 100644
--- a/src/RestoreAction.php
+++ b/src/RestoreAction.php
@@ -2,6 +2,7 @@
 namespace SilverStripe\Versioned;
+use SilverStripe\Core\Convert;
 use SilverStripe\ORM\Hierarchy\Hierarchy;
 use SilverStripe\ORM\ValidationException;
 use SilverStripe\Versioned\Versioned;
@@ -86,7 +87,7 @@ public static function restore($item)
 public static function getRestoreMessage($originalItem, $restoredItem, $changedLocation = false)
 {
 $restoredID = $restoredItem->Title ?: $restoredItem->ID;
- $restoredType = strtolower($restoredItem->i18n_singular_name() ?? '');
+ $restoredType = Convert::raw2xml(strtolower($restoredItem->i18n_singular_name() ?? ''));
 if (method_exists($restoredItem, 'CMSEditLink') && $restoredItem->CMSEditLink()) {
diff --git a/src/VersionedGridFieldItemRequest.php b/src/VersionedGridFieldItemRequest.php
index 9f23d801..f09699bd 100644
--- a/src/VersionedGridFieldItemRequest.php
+++ b/src/VersionedGridFieldItemRequest.php
@@ -132,8 +132,8 @@ public function doArchive($data, $form)
 __CLASS__ . '.Archived',
 'Archived {name} "{title}"',
 [
- 'name' => $record->i18n_singular_name(),
- 'title' => $title
+ 'name' => Convert::raw2xml($record->i18n_singular_name()),
+ 'title' => Convert::raw2xml($title)
 ]
 );
 $this->setFormMessage($form, $message);
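Review bot: `$restoredID` on the context line just above the change is still unescaped although it is taken from `$restoredItem->Title`, the same user-controlled kind of value this commit is escaping elsewhere; only `$restoredType` received `Convert::raw2xml`. If `$restoredID` is interpolated into the same HTML message later in getRestoreMessage (that use, and the rest of the function, are outside this hunk), it should be escaped at the same point: `$restoredID = Convert::raw2xml($restoredItem->Title ?: $restoredItem->ID);`. As a side note, `?:` tests truthiness, so a title of `"0"` silently falls back to the ID — pre-existing behaviour, but worth a comment such as `// falls back to ID for empty (or "0") titles` if it is intended.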
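Review bot: The new `Convert::raw2xml` calls in this hunk need `SilverStripe\Core\Convert` to be imported in VersionedGridFieldItemRequest.php, but unlike the RestoreAction.php hunk this patch adds no `use SilverStripe\Core\Convert;` to that file — the diffstat's 5 insertions for it are fully accounted for by the three message hunks. Unless the import already exists above the visible lines, the unqualified `Convert` resolves to `SilverStripe\Versioned\Convert` and the archive action fails at runtime; please confirm, or add `use SilverStripe\Core\Convert;` to that file's import block. Separately, escaping here is only right if `setFormMessage` renders the message as HTML; if it already casts the message to text, these values will render double-encoded (`&amp;amp;`), so a one-line note like `// message is rendered as HTML; user-supplied values are escaped once here` would make the contract explicit. `$title` is assigned outside this hunk, and doArchive starts before it.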
@@ -174,7 +174,7 @@ public function doPublish($data, $form)
 __CLASS__ . '.Published',
 'Published {name} {link}',
 [
- 'name' => $record->i18n_singular_name(),
+ 'name' => Convert::raw2xml($record->i18n_singular_name()),
 'link' => $link
 ]
 );
@@ -218,8 +218,8 @@ public function doUnpublish($data, $form)
 __CLASS__ . '.Unpublished',
 'Unpublished {name} "{title}"',
 [
- 'name' => $record->i18n_singular_name(),
- 'title' => $title
+ 'name' => Convert::raw2xml($record->i18n_singular_name()),
+ 'title' => Convert::raw2xml($title)
 ]
 );
 $this->setFormMessage($form, $message);
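Review bot: `'link' => $link` stays unescaped while `name` is now escaped, so this message is only as safe as whatever built `$link` — which happens outside this hunk, as does the start of doPublish. If `$link` is an anchor whose visible text is the record title, the title has to be escaped where the anchor is assembled (e.g. `Convert::raw2xml($record->Title)` inside the `<a>` markup), because escaping the whole `$link` here would break the tag. A comment such as `// $link is pre-built, already-escaped HTML and is intentionally not escaped again` would make the asymmetry deliberate rather than an oversight.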
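Review bot: This is the third copy of the same escaping pattern in this file — `Convert::raw2xml($record->i18n_singular_name())` appears in doArchive, doPublish and here, and `Convert::raw2xml($title)` in two of them — so the next status message added to this class is likely to miss the escaping again. A small private helper for the escaped record name, e.g. `private function escapedSingularName($record): string { return Convert::raw2xml($record->i18n_singular_name()); }`, used by all three `_t()` calls would keep them consistent and give one place to document the HTML context. doUnpublish starts before the hunk, so its `$title` assignment is not visible here.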