FormField validation messages generated by the Validator class will now be automatically XML encoded before being rendered alongside an invalid field.

If a validation message in a custom Validator instance should be rendered as literal HTML, then the $message parameter for Validator::validationError should be passed as an instance of HTMLText

For example:

class MyCustomValidator extends Validator {
	public function php($data) { 
			DBField::create_field('HTMLText', "Invalid email. Please sign up at <a href='signup'>this page</a>")

Change Log


  • 2015-11-11 245e0aa Fix FormField error messages not being encoded safely (Damian Mooyman) - See ss-2015-026
  • 2015-11-09 53b3bc7 Dont expose class on error (Hamish Friedlander) - See ss-2015-025
  • 2015-11-01 ac4342d XML escape RSSFeed $link parameter (Ingo Schommer) - See ss-2015-022
  • 2015-10-28 97f21fd Fix rewrite hash links XSS (Damian Mooyman) - See ss-2015-021


  • 2015-10-20 b857bdf Fix duplicate files being included in case of flush (Damian Mooyman)
  • 2015-10-08 ff6c0a3 (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)