SS-2016-013: Member.Name isn't escaped

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: ss-2016-013
Versions Affected:: 3.1.19, 3.2.4, 3.3.2. 3.4.0
Versions Fixed:: 3.1.20, 3.2.5, 3.3.3. 3.4.1
Release Date:: 2016-08-15

The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name".

If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.

Credit to Matt Peel for reporting.