Silverstripe silverstripe/framework up to and including 4.11 allows XSS via the href attribute of a link (issue 2 of 2).
silverstripe framework