Silverstripe silverstripe/framework up to and including 4.11 allows XSS (issue 2 of 3).
silverstripe framework