XSS security hole in Oil generated admin templates
Hi,
I've found an XSS security problem with the oil generated admin screens.
If you do: oil generate admin posts title:string slug:string summary:text body:text user_id:int
The generated code uses: $this->template->set_global('post', $post, false);
Setting false as the 3rd parameter means that it's not filtered.
But then it's used as follows - and Form::input doesn't escape the values either: Form::input('title', Input::post('title', isset($post) ? $post->title : ''), array('class' => 'span6'));
Thanks,
Ian
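The pattern described above, reproduced in plain PHP as an added example (not code from the post or from the oil generator) so it runs without FuelPHP, with the escaped form beside the unescaped one. The helper name input_tag and the sample title are constructed for the example; in FuelPHP the equivalent escaping call is Security::htmlentities().

```php
<?php
// Added example, not code from the original post or from the oil generator.
// It reproduces the report in plain PHP: the generated template passes
// $post->title to Form::input() without escaping, and the value ends up
// inside an HTML attribute.

// Builds <input ...> the way a form helper would; $escape chooses the behaviour.
function input_tag(string $name, string $value, array $attrs = [], bool $escape = true): string
{
    if ($escape) {
        // ENT_QUOTES is required here: the value sits inside double quotes,
        // so a bare " would otherwise terminate the attribute early.
        $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    $html = '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
          . '" value="' . $value . '"';
    foreach ($attrs as $k => $v) {
        $html .= ' ' . $k . '="' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . ' />';
}

// Constructed sample: a stored title containing characters that matter in HTML.
$post = (object) ['title' => 'Summer "sale" & <b>more</b>'];

// Unfiltered global plus unescaped helper, as the post reports the generator emits:
// the quote in the title closes the value attribute and the remainder of the
// string is parsed as markup.
echo input_tag('title', $post->title, ['class' => 'span6'], false), "\n";

// Hardened: escape at the point of output, regardless of whether the object was
// passed to set_global() with filtering disabled.
echo input_tag('title', $post->title, ['class' => 'span6'], true), "\n";
```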