From be25c302ac10dce2e0e512aea203894b2121c230 Mon Sep 17 00:00:00 2001
From: Simon Welsh
Date: Fri, 10 May 2013 14:05:06 +1200
Subject: [PATCH] FIX Escape the sitetree_link shortcode return value
---
 code/model/SiteTree.php | 6 ++++--
 tests/model/SiteTreeTest.php | 8 ++++++++
 tests/model/SiteTreeTest.yml | 10 +++++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index 264da89f..bd8558f4 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -400,11 +400,13 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 ) {
 return; // There were no suitable matches at all.
 }
+
+ $link = Convert::raw2att($page->Link());
 if($content) {
- return sprintf('%s', $page->Link(), $parser->parse($content));
+ return sprintf('%s', $link, $parser->parse($content));
 } else {
- return $page->Link();
+ return $link;
 }
 }
diff --git a/tests/model/SiteTreeTest.php b/tests/model/SiteTreeTest.php
index 18b07c4d..863e290b 100644
--- a/tests/model/SiteTreeTest.php
+++ b/tests/model/SiteTreeTest.php
@@ -554,6 +554,7 @@ class SiteTreeTest extends SapphireTest {
 public function testLinkShortcodeHandler() {
 $aboutPage = $this->objFromFixture('Page', 'about');
 $errorPage = $this->objFromFixture('ErrorPage', '404');
+ $redirectPage = $this->objFromFixture('RedirectorPage', 'external');
 $parser = new ShortcodeParser();
 $parser->register('sitetree_link', array('SiteTree', 'link_shortcode_handler'));
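Review bot: In what appears to be `SiteTree::link_shortcode_handler` (code/model/SiteTree.php), `Convert::raw2att()` on the new `$link` line keeps the URL from breaking out of an attribute, but it does not constrain the URL scheme, and the test fixture shows the link can come from an editor-supplied `ExternalURL`. Whether `Link()` or RedirectorPage already rejects non-http(s) schemes is not visible here; if it does not, an allow-list check on the scheme before returning would close that gap. The no-content branch now returns an already-escaped value, so a comment such as `// Escaped for HTML attribute context; callers must not escape again` above the `$link` assignment would guard against double-encoding later. The method starts outside the hunk.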
@@ -580,6 +581,13 @@ class SiteTreeTest extends SapphireTest {
 $this->assertEquals($aboutShortcodeExpected, $parser->parse($aboutShortcode), 'Test link to 404 page if no suitable matches.');
 $this->assertEquals($aboutEnclosedExpected, $parser->parse($aboutEnclosed));
+
+ $redirectShortcode = sprintf('[sitetree_link,id=%d]', $redirectPage->ID);
+ $redirectEnclosed = sprintf('[sitetree_link,id=%d]Example Content[/sitetree_link]', $redirectPage->ID);
+ $redirectExpected = 'http://www.google.com?a&b';
+
+ $this->assertEquals($redirectExpected, $parser->parse($redirectShortcode));
+ $this->assertEquals(sprintf('Example Content', $redirectExpected), $parser->parse($redirectEnclosed));
 $this->assertEquals('', $parser->parse('[sitetree_link]'), 'Test that invalid ID attributes are not parsed.');
 $this->assertEquals('', $parser->parse('[sitetree_link,id="text"]'));
diff --git a/tests/model/SiteTreeTest.yml b/tests/model/SiteTreeTest.yml
index f4fe7275..f76c1be5 100644
--- a/tests/model/SiteTreeTest.yml
+++ b/tests/model/SiteTreeTest.yml
@@ -79,4 +79,12 @@ SiteTreeTest_Conflicted:
 ErrorPage:
 404:
 Title: Page not Found
- ErrorCode: 404
\ No newline at end of file
+ ErrorCode: 404
+
+RedirectorPage:
+ external:
+ Title: External
+ URLSegment: external
+ RedirectionType: External
+ ExternalURL: "http://www.google.com?a&b"
+
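Review bot: The new assertions in `testLinkShortcodeHandler` (second hunk of tests/model/SiteTreeTest.php) only exercise an `&` in the fixture URL, so the attribute break-out case the escaping exists for, a double quote in the link, is not pinned. Consider adding a second RedirectorPage fixture whose `ExternalURL` contains a `"` and asserting that the parsed output carries `&quot;` in its place. As rendered on this page `$redirectExpected` is identical to the raw fixture value, which may be entity decoding by the page rather than the real patch; if it is the real value, the assertion would pass with or without the escaping. The test method starts and ends outside the hunk.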