From ec9c15917dcd882baedfbe0cd4b0eb8ad0a844b7 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:12:21 +0200
Subject: [PATCH] FIX Escaping in "dependent pages" (SS-2013-009)

---
 code/model/SiteTree.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index c87d15da..4c7df17d 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -1850,8 +1850,20 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 			$dependentTable->getConfig()->getComponentByType('GridFieldDataColumns')
 				->setDisplayFields($dependentColumns)
 				->setFieldFormatting(array(
-				'Title' => '<a href=\"admin/pages/edit/show/$ID\">$Title</a>',
-				'AbsoluteLink' => '<a href=\"$value\">$value</a>',
+					'Title' => function($value, &$item) {
+						return sprintf(
+							'<a href=\"admin/pages/edit/show/%d\">%s</a>',
+							(int)$item->ID,
+							Convert::raw2xml($item->Title)
+						);
+					},
+					'AbsoluteLink' => function($value, &$item) {
+						return sprintf(
+							'<a href=\"%s\">%s</a>',
+							Convert::raw2xml($value),
+							Convert::raw2xml($value)
+						);
+					}
 				));
 		}