tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

FIX Auto-escape titles in TreeDropdownField

Browse Source 
Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
This commit is contained in:
Ingo Schommer 2013-09-24 12:59:05 +02:00
parent b383a07f90
commit 114fb59107
1 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
forms/TreeDropdownField.php
View File

@ -263,14 +263,28 @@ class TreeDropdownField extends FormField {
$obj->markToExpose($this->objectForKey($value));
}
}
$eval = '"<li id=\"selector-' . $this->getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->'
. $this->keyField . '\" class=\"class-$child->class"'
. ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"';
$self = $this;
$escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');
$titleFn = function(&$child) use(&$self, $escapeLabelField) {
$keyField = $self->keyField;
$labelField = $self->labelField;
return sprintf(
'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
Convert::raw2xml($self->getName()),
Convert::raw2xml($child->$keyField),
Convert::raw2xml($child->$keyField),
Convert::raw2xml($child->class),
Convert::raw2xml($child->markingClasses()),
(int)$child->ID,
$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField
);
};
if($isSubTree) {
return substr(trim($obj->getChildrenAsUL('', $eval, null, true, $this->childrenMethod)), 4, -5);
return substr(trim($obj->getChildrenAsUL('', $titleFn, null, true, $this->childrenMethod)), 4, -5);
} else {
return $obj->getChildrenAsUL('class="tree"', $eval, null, true, $this->childrenMethod);
return $obj->getChildrenAsUL('class="tree"', $titleFn, null, true, $this->childrenMethod);
}
}
@ -290,7 +304,7 @@ class TreeDropdownField extends FormField {
return true;
}
/**
* Populate $this->searchIds with the IDs of the pages matching the searched parameter and their parents.
* Reverse-constructs the tree starting from the leaves. Initially taken from CMSSiteTreeFilter, but modified