From d8d07d971e67e5774172791a7687e0b0bff94e4c Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Tue, 24 Sep 2013 12:59:05 +0200
Subject: [PATCH] FIX Auto-escape titles in TreeDropdownField

Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
---
 forms/TreeDropdownField.php | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/forms/TreeDropdownField.php b/forms/TreeDropdownField.php
index c793b9549..abffad185 100644
--- a/forms/TreeDropdownField.php
+++ b/forms/TreeDropdownField.php
@@ -265,9 +265,23 @@ class TreeDropdownField extends FormField {
 				$obj->markToExpose($this->objectForKey($value));
 			}
 		}
-		$eval = '"<li id=\"selector-' . $this->getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->'
-			. $this->keyField . '\" class=\"class-$child->class"' 
-			. ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"';
+
+		$self = $this;
+		$escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');
+		$titleFn = function(&$child) use(&$self, $escapeLabelField) {
+			$keyField = $self->keyField;
+			$labelField = $self->labelField;
+			return sprintf(
+				'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
+				Convert::raw2xml($self->getName()),
+				Convert::raw2xml($child->$keyField),
+				Convert::raw2xml($child->$keyField),
+				Convert::raw2xml($child->class),
+				Convert::raw2xml($child->markingClasses()),
+				(int)$child->ID,
+				$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField
+			);
+		};
 
 		// Limit the amount of nodes shown for performance reasons.
 		// Skip the check if we're filtering the tree, since its not clear how many children will
@@ -290,7 +304,7 @@ class TreeDropdownField extends FormField {
 		if($isSubTree) {
 			$html = $obj->getChildrenAsUL(
 				"",
-				$eval,
+				$titleFn,
 				null,
 				true, 
 				$this->childrenMethod,
@@ -303,7 +317,7 @@ class TreeDropdownField extends FormField {
 		} else {
 			$html = $obj->getChildrenAsUL(
 				'class="tree"',
-				$eval,
+				$titleFn,
 				null,
 				true, 
 				$this->childrenMethod,