tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

FIX Auto-escape titles in TreeDropdownField

Browse Source 
Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
This commit is contained in:
Ingo Schommer 2013-09-24 14:28:28 +02:00
parent 81ccb8d78e
commit f69161efef
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
forms/TreeDropdownField.php
View File

@ -233,8 +233,14 @@ class TreeDropdownField extends FormField {
}
}
if($obj->escapeTypeForField($this->labelField) == 'xml') {
$labelFieldEval = '$child->' . $this->labelField;
} else {
$labelFieldEval = 'Convert::raw2xml($child->' . $this->labelField . ')';
}
$eval = '"<li id=\"selector-' . $this->Name() . '-{$child->' . $this->keyField . '}\" class=\"$child->class"' .
' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"';
' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . ' . $labelFieldEval . ' . "</a>"';
if($isSubTree) {
return substr(trim($obj->getChildrenAsUL('', $eval, null, true)), 4, -5);