From f69161efef1adccb0ec3ce7a77f9ecc757a68eba Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Tue, 24 Sep 2013 14:28:28 +0200
Subject: [PATCH] FIX Auto-escape titles in TreeDropdownField

Related to SS-2013-009. While the default "TreeTitle" was escaped within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title weren't escaped. The new logic uses the underlying casting helpers on the processed objects.
---
 forms/TreeDropdownField.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/forms/TreeDropdownField.php b/forms/TreeDropdownField.php
index b336c71ce..1d281f5cf 100755
--- a/forms/TreeDropdownField.php
+++ b/forms/TreeDropdownField.php
@@ -233,8 +233,14 @@ class TreeDropdownField extends FormField {
 }
 }
+ if($obj->escapeTypeForField($this->labelField) == 'xml') {
+ $labelFieldEval = '$child->' . $this->labelField;
+ } else {
+ $labelFieldEval = 'Convert::raw2xml($child->' . $this->labelField . ')';
+ }
+
 $eval = '"
  • Name() . '-{$child->' . $this->keyField . '}\" class=\"$child->class"' .
- ' . $child->markingClasses() . "\">ID\">" . $child->' . $this->labelField . ' . ""';
+ ' . $child->markingClasses() . "\">ID\">" . ' . $labelFieldEval . ' . ""';
 if($isSubTree) {
 return substr(trim($obj->getChildrenAsUL('', $eval, null, true)), 4, -5);