$OpenBSD: patch-framework_forms_TreeDropdownField_php,v 1.1 2013/10/01 18:58:21 jasper Exp $

commit f3ef04a432571a787722d840d99d6ca26750e28e
Author: Ingo Schommer <ingo@silverstripe.com>
Date:   Tue Sep 24 12:59:05 2013 +0200
Subject: FIX Auto-escape titles in TreeDropdownField
    
    Related to SS-2013-009. While the default "TreeTitle" was escaped
    within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
    weren't escaped. The new logic uses the underlying casting helpers
    on the processed objects.

--- framework/forms/TreeDropdownField.php.orig	Wed Feb 20 02:02:44 2013
+++ framework/forms/TreeDropdownField.php	Tue Oct  1 20:56:22 2013
@@ -263,14 +263,28 @@ class TreeDropdownField extends FormField {
 				$obj->markToExpose($this->objectForKey($value));
 			}
 		}
-		$eval = '"<li id=\"selector-' . $this->getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->'
-			. $this->keyField . '\" class=\"class-$child->class"' 
-			. ' . $child->markingClasses() . "\"><a rel=\"$child->ID\">" . $child->' . $this->labelField . ' . "</a>"';
 
+		$self = $this;
+		$escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml');
+		$titleFn = function(&$child) use(&$self, $escapeLabelField) {
+			$keyField = $self->keyField;
+			$labelField = $self->labelField;
+			return sprintf(
+				'<li id="selector-%s-%s" data-id="%s" class="class-%s %s"><a rel="%d">%s</a>',
+				Convert::raw2xml($self->getName()),
+				Convert::raw2xml($child->$keyField),
+				Convert::raw2xml($child->$keyField),
+				Convert::raw2xml($child->class),
+				Convert::raw2xml($child->markingClasses()),
+				(int)$child->ID,
+				$escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField
+			);
+		};
+
 		if($isSubTree) {
-			return substr(trim($obj->getChildrenAsUL('', $eval, null, true, $this->childrenMethod)), 4, -5);
+			return substr(trim($obj->getChildrenAsUL('', $titleFn, null, true, $this->childrenMethod)), 4, -5);
 		} else {
-			return $obj->getChildrenAsUL('class="tree"', $eval, null, true, $this->childrenMethod);
+			return $obj->getChildrenAsUL('class="tree"', $titleFn, null, true, $this->childrenMethod);
 		}
 	}
 
