From b21ca118b0005fdaa76f24d715bf3dc6a0a7d101 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Sat, 28 Sep 2013 10:28:26 -0400
Subject: [PATCH] Fix missing escaping in sort()
---
 .../View/Helper/PaginatorHelperTest.php | 24 +++++++++++++++++++
 Cake/View/Helper/PaginatorHelper.php | 9 ++++---
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/Cake/Test/TestCase/View/Helper/PaginatorHelperTest.php b/Cake/Test/TestCase/View/Helper/PaginatorHelperTest.php
index ff76467e0b4..542af16a45a 100644
--- a/Cake/Test/TestCase/View/Helper/PaginatorHelperTest.php
+++ b/Cake/Test/TestCase/View/Helper/PaginatorHelperTest.php
@@ -247,6 +247,30 @@ public function testSortLinks() {
 $this->assertTags($result, $expected);
 }
 
+/**
+ * test sort() with escape option
+ */
+ public function testSortEscape() {
+ $result = $this->Paginator->sort('title', 'TestTitle >');
+ $expected = array(
+ 'a' => array('href' => '/index?sort=title&direction=asc'),
+ 'TestTitle >',
+ '/a'
+ );
+ $this->assertTags($result, $expected);
+
+ $result = $this->Paginator->sort('title', 'TestTitle >', ['escape' => true]);
+ $this->assertTags($result, $expected);
+
+ $result = $this->Paginator->sort('title', 'TestTitle >', ['escape' => false]);
+ $expected = array(
+ 'a' => array('href' => '/index?sort=title&direction=asc'),
+ 'TestTitle >',
+ '/a'
+ );
+ $this->assertTags($result, $expected);
+ }
+
 /**
 * test that sort() works with virtual field order options.
 *
diff --git a/Cake/View/Helper/PaginatorHelper.php b/Cake/View/Helper/PaginatorHelper.php
index 507334d7b29..a9b91c9262f 100644
--- a/Cake/View/Helper/PaginatorHelper.php
+++ b/Cake/View/Helper/PaginatorHelper.php
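Review bot: `testSortEscape()` in PaginatorHelperTest.php exercises only a bare `>` in the title, so it pins less of the escaping than the fix is meant to guarantee. One more case whose title contains `<`, `"` and `&` would cover this, e.g. `$this->Paginator->sort('title', '<b>Title</b> & "more"')` (a constructed sample) with the fully encoded text expected by default. As this page renders them, the escaped and unescaped `$expected` arrays both read `'TestTitle >'`; the first one has presumably lost an `&gt;` entity in extraction and should be checked against the repository. The test also mixes `array(...)` and `[...]` literals, and using one form throughout would match the new `sort()` signature.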
@@ -383,8 +383,11 @@ public function next($title = 'Next >>', $options = []) {
 * key the returned link will sort by 'desc'.
 * @link http://book.cakephp.org/2.0/en/core-libraries/helpers/paginator.html#PaginatorHelper::sort
 */
- public function sort($key, $title = null, $options = array()) {
- $options = array_merge(array('url' => array(), 'model' => null), $options);
+ public function sort($key, $title = null, $options = []) {
+ $options = array_merge(
+ ['url' => array(), 'model' => null, 'escape' => true],
+ $options
+ );
 $url = $options['url'];
 unset($options['url']);
 
@@ -423,7 +426,7 @@ public function sort($key, $title = null, $options = array()) {
 ['order' => null]
 );
 $vars = [
- 'text' => $title,
+ 'text' => $options['escape'] ? h($title) : $title,
 'url' => $this->url($url),
 ];
 return $this->_templater->format($template, $vars);
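Review bot: The docblock above `sort()` is not updated for the new `escape` option, so the now-default escaping and the way to opt out are undocumented; the docblock starts outside this hunk. I would add an option line such as `- escape: Whether or not to HTML escape the title. Defaults to true.` and state that `'escape' => false` makes the caller responsible for the title being safe markup. Because the default flips from raw to escaped output, callers that passed HTML titles (icons, `<span>` wrappers) will see it rendered as text after this change, which deserves a changelog or migration note. The defaults array also keeps `'url' => array()` inside an otherwise short-syntax literal; `'url' => []` would be consistent.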
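Review bot: Only `text` is escaped in the `$vars` assignment, while `url` goes to the template straight from `$this->url($url)`. That value lands in an `href` attribute and carries the sort key, so it is worth confirming that `url()` (not visible here) returns attribute-safe output. Titles that callers already ran through `h()` to work around the old behaviour will now be encoded twice, so those call sites need the manual `h()` removed rather than `'escape' => false` added. A short comment on the changed line, e.g. `// 'escape' => false means $title is trusted HTML and is emitted as-is`, would make the trust boundary explicit. `sort()` begins outside this hunk and its closing brace is not shown; the handling of a null `$title` is also outside it.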