Add HTML escaping.

Add an escape option to toggle HTML escaping of attributes and node text.

Cake/View/Input/SelectBox.php

@@ -53,12 +53,21 @@ public function __construct($templates) {
 	}
 
 	public function render($data) {
+		$data += [
+			'name' => '',
+			'empty' => false,
+			'escape' => true,
+			'options' => [],
+			'disabled' => null,
+			'value' => null,
+		];
+
 		if (empty($data['name'])) {
 			throw new \RuntimeException('Cannot make inputs with empty name attributes.');
 		}
 		$options = $this->_renderContent($data);
 		$name = $data['name'];
-		unset($data['name'], $data['options'], $data['empty'], $data['value']);
+		unset($data['name'], $data['options'], $data['empty'], $data['value'], $data['escape']);
 		if (isset($data['disabled']) && is_array($data['disabled'])) {
 			unset($data['disabled']);
 		}
@@ -73,9 +82,6 @@ public function render($data) {
 
 	protected function _renderContent($data) {
 		$out = [];
-		if (!isset($data['options'])) {
-			$data['options'] = [];
-		}
 		$options = $data['options'];
 
 		if (!empty($data['empty'])) {
@@ -92,15 +98,15 @@ protected function _renderContent($data) {
 		if (isset($data['disabled']) && is_array($data['disabled'])) {
 			$disabled = $data['disabled'];
 		}
-		return $this->_renderOptions($options, $disabled, $selected);
+		return $this->_renderOptions($options, $disabled, $selected, $data['escape']);
 	}
 
-	protected function _renderOptions($options, $disabled, $selected) {
+	protected function _renderOptions($options, $disabled, $selected, $escape) {
 		foreach ($options as $key => $val) {
 			if (is_array($val)) {
-				$groupOptions = $this->_renderOptions($val, $disabled, $selected);
+				$groupOptions = $this->_renderOptions($val, $disabled, $selected, $escape);
 				$out[] = $this->_templates->format('optgroup', [
-					'label' => $key,
+					'label' => $escape ? h($key) : $key,
 					'content' => implode('', $groupOptions)
 				]);
 			} else {
@@ -115,8 +121,8 @@ protected function _renderOptions($options, $disabled, $selected) {
 				}
 
 				$out[] = $this->_templates->format($template, [
-					'name' => $key,
-					'value' => $val
+					'name' => $escape ? h($key) : $key,
+					'value' => $escape ? h($val) : $val,
 				]);
 			}
 		}

Test/TestCase/View/Input/SelectBoxTest.php

@@ -389,7 +389,51 @@ public function testRenderEmptyOption() {
  * @return void
  */
 	public function testRenderEscapingOption() {
-		$this->markTestIncomplete('Not done');
+		$select = new SelectBox($this->templates);
+		$data = [
+			'name' => 'Birds[name]',
+			'options' => [
+				'a' => '>Albatross',
+				'b' => '>Budgie',
+				'c' => '>Canary',
+			]
+		];
+		$result = $select->render($data);
+		$expected = [
+			'select' => [
+				'name' => 'Birds[name]',
+			],
+			['option' => ['value' => 'a']],
+			'>Albatross',
+			'/option',
+			['option' => ['value' => 'b']],
+			'>Budgie',
+			'/option',
+			['option' => ['value' => 'c']],
+			'>Canary',
+			'/option',
+			'/select'
+		];
+		$this->assertTags($result, $expected);
+
+		$data = [
+			'escape' => false,
+			'name' => 'Birds[name]',
+			'options' => [
+				'>a' => '>Albatross',
+			]
+		];
+		$result = $select->render($data);
+		$expected = [
+			'select' => [
+				'name' => 'Birds[name]',
+			],
+			['option' => ['value' => '>a']],
+			'>Albatross',
+			'/option',
+			'/select'
+		];
+		$this->assertTags($result, $expected);
 	}
 
 }