From db24d3e53e8cb0b886ff3fc58af855e03fe61a9c Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Wed, 9 Dec 2020 15:28:48 +0200
Subject: [PATCH] Fixed `pages` field escaping issues, needs admin update, too
---
 CHANGELOG.md | 6 ++++++
 system/src/Grav/Common/Page/Pages.php | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96edf58e6..e48b89d83 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v1.6.31
+## mm/dd/2020
+
+1. [](#bugfix)
+ * Fixed `pages` field escaping issues, needs admin update, too [admin#1990](https://github.com/getgrav/grav-plugin-admin/issues/1990)
+
 # v1.6.30
 ## 12/03/2020
diff --git a/system/src/Grav/Common/Page/Pages.php b/system/src/Grav/Common/Page/Pages.php
index 513a7ba2e..fa274b3d3 100644
--- a/system/src/Grav/Common/Page/Pages.php
+++ b/system/src/Grav/Common/Page/Pages.php
@@ -688,7 +688,7 @@ class Pages
 }
 /**
- * Get list of route/title of all pages.
+ * Get list of route/title of all pages. Title is in HTML.
 *
 * @param PageInterface $current
 * @param int $level
@@ -721,10 +721,10 @@ class Pages
 }
 if ($showFullpath) {
- $option = $current->route();
+ $option = htmlspecialchars($current->route());
 } else {
 $extra = $showSlug ? '(' . $current->slug() . ') ' : '';
- $option = str_repeat('—-', $level). '▸ ' . $extra . $current->title();
+ $option = str_repeat('—-', $level). '▸ ' . $extra . htmlspecialchars($current->title());
 }
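Review bot: The docblock in the `@@ -688,7 +688,7 @@` hunk says only "Title is in HTML", but the later hunk also passes `$current->route()` through `htmlspecialchars()` when `$showFullpath` is set, so every value in the returned list is HTML, not just the title form. I would word the line as `* Get list of route/title of all pages. Values are HTML-escaped; output them without escaping again.` so that callers do not double-encode them. It would also help to name the output context the values are safe for, because both calls visible in the later hunk use `htmlspecialchars()` with its default flags, and on PHP versions before 8.1 those defaults leave single quotes unencoded. The method body lies outside this hunk, so whether the array keys are escaped as well cannot be confirmed from here.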