
Escape unsafe menu element (#4013)

While most menu elements come from xliff files,
some can be submitted by users,
like the text representation of the subject of an admin.
ellementA 8 年之前
父节点
当前提交
6a1b9f7246
共有 3 个文件被更改,包括 12 次插入1 次删除
  1. 2 0
      Admin/BreadcrumbsBuilder.php
  2. 7 1
      Resources/views/standard_layout.html.twig
  3. 3 0
      Tests/Admin/BreadcrumbsBuilderTest.php

+ 2 - 0
Admin/BreadcrumbsBuilder.php

@@ -88,6 +88,8 @@ final class BreadcrumbsBuilder implements BreadcrumbsBuilderInterface
                 )
             );
 
+            $menu->setExtra('safe_label', false);
+
             return $this->buildBreadcrumbs($childAdmin, $action, $menu);
         }
 
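Review bot: The `setExtra('safe_label', false)` call only marks the single node handed to the recursive `buildBreadcrumbs` call, while every other node this method creates (the test section of this commit shows 'My subject' and 'Mon action' children being added) keeps the template's fallback of `safe_label = true` and is still rendered through `|raw`. If any of those labels are also built from admin-supplied text such as the subject's string representation, they need the same marking; it would be more robust to mark the translated (xliff) labels as safe and treat everything else as unsafe. A why-comment would help the next maintainer: `// The subject label is user-supplied text, so the template must escape it.`. The enclosing method starts and ends outside this hunk, so I cannot confirm which node carries the subject label from here.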

+ 7 - 1
Resources/views/standard_layout.html.twig

@@ -142,7 +142,13 @@ file that was distributed with this source code.
                                                         {% if not loop.last  %}
                                                             <li>
                                                                 {% if menu.uri is not empty %}
-                                                                    <a href="{{ menu.uri }}">{{ menu.label|raw }}</a>
+                                                                    <a href="{{ menu.uri }}">
+                                                                        {% if menu.extra('safe_label', true) %}
+                                                                            {{- menu.label|raw -}}
+                                                                        {% else %}
+                                                                            {{- menu.label -}}
+                                                                        {% endif %}
+                                                                    </a>
                                                                 {% else %}
                                                                     {{ menu.label }}
                                                                 {% endif %}
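Review bot: `menu.extra('safe_label', true)` makes raw output the default, so any menu node that the PHP side forgets to mark is rendered unescaped; the safer default for a fix of this kind is `{% if menu.extra('safe_label', false) %}`, with the builder setting the extra to true only for labels that come from translation files. The `{% else %}` branch for nodes without a URI already escapes `menu.label` unconditionally, so defaulting to escaped output here would also make the two branches consistent. The `loop.last` branch that renders the final breadcrumb is outside this hunk; it presumably prints the label too and should get the same conditional, but I cannot confirm that from here.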

+ 3 - 0
Tests/Admin/BreadcrumbsBuilderTest.php

@@ -370,6 +370,7 @@ class BreadcrumbsBuilderTest extends \PHPUnit_Framework_TestCase
         $adminSubjectMenu->addChild('Ma classe fille', array(
             'uri' => '/myadmin/my-object/mychildadmin/list',
         ))->shouldBeCalled()->willReturn($childMenu->reveal());
+        $adminSubjectMenu->setExtra('safe_label', false)->willReturn($childMenu);
 
         $childMenu->addChild('My subject')
             ->shouldBeCalled()->willReturn($leafMenu->reveal());
@@ -482,8 +483,10 @@ class BreadcrumbsBuilderTest extends \PHPUnit_Framework_TestCase
         $menu->addChild('My subject')->willReturn($menu);
         $menu->addChild('My subject', array('uri' => null))->willReturn($menu);
         $menu->addChild('Ma classe fille', array('uri' => null))->willReturn($menu);
+        $menu->setExtra('safe_label', false)->willReturn($menu);
         $menu->addChild('Mon action', array())->willReturn($menu);
 
+
         $breadcrumbsBuilder->buildBreadCrumbs($admin->reveal(), $action);
     }
 }
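Review bot: `$adminSubjectMenu->setExtra('safe_label', false)->willReturn($childMenu);` in the first hunk is a Prophecy stub, not an expectation, so the test still passes if the builder never calls `setExtra` and the escaping fix silently regresses; the neighbouring `addChild` line uses `->shouldBeCalled()`, and this one should too: `$adminSubjectMenu->setExtra('safe_label', false)->shouldBeCalled()->willReturn($childMenu->reveal());`. The same applies to `$menu->setExtra('safe_label', false)->willReturn($menu);` in the second hunk. Returning the prophecy object `$childMenu` instead of `$childMenu->reveal()` is also inconsistent with the line above it, even though the builder does not use the return value of `setExtra`. The second hunk additionally adds a stray blank line before the `buildBreadCrumbs` call.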