@diosmosis opened this Issue on June 16th 2015 Member

In TrackingCodeGenerator::generate(), htmlentities() is used (improperly) to escape HTML characters. The result is then outputted w/o escaping in _displayJavascriptCode.twig. Instead, TrackingCodeGenerator should return JS code w/o any additional processing/escaping, and it should be escaped only in HTML/XML output.

This is BC breaking since it affects API output. Users of that API currently will have to unsanitize or display the text w/o escaping, so it may break uses.

Refs #4231, #8109

@tsteur commented on June 17th 2015 Owner

> This is BC breaking since it affects API output. User of that API currently will have to unsanitize or display the text w/o escaping, so it may break uses.

I'm not quite sure I understand. What exactly will break? Meaning what is the output before and after? Will people still be able to fetch the tracking code from the API and insert it automatically into the website? As it is 3.0.0 it is probably less important re BC but asking as there is already one issue merged. Hope we're not breaking API before :)

@diosmosis commented on June 17th 2015 Member

Right now, TrackingCodeGenerator will return already escaped output, which means SitesManager.getJavascriptTag will return escaped output, even if the format is JSON. After this issue is closed SitesManager.getJavascriptTag should return unescaped output for JSON results. If users are expecting escaped output, then their code may break.

There is no related BC break in 2.14.
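
The escaping-layer change discussed in this thread, as an added illustration that is not Matomo's own code: the generator returns plain JavaScript, the JSON renderer applies only JSON escaping, and HTML escaping happens once at the template boundary. The function names, the site id and the tracker URL are constructed for this example, and PHP 8 is assumed.

```php
<?php
// Added illustration, not Matomo's own code. Function names are placeholders chosen
// for this example; the point is where HTML escaping is applied, not the API shape.

// Before: escaping inside the generator, so every output format inherits HTML entities.
function generateTrackingCodeEscapedInGenerator(int $idSite, string $trackerUrl): string
{
    return htmlentities(generateTrackingCode($idSite, $trackerUrl), ENT_QUOTES, 'UTF-8');
}

// After: the generator returns the JavaScript as-is and does no HTML escaping at all.
function generateTrackingCode(int $idSite, string $trackerUrl): string
{
    $url = json_encode($trackerUrl); // a valid JS string literal for the URL
    return "<script type=\"text/javascript\">\n"
         . "var _paq = _paq || [];\n"
         . "_paq.push(['setTrackerUrl', $url]);\n"
         . "_paq.push(['setSiteId', $idSite]);\n"
         . "</script>";
}

// JSON API renderer: JSON escaping only, never HTML entities.
function renderJson(string $code): string
{
    return json_encode(['value' => $code]);
}

// HTML renderer: the equivalent of Twig autoescape, applied once at output time.
function renderHtml(string $code): string
{
    return '<pre>' . htmlspecialchars($code, ENT_QUOTES, 'UTF-8') . '</pre>';
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs for the demonstration.
$idSite = 1;
$trackerUrl = 'https://analytics.example.org/piwik.php';
// A JSON API consumer wants runnable JavaScript; it gets that only after the change.
$old = json_decode(renderJson(generateTrackingCodeEscapedInGenerator($idSite, $trackerUrl)), true)['value'];
$new = json_decode(renderJson(generateTrackingCode($idSite, $trackerUrl)), true)['value'];
check(strpos($old, '&lt;script') === 0, 'old API value is entity-encoded; consumers had to decode it');
check(strpos($new, '<script') === 0, 'new API value is plain JavaScript');
check(strpos(renderHtml($new), '&lt;script') !== false, 'HTML output is still escaped, at the boundary');
```

The first check shows the BC break the thread describes: a consumer that previously ran html_entity_decode() on the JSON value would, after the change, be decoding plain JavaScript and should simply stop doing so.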

@mattab commented on August 13th 2015 Owner

Goals:

  • Remove |raw filters
  • First PR was created and needs to be reviewed: #7997