@diosmosis opened this Pull Request on June 26th 2015 Member

As title. Previously, goal names and patterns were escaped in the Goals controller by calling the Common::sanitizeInputValue() method, and then outputted w/ |raw in twig. This PR removes the manual escaping in the Goals controller and removes the |raw filters in related twig files. It also makes sure jqplot evolution graphs escape series and metric names before displaying tooltips.

This fixes #7969, because goal data is used in the JSON jqplot graph data, and since it was escaped in the PHP, it ended up escaped in the JSON. Then jqplot escaped it again.

Fixes #7969
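
The double escaping described in the pull request above, reproduced as an added example (not part of the original post and not Piwik's or jqplot's code). It compares a goal name that is escaped in the controller and again in the tooltip with one that is passed through raw and escaped once at output. All function names and the sample goal name are hypothetical stand-ins.

```javascript
// Added illustration; function names are hypothetical, not Piwik's or jqplot's API.

// HTML-escape for a text context (what an output-time escaper does).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": the controller escapes the goal name, then it is serialized to JSON.
function graphJsonBefore(goalName) {
  return JSON.stringify({ series: [{ label: escapeHtml(goalName) }] });
}

// "After": the controller passes the stored (unsanitized) name through unchanged.
function graphJsonAfter(goalName) {
  return JSON.stringify({ series: [{ label: goalName }] });
}

// Client side: the tooltip escapes the series label once before building HTML.
function tooltipHtml(graphJson) {
  const label = JSON.parse(graphJson).series[0].label;
  return '<b>' + escapeHtml(label) + '</b>';
}

// Undo exactly one escaping pass, as a browser does when it renders entities.
function unescapeOnce(s) {
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m, e) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" })[e]);
}

// Count how many escaping passes separate the rendered text from the original.
function escapeLayers(rendered, original) {
  let text = rendered, layers = 0;
  while (text !== original && layers < 5) { text = unescapeOnce(text); layers++; }
  return text === original ? layers : -1;
}

const goalName = 'Sales & "Upsell" <Q3>'; // constructed sample value
const before = tooltipHtml(graphJsonBefore(goalName)).slice(3, -4); // strip <b>...</b>
const after = tooltipHtml(graphJsonAfter(goalName)).slice(3, -4);
console.log(before, escapeLayers(before, goalName)); // two layers: entities shown literally
console.log(after, escapeLayers(after, goalName));   // one layer: renders as typed
```

The browser decodes only one layer, so the "before" pipeline displays `&amp;` literally, while the "after" pipeline shows the name as typed and still keeps markup characters inert.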

@mnapoli commented on June 26th 2015 Member

Awesome :+1: An update script might be needed to unsanitize existing values in database?

@diosmosis commented on June 26th 2015 Member

Goal names are stored unsanitized. And they were sanitized in PHP, and outputted w/o escaping in twig. Different from every other part of Piwik, and yet, still wrong. Hooray for inconsistency :)

@mnapoli commented on June 26th 2015 Member

Haha ok I wasn't expecting that :)

@mattab commented on July 12th 2015 Owner

This is how to kill some technical debt, nice one @diosmosis

This Pull Request was closed on July 12th 2015
