Details
-
Bug
-
Resolution: Fixed
-
Medium
-
None
-
4.5.0alpha, 4.5.0beta1, 4.5.0beta2
-
None
Description
Various commits changes the way json data are created (using json_encode) like in:
https://github.com/ezsystems/ezpublish/commit/035e3170c8011569573700b03b36d7d0b75cea97
https://github.com/ezsystems/ezpublish/commit/46f28fece1e1442c770393e9eda94e84a00ae129
https://github.com/ezsystems/ezpublish/commit/d1b3259dc3e2d3d63e022400b85d8594c8c1372a
While the last commit above is fixing this precise bug in admin2, it introduces it for the old admin.
The solution is not to produce json data with embedded html entities encoded, but to escape (wash) it when required (e.g.: when inserting json data in an html attribute like onclick) and to use it unwashed when in raw javascript.