@mattab opened this Issue on December 11th 2018 Member

Reproduce

  • Create a goal called hello ' world and also use this text as the Goal description
  • Then see the goal appear as hello &#039; world

in Goals

See the below screenshots of Goal overview and Manage goals showing the double encoding:

[Screenshot: new goal]

[Screenshot: hello world]

in Forms

Similar issue in Form Analytics:
[Screenshot: form description]

Maybe a regression from https://github.com/matomo-org/matomo/pull/13715

Would be valuable to add some UI tests that would catch the issue.

@sgiehl commented on December 21st 2018 Member

That's a more global and general issue of our input sanitize.

For goals we send the values using encodeURIComponent. That kind of circumvents the automatic input sanitize for all chars except - _ . ! ~ * ' ( ), which are kept untouched. Thus the ' is stored as &#039; in the database. Will create a PR to fix that partially. But imho it would make most sense to finally get rid of the global input sanitize
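
The encoding path described in this comment, as an added illustration (not Matomo code): a stand-in for the global input sanitize (an htmlspecialchars-style escape) is applied after decodeURIComponent, the result is stored, and the view escapes it a second time. The fixed variant stores the raw value and escapes exactly once at output; the helper names are assumptions.

```javascript
// Stand-in for the "global input sanitize" (an htmlspecialchars-like escape,
// single quotes included). Assumed behaviour, not Matomo's own implementation.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#039;');
}

// Characters encodeURIComponent never percent-encodes; a ' in the goal name
// therefore reaches the server untouched and is caught by the sanitize step.
function passesThroughEncodeURIComponent(s) {
  return encodeURIComponent(s) === s;
}

// Server side (assumed): decode the URI component, then sanitize every value
// before it is written to the database.
function storeWithGlobalSanitize(encodedValue) {
  return htmlEscape(decodeURIComponent(encodedValue));
}

// Rendering: the template escapes the stored value again, so the entity
// stored by the sanitize step is escaped a second time (the bug in this issue).
function demoDoubleEncoding(goalName) {
  const sent = encodeURIComponent(goalName);
  const stored = storeWithGlobalSanitize(sent);
  return { sent, stored, rendered: htmlEscape(stored) };
}

// Fixed pipeline: keep the raw value in storage and escape once, at output.
function demoFixed(goalName) {
  const stored = decodeURIComponent(encodeURIComponent(goalName));
  return { stored, rendered: htmlEscape(stored) };
}
```

With the goal name "hello ' world", the buggy path stores "hello &#039; world" and renders "hello &amp;#039; world", which the browser shows as the literal &#039; from the screenshots; the fixed path stores the plain apostrophe and renders it as a single entity.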

@tsteur commented on December 21st 2018 Member

But imho it would make most sense to finally get rid of the global input sanitize

That would be awesome. Also causes issues eg in tag manager https://github.com/matomo-org/tag-manager/issues/134 . Not sure if it will ever be possible to fully get rid of it though as it could cause so many issues. Best might be to support it slowly and refactor it step by step. Like if a variable starts with underscore _ in API, it gets unserialized or something like that. Or maybe it can be configured somehow.

@diosmosis commented on December 25th 2018 Member

Should be fixed in 3.x-dev

This Issue was closed on December 25th 2018