hello ' world and also use this text as the Goal description
hello &#039; world
See the below screenshots of Goal overview and Manage goals showing the double encoding:
Similar issue in Form Analytics:
Maybe a regression from https://github.com/matomo-org/matomo/pull/13715
Would be valuable to add some UI tests that would catch the issue.
That's a more global and general issue of our input sanitize.
For goals we send the values using encodeURIComponent. That kind of circumvents the automatic input sanitize for all chars except - _ . ! ~ * ' ( ), which are kept untouched. Thus the ' is stored as &#039; in the database. Will create a PR to fix that partially. But imho it would make most sense to finally get rid of the global input sanitize
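The mechanism described in the comment above, as an added example that is not Matomo's code and not part of the original thread. It assumes a simplified model in which the server applies an htmlspecialchars-style sanitize to the raw parameter and percent-decodes it afterwards; all function names are hypothetical.

```javascript
// Assumed model of the global input sanitize (htmlspecialchars with quotes).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function sanitize(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hypothetical save path: the UI sends encodeURIComponent(value), the sanitize
// runs on that still-encoded string, and decoding happens afterwards.
function storeGoalName(value) {
  const sent = encodeURIComponent(value);   // ' is left as-is, < becomes %3C
  const sanitized = sanitize(sent);         // only the literal ' is visible here
  return decodeURIComponent(sanitized);     // value written to the database
}

// Output escaping applied by the template when the stored value is displayed.
function render(stored) {
  return sanitize(stored);
}

// Which of the sanitized characters end up stored in a different form?
function inconsistentlyStoredChars() {
  return Object.keys(ENTITIES).filter((c) => storeGoalName(c) !== c);
}

// Sketch of the direction discussed in the thread: store the raw value and
// escape exactly once, at output time.
function storeRaw(value) {
  return decodeURIComponent(encodeURIComponent(value));
}

// Constructed sample input, taken from the issue text.
const name = "hello ' world";
console.log(storeGoalName(name));          // entity is stored in the database
console.log(render(storeGoalName(name)));  // entity is escaped again on output
console.log(storeGoalName('a < b'));       // percent-encoded chars are stored raw
console.log(inconsistentlyStoredChars());
console.log(render(storeRaw(name)));       // escaped once
```

The same stored column ends up holding a mix of raw and entity-encoded characters, so no single output rule renders every value correctly.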
But imho it would make most sense to finally get rid of the global input sanitize
That would be awesome. Also causes issues e.g. in tag manager https://github.com/matomo-org/tag-manager/issues/134 . Not sure if it will be ever possible to fully get rid of it though as it could cause so many issues. Best might be to support it slowly and refactor it step by step. Like if a variable starts with underscore _ in API, it gets it unserialized or something like that. Or maybe it can be configured somehow.
Should be fixed in 3.x-dev