Custom JS is being Escaped

[SolidX]

Summary

When including custom Javascript in a post, it displays properly on the post edit page but renders with escaped characters when viewing a post. This causes scripts to break.

Reproduction Steps

1. Create a post.
2. Add custom JS via drag and drop
3. Save post.
4. View Post

Expected Behaviour

Should render unescaped javascript when viewing post. ex. var x = 9001 > 42;

Actual Behaviour

Actually renders escaped javascript. ex. var x = 9001 > 42;

Context details (if applicable)

• Anchor version: 0.12.1
• Server setup: Apache, PHP 5.5
• URL https://solidus.systems/blog/posts/image-slider-test

[protomorph]

@SolidX in anchor/functions/article.php replace return Registry::prop('article', 'js'); with return htmlspecialchars_decode(Registry::prop('article', 'js'), ENT_QUOTES); and see if that works.

[SolidX]

@protomorph That solves it! Thanks!

[protomorph]

@SolidX No problem.

[TheBrenny]

@protomorph, reckon you can drop this in a PR? :D

[protomorph]

@TheBrenny I'll get one done in the next few hours.

[frozenpandaman]

@protomorph After making this change, article text is being displayed as-is (e.g. no markdown or HTML rendering) on the main page of my site. Must we change a article_markdown() call to article_html() somewhere?

[protomorph]

@frozenpandaman Making this change doesn't effect anything else, you must of changed somthing to stop markdown from rendering

[frozenpandaman]

@protomorph I don't think so. I changed the line back to how it was originally and blog posts started displaying correctly again… I'll look more into it tonight, though.

[Gerrit0]

Well, here's where the problem was introduced: bc202b5

All input is escaped when first fetched using Input::get, so it needs to be decoded again. I can't say I agree that encoding everything in this function is a good idea... I'll hopefully make PR resolving this (and escaping input where the default escaping was relied on) soon.