sanitize tracking code displayed in the UI on output, not input

[diosmosis]

In TrackingCodeGenerator::generate(), htmlentities() is used (improperly) to escape HTML characters. The result is then outputted w/o escaping in _displayJavascriptCode.twig. Instead, TrackingCodeGenerator should return JS code w/o any additional processing/escaping, and it should be escaped only in HTML/XML output.

This is BC breaking since it affects API output. Users of that API currently will have to unsanitize or display the text w/o escaping, so it may break uses.

Refs #4231, #8109

[tsteur]

This is BC breaking since it affects API output. User of that API currently will have to unsanitize or display the text w/o escaping, so it may break uses.

I'm not quite sure I understand. What exactly will break? Meaning what is the output before and after? Will people still be able to fetch the tracking code from the API and insert it automatically into the website? As it is 3.0.0 it is probably less important re BC but asking as there is already one issue merged. Hope we're not breaking API before :)

[diosmosis]

Right now, TrackingCodeGenerator will return already escaped output, which means SitesManager.getJavascriptTag will return escaped output, even if the format is JSON. After this issue is closed SitesManager.getJavascriptTag should return unescaped output for JSON results. If users are expecting escaped output, then their code may break.

There is no related BC break in 2.14.

[mattab]

Goals:

• Remove |raw filters
• First PR was created and needs to be reviewed: #7997