Escape single quotes in token html output
When rendering message templates with tokens it is reasonable to do something like:

```
{if '{contact.last_name}'}
Dear {contact.prefix_id:label} {contact.last_name}
{else}
Dear {contact.first_name}
{/if}
```

However, this breaks if the name is "O'Reily" as the single quote breaks the string.
There are 2 aspects to this:
- when the token is being rendered in HTML the text is being parsed through `htmlentities`. We are doing this without specifying any flags - so we fall back to `ENT_COMPAT` - switching to `ENT_QUOTES` solves this in the context of HTML tokens and I think it's probably more correct and more secure. I'm going to put up a patch for that.
- when the token is being rendered in text the raw result is returned - I'm not quite sure the best approach here. Our principle of using smarty-like escaping would suggest we should support something like:

  ```
  {$articleTitle|escape:'quotes'}
  ```
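
The two rendering paths described above, as an added example that is not part of the original post or the project's code: it substitutes the sample name into the quoted `{if '...'}` condition and checks whether the string literal survives. The helper names `substituteToken`, `literalIsIntact` and `escapeQuotes` are hypothetical, and `escapeQuotes` assumes the backslash-escaping behaviour of Smarty's `escape:'quotes'` modifier.

```php
<?php
// Added illustration: helper names and sample data are constructed, not project code.

/** Replace one {token} in a template with an already-rendered value. */
function substituteToken(string $template, string $token, string $rendered): string {
  return str_replace('{' . $token . '}', $rendered, $template);
}

/** True when the {if '...'} condition is exactly one well-formed quoted literal. */
function literalIsIntact(string $condition): bool {
  // Inside the quotes allow any non-quote character or a backslash-escaped one.
  return preg_match("/^\{if '(?:[^'\\\\]|\\\\.)*'\}$/", $condition) === 1;
}

/** Backslash-escape unescaped single quotes (assumed escape:'quotes' behaviour). */
function escapeQuotes(string $value): string {
  return preg_replace("%(?<!\\\\)'%", "\\'", $value);
}

$condition = "{if '{contact.last_name}'}";
$name = "O'Reily"; // constructed sample value from the description above

// Flags are passed explicitly: the default changed to ENT_QUOTES-based in PHP 8.1,
// so relying on the default gives different output on different PHP versions.
$cases = [
  'html, ENT_COMPAT'    => htmlentities($name, ENT_COMPAT, 'UTF-8'),
  'html, ENT_QUOTES'    => htmlentities($name, ENT_QUOTES, 'UTF-8'),
  'text, raw'           => $name,
  'text, escape quotes' => escapeQuotes($name),
];

foreach ($cases as $label => $rendered) {
  $result = substituteToken($condition, 'contact.last_name', $rendered);
  printf("%-20s %-26s %s\n", $label, $result,
    literalIsIntact($result) ? 'literal intact' : 'literal BROKEN');
}
```

Only the `ENT_QUOTES` and backslash-escaped renderings leave the condition parseable; `ENT_COMPAT` and the raw text path both pass the apostrophe through unchanged.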