From 7cdbea3e3cb3f9be6d5161c7e44995ace2de13a6 Mon Sep 17 00:00:00 2001
From: Francis Whittle
Date: Tue, 21 Nov 2017 15:40:14 +1100
Subject: [PATCH 1/2] CRM-21458: Replace addcslashes call with json_encode when creating options

json_encode should ensure that *all* escapes required for JS string values are present.

----------------------------------------
* CRM-21458: (CIVICRM-742) HTML_QuickForm_hierselect doesn't handle JS escaping properly
https://issues.civicrm.org/jira/browse/CRM-21458
---
 HTML/QuickForm/hierselect.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/HTML/QuickForm/hierselect.php b/HTML/QuickForm/hierselect.php
index daf56922c..0c0d02ece 100644
--- a/HTML/QuickForm/hierselect.php
+++ b/HTML/QuickForm/hierselect.php
@@ -362,7 +362,7 @@ function _setJSArray($grpName, $options, &$js, $optValue = '')
 if ($js != '') {
 $js .= ",\n";
 }
- $js .= '"'.$optValue.'":"'.addcslashes($options,'"').'"';
+ $js .= '"'.$optValue.'":"'.json_encode($options).'"';
 }
 }

From dc7e8f56502706b55c568a4806865a6accae8a89 Mon Sep 17 00:00:00 2001
From: Francis Whittle
Date: Tue, 21 Nov 2017 16:41:27 +1100
Subject: [PATCH 2/2] Remove extra quotes around encoded string

---
 HTML/QuickForm/hierselect.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/HTML/QuickForm/hierselect.php b/HTML/QuickForm/hierselect.php
index 0c0d02ece..d2bb07243 100644
--- a/HTML/QuickForm/hierselect.php
+++ b/HTML/QuickForm/hierselect.php
@@ -362,7 +362,7 @@ function _setJSArray($grpName, $options, &$js, $optValue = '')
 if ($js != '') {
 $js .= ",\n";
 }
- $js .= '"'.$optValue.'":"'.json_encode($options).'"';
+ $js .= '"'.$optValue.'":'.json_encode($options);
 }
 }
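Review bot: The option key is still concatenated unescaped on the added line of PATCH 2/2 (`'"'.$optValue.'":'`), so only the value side receives json_encode's escaping; $optValue is assembled from option keys outside this hunk, so I cannot confirm what characters it can carry, but if a double quote or backslash ever reaches it the emitted JS is malformed in exactly the way this series sets out to fix, and `$js .= json_encode((string) $optValue) . ':' . json_encode($options);` would cover both sides (the same applies to the PATCH 1/2 form of the line). json_encode also returns false on malformed UTF-8 input, which concatenates as an empty string and leaves `"key":` dangling, breaking the whole options literal; checking the return value, or passing JSON_PARTIAL_OUTPUT_ON_ERROR where the supported PHP version allows it, would make that failure visible instead of silent. Because the resulting string is embedded in an HTML page, adding JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT is worth considering in case the JS is ever placed in an attribute rather than a script element. _setJSArray begins and ends outside the hunk.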