I can confirm it on the menu tab but not the article tab and only when using the ' but not the `

In article tab, chain translation is not javascript safe.

administrator\components\com_content\views\article\tmpl\edit.php line 123
<?php echo JHtml::_('bootstrap.addTab', 'myTab', 'images', JText::_('COM_CONTENT_FIELDSET_URLS_AND_IMAGES')); ?>

But possibly same problem in :
administrator\components\com_plugins\views\plugin\tmpl\edit_options.php line 16
administrator\components\com_weblinks\views\weblink\tmpl\edit.php line 38 - 52 - 64
components\com_contact\views\contact\tmpl\default.php line 174

There are many occurences of bootstrap.addTab and none has addslashes added before the JText:: Good find!

it only concerns ' and not ` as this last one is not a quote in the php sense of the term.

I'm confused because I showed that the URLS and IMAGES tab works ok

issue is that we have 81 bootstrap.addTab in core and adding addslashes() everywhere is not the perfect solution. We may need a better one that would be global. Don't know if possible.

Let me check further

in \layouts\libraries\cms\html\bootstrap\addtabscript.php line 19 , there is "json_encode" apply on title.
Maybe a change must be made on this file.

I confirm that reverting the part of #3922 concerning \layouts\libraries\cms\html\bootstrap\addtabscript.php solves the issue

@vinespie

To solve the issue I changed the line 17 to

$li = '<li class="' . $active . '"><a href="#' . $id . '" data-toggle="tab">' . stripslashes($title) . '</a></li>';

can you test this?

Yes it solve the issue but for example you also can change "layouts\joomla\edit\params.php" line 52
$label = JText::_($fieldSet->label, true);
by
$label = JText::_($fieldSet->label);

what is the best/correct solution ?

Maybe better in params.php:
If we use the second proposal I guess we also have to change the rest, i.e.

        if (!empty($fieldSet->label))
        {
            $label = JText::_($fieldSet->label);
        }
        else
        {
            $label = strtoupper('JGLOBAL_FIELDSET_' . $name);
            if (JText::_($label) == $label)
            {
                $label = strtoupper($app->input->get('option') . '_' . $name . '_FIELDSET_LABEL');
            }
            $label = JText::_($label);
        }

Can you make a PR?

Yes I can do a PR.
It will also correct the problems in other files.

What I find very odd is that it doesn't happen on all views. Does this mean we render tabs in different ways in different places?

The jsSafe parameter should only be used if the text string is going to be used in Javascript code which is not the case for tabs.

I agree the fix in the params.php file should be good enough as we don't need Javascript escaping here.

Yes I agree
Do not escape the title to add tabs
What I found is that in some views using JText with jsSafe on tab title.

Same issue with jsSafe parameter in components/com_contact/views/contact/tmpl/default.php line 174
<?php echo JHtml::_('bootstrap.addTab', 'myTab', 'display-profile', JText::_('COM_CONTACT_PROFILE', true)); ?>

@vinespie That may just be copy-paste rather than a conscious decision. As far as I know is the title not used for any Javascript related functions, that is what the ID is for.

@roland-d ok, should I do a pull request for each files or all in one ?

@vinespie How many files are there?

@roland-d 4 files

administrator\components\com_admin\views\profile\tmpl\edit.php
administrator\components\com_plugins\views\plugin\tmpl\edit_options.php
components\com_contact\views\contact\tmpl\default.php
joomla-cms\layouts\joomla\edit\params.php

@vinespie Since there are only 4, do it in 1 PR but provide test details per file as that will help testers to see what they need to check. Thanks.

That will be great - thanks

@vinespie
Can you make the PR towards staging please

If you have no time, I will do.
Take off the part concerning .gitignore

@infograf768 Yes you can do it.
I have 3 problems and I block :

• commit with unknow user
• go on .gitignore
• why my PR contains old commits ?

I can write test process.
Thanks

OK, on it now

@vinespie Please add the test instructions in #11409

Set to "closed" on behalf of @infograf768 by The JTracker Application at issues.joomla.org/joomla-cms/11400

Closing as we have a PR (Thanks @vinespie