Here too:

https://github.com/PhilETaylor/joomla-cms/blob/4a611a4aef03976b4107ef3e5c1d88ad2d32a42d/administrator/components/com_media/views/medialist/tmpl/details_folder.php#L31-L32

Going by similar code:

Also in the URL: &amp;rm[]=<?php echo $this->escape($this->_tmp_video->name); ?> and rel="<?php echo $this->escape($this->_tmp_video->name); ?>">

In fact that is never used, none of these files are ever used.

These are the only ones ever used.

	echo $this->loadTemplate('up'),
					$this->loadTemplate('folders'),
					$this->loadTemplate('docs'),
					$this->loadTemplate('videos'),
					$this->loadTemplate('imgs');

The doc video and folder files contain very old code and generate PHP issues when included too - best those get deleted. Will fork a PR for that. - Done - see #20630

I have tested this item ✅ successfully on 4a611a4

Create a media custom field.
Edit an article on the backend/frontend.
Under the Fields tab, click on the Select button of the media field.

@Quy test with and -out PR i can select an Image for an Article - test on backend.

Please have a look at http://wohlkoenig.joomla.com/index.php

Now i'm on Github and see its about docs and Video, will have a look.

System information

• 3.8.9-dev
• Template: Protostar
• macOS Sierra, 10.13.5
• Firefox 60 (64-bit)

CloudAccess.net

• PHP 7.0.28
• MySQLi 5.7.18-cll-lve

  ---

  _{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20616.}

I have tested this item ? unsuccessfully on 4a611a4

After changing allowed Types (mp4, video/mp4) in Media > Option Video-Upload was successfully:

Select Video in Article-Field doesn't work as Video isn't shown:

@franz-wohlkoenig and so what EXACTLY was the result of your test? just saying I have tested this item unsuccessfully is not enough

Thats why i wrote before "Description follows".

Cause i had to mark test in Tracker, switch to Github, create Screenshots and write in English which is not my native language.

This takes its Time, please be patient with an elderly Man.

You will not see a difference in functionality, but only the markup.

Let's create a folder a&b inside the images folder either via FTP or directly if testing locally.
Edit an article.
Click the Image button in the editor.
View the page source of the modal.
Without PR, the folder name is a&b
With PR, folder name is a&b

With the other change, apply escaping to the URL of the folder name on the front end to be consistent with the back end.

@franz-wohlkoenig You are testing something that this PR is not actually changing.

What you are seeing is EXPECTED.

You are clicking on the IMAGE button in the WYSIWYG Editor on the frontend, this loads a url in an iframe of: http://127.0.0.1:1025/index.php?option=com_media&view=imagesList&tmpl=component&folder=&asset=61&author=838

This runs this code

@PhilETaylor Thanks for Explanation, what this Pull Request is about to test. Can you please adopt this in first Comment so Tester gets easier to understand?

I test the bug of the preview of the image and is fixed.

Now, with this PR:

Click the Image button in the editor. View the page source of the modal. Without PR, the folder name is a&b . With PR, folder name is a&b

Without the PR:

With the PR:

This is not the expected result, right?

You have to view the page source of the modal and not with web developer inspector.

I have tested this item ✅ successfully on 9fd42ef

Thank @Quy

I have tested this item ✅ successfully on 9fd42ef

RTC