The mustache quote helper is used to escape quotes when inserting variables into JSON notation. It was introduced in MDL-52136. Unfortunately, to escape a string for use in JSON, more characters than just the double quote have to be escaped. To be exact:

• Backspace to be replaced with \b
• Form feed to be replaced with \f
• Newline to be replaced with \n
• Carriage return to be replaced with \r
• Tab to be replaced with \t
• Double quote to be replaced with \"
• Backslash to be replaced with \\

Source: https://www.tutorialspoint.com/json_simple/json_simple_escape_characters.htm

This leads to some bugs: MDL-67640, MDL-68865 and MDL-69398 to name a few.

In MDL-65203 and MDL-65183, some of these special characters (\t, \n and \r) were added to the list of characters that the JS implementation of the quote helper replaces. It's still incomplete, though. And the PHP implementation hasn't been updated to match the Javascript one.

Most importantly, the backslash character is not being escaped, yet. This means that the escaping of other characters (like double quotes) can be undone easily. For example, the string

foo\"bar

is "escaped" to

foo\\"bar

by the current implementation of the quote helper. As you can see, the "escaped" version contains an unescaped double quote because of the extra backslash.

Suggested solution

Fortunately, there is a function in both Javascript and PHP that takes care of escaping all these special characters correctly: JSON encoding!

Just passing the input of the quote helper to json_encode in PHP and JSON.stringify in Javascript yields a string with all special JSON characters being escaped. The resulting string also starts and ends with an extra quote, but adding quotes is exactly what the quote helper is supposed to do anyway. So we don't even have to remove them.