Fixes #6068, correctly decode JSON encoded ec_items query parameter values so escaped HTML is properly handled by tracker. Includes tests and a separate fix to tests:run command (command fails when --options is used w/ a group argument).

1 files changed, 3 insertions, 3 deletions

diff --git a/core/Tracker/GoalManager.php b/core/Tracker/GoalManager.php
index 27b3a6f48c..9f989df935 100644
--- a/core/Tracker/GoalManager.php
+++ b/core/Tracker/GoalManager.php
@@ -361,7 +361,7 @@ class GoalManager
      */
     private function getEcommerceItemsFromRequest()
     {
-        $items = Common::unsanitizeInputValue($this->request->getParam('ec_items'));
+        $items = $this->request->getParam('ec_items');
 
         if (empty($items)) {
             Common::printDebug("There are no Ecommerce items in the request");
@@ -369,13 +369,13 @@ class GoalManager
             return array();
         }
 
-        $items = Common::json_decode($items, $assoc = true);
-
         if (!is_array($items)) {
             Common::printDebug("Error while json_decode the Ecommerce items = " . var_export($items, true));
             return false;
         }
 
+        $items = Common::unsanitizeInputValues($items);
+
         $cleanedItems = $this->getCleanedEcommerceItems($items);
         return $cleanedItems;
     }