Don't HTML encode quotes in REST API callback, to fix ONKI Selector (Skosmos 2) #1705

Merged (1 commit), Oct 29, 2024

Conversation

osma
Member

@osma osma commented Oct 29, 2024

Reasons for creating this PR

ONKI Selector (the legacy JS widget for accessing ONKI/Finto vocabularies) wasn't working, because it uses the callback parameter with a value that includes quote characters. The input sanitizing that was quite recently added to RestController broke this functionality.

The symptom is that the Skosmos REST API, when called with a URL like https://api.finto.fi/rest/v1/yso/?callback=onkiSearch["ysoSearch"].setRestLangs, generates a response like this: onkiSearch[&quot;ysoSearch&quot;].setRestLangs(...) and this causes a JS syntax error. (Uncaught SyntaxError: expected expression, got '&')

This PR fixes the problem by preventing the HTML encoding of quote characters.

Link to relevant issue(s), if any

  • n/a

Description of the changes in this PR

Known problems or uncertainties in this PR

Not sure if the input sanitizing for the callback parameter (which is needed for generating JS, not HTML) is a great idea in the first place, but at least this fixes the issue with quotes.

Checklist

  • phpUnit tests pass locally with my changes
  • I have added tests that show that the new code works, or tests are not relevant for this PR (e.g. only HTML/CSS changes)
  • The PR doesn't reduce accessibility of the front-end code (e.g. tab focus, scaling to different resolutions, use of .sr-only class, color contrast)
  • The PR doesn't introduce unintended code changes (e.g. empty lines or useless reindentation)

@osma osma added bug REST Skosmos 2.X Relevant for Skosmos 2 labels Oct 29, 2024
@osma osma added this to the 2.x milestone Oct 29, 2024
@osma osma self-assigned this Oct 29, 2024
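The "Known problems" note above asks whether HTML-encoding is the right treatment at all for a parameter that ends up inside generated JavaScript. The following is an added example, not Skosmos code and not part of this PR: it reproduces the symptom from the description (HTML-encoding the quotes yields a response that does not parse) and shows the alternative a JSONP endpoint normally uses, namely rejecting any callback that is not a plain member-access chain and emitting it verbatim. The function names (isValidCallback, renderJsonp, compiles), the allowlist pattern and the constructed payload are this example's own assumptions.

```javascript
// Added example, not Skosmos code. Shows why HTML-encoding a JSONP callback
// breaks the generated JavaScript, and the allowlist validation normally used
// instead. All names and the pattern below are this example's own choices.

// Only a chain of member accesses is accepted: an identifier, then any number
// of .identifier or ["identifier"] / ['identifier'] / [digits] segments.
// Parentheses, semicolons, operators and comment markers are rejected, so the
// callback can never become a statement or expression of its own.
const CALLBACK_RE =
  /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*|\[(?:"[\w$]+"|'[\w$]+'|\d+)\])*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 128 && CALLBACK_RE.test(name);
}

// Mimics PHP's htmlspecialchars(..., ENT_QUOTES): the kind of treatment the
// PR description says broke ONKI Selector's bracket-style callback.
function htmlEncodeQuotes(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// The "before" behaviour: HTML-encode the callback and splice it into JS.
function renderJsonpHtmlEncoded(callback, payload) {
  return htmlEncodeQuotes(callback) + "(" + JSON.stringify(payload) + ");";
}

// The allowlist behaviour: validate, then emit the callback verbatim.
// The leading "/**/" is a widely used prefix that stops the response from being
// interpreted as a Flash/SWF file (the "Rosetta Flash" technique); it is an
// extra hardening step, not something this PR does.
function renderJsonp(callback, payload) {
  if (!isValidCallback(callback)) {
    throw new Error("invalid JSONP callback: " + callback);
  }
  return "/**/" + callback + "(" + JSON.stringify(payload) + ");";
}

// Parse-only check: does the generated text compile as JavaScript?
// new Function() parses without executing, so unknown globals do not matter;
// only a SyntaxError counts as "does not compile".
function compiles(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// Constructed sample input: the callback from the PR description and a small
// payload standing in for the vocabulary metadata the endpoint returns.
const CALLBACK = 'onkiSearch["ysoSearch"].setRestLangs';
const PAYLOAD = { uri: "http://www.yso.fi/onto/yso/", languages: ["fi", "sv", "en"] };

console.log(renderJsonpHtmlEncoded(CALLBACK, PAYLOAD)); // onkiSearch[&quot;ysoSearch&quot;].setRestLangs({...});
console.log(compiles(renderJsonpHtmlEncoded(CALLBACK, PAYLOAD))); // false
console.log(renderJsonp(CALLBACK, PAYLOAD)); // /**/onkiSearch["ysoSearch"].setRestLangs({...});
console.log(compiles(renderJsonp(CALLBACK, PAYLOAD))); // true
console.log(isValidCallback("alert(1)//")); // false
```

Two practical notes on the design: HTML-encoding also mangles ' and &, not only ", so removing quotes from the encoded set only narrows the breakage, whereas an allowlist makes the JS context explicit and rejects junk instead of rewriting it. Whatever validation is used, a JSONP response should be served as application/javascript with X-Content-Type-Options: nosniff so that the same bytes are never interpreted as HTML.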

sonarcloud bot commented Oct 29, 2024

Quality Gate failed

Failed conditions
Security Rating on New Code: E (required ≥ A)

See analysis details on SonarCloud


@osma osma merged commit 6073feb into skosmos-2 Oct 29, 2024
4 of 8 checks passed
@osma osma deleted the fix-rest-callback-quotes-skosmos-2 branch October 29, 2024 13:14