Closed as not planned
Labels: Task (neither a feature nor a bug; a purely "technical" change), Technical debt (issues that will help to reduce technical debt), c: Security (issues that make Matomo more secure; please report security issues through HackerOne and not in GitHub)
Description
The way in which Piwik sanitizes user data is inconsistent: it is sometimes done on input (data is stored sanitized), sometimes on output (less frequently). For example, website names are stored in the DB sanitized and need to be unsanitized or output raw in HTML, whereas goal names are not sanitized in the DB and need to be escaped when output in HTML.
This should be made consistent. Additionally, security best practices recommend:
- filter on input (e.g. cast to an integer if you expect an integer, but don't sanitize strings)
- escape on output
Problems with the current approach:
- escaping on input is done for HTML/XML: that escaping doesn't make sense for SQL, JavaScript/JSON, … and it needs to be undone for those cases
- double escaping issues if we escape on output (e.g. Twig and Angular do that by default)
  - Related issues:
    - Ampersand (&) when adding/configuring Website and using & in URL textinput #8496
    - sanitize tracking code displayed in the UI on output, not input #8123
    - Scheduled report name is double encoded #7987
    - Quotes in goal names are over-escaped #7969
    - All websites dashboard lists website names double encoded #7806
    - Special characters in website name not shown correctly #7531
    - Website name is double encoded in page "No data has been recorded yet" #7528
    - Truncation of labels on datatables leads to labels changed to '...' #6821
    - error message in form are html encoded #6722
    - Bad encoding title in the list #6325
    - ecommerce orders with double quotes in product name or category name are not tracked #6068
    - Improvements for custom events in tables like visitor log #5189
    - Row evolution: Y axis legend is double URL encoded #5009
    - Apostrpohes (and maybe other special characters) are shown encoded in page tooltip #4749
    - Ampersand in page title is not displayed as & in Piwik Dashboard Widgets #4709
    - Fix inconsistent sanitization: sanitize on output rather than input #4231
    - regression New and edited annotations are URL encoded #3954
    - "&" characters are transformed to "&" in pagetitles of tracked goals when editing them #3549
    - Goals Names containing html entities are displayed double encoded in column names #3503
    - Double encoding for report name #2519
    - Inline search: & becomes & #2400
    - Problem with ampersand in Website Chooser #2386
    - Swedish characters don't show up properly in UI, graphs #974
    - Update from 2.3 to 2.4 breaks db password #341
- strings are stored in the database escaped (not as their "real" values)
We should try to move gradually to escaping on output, using the native escaping features of Twig or AngularJS, for example.
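The two failure modes above (double escaping through an auto-escaping template, and HTML entities leaking into a non-HTML context such as JSON) side by side with the filter-on-input/escape-on-output approach, as an added illustration that is not code from the Piwik/Matomo code base. The escaper, the store functions and the sample site name are assumptions constructed for this example.

```javascript
// Added example (not from the Matomo issue): sanitize-on-input vs.
// filter-on-input + escape-on-output, for one constructed site name.

// Minimal HTML escaper for text-node / double-quoted attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Constructed sample: a site name a user might legitimately enter.
const USER_INPUT = 'Tom & Jerry\'s "shop" <beta>';

// Approach 1 (current, inconsistent): sanitize on input.
// What lands in the database is already HTML, not the real value.
function storeSanitized(value) { return escapeHtml(value); }

// Approach 2 (recommended): filter on input only (trim, enforce length),
// keep the real value; escaping is the output layer's job.
function storeRaw(value) {
  const v = String(value).trim();
  if (v.length === 0 || v.length > 90) throw new Error("invalid site name");
  return v;
}

// An auto-escaping template ({{ }} in Twig or AngularJS behaves like this).
function renderTemplate(dbValue) { return `<h1>${escapeHtml(dbValue)}</h1>`; }

// The same stored value handed to an API client as JSON (non-HTML context).
function renderJson(dbValue) { return JSON.stringify({ name: dbValue }); }

function demo(input) {
  const sanitized = storeSanitized(input);
  const raw = storeRaw(input);
  return {
    // Stored-sanitized + escaping template: entities escaped a second time,
    // so the browser displays "&amp;" literally.
    doubleEscapedHtml: renderTemplate(sanitized),
    // Raw storage + escaping template: escaped exactly once.
    correctHtml: renderTemplate(raw),
    // Stored-sanitized value leaks HTML entities into JSON; a client that
    // parses it never gets the real name back.
    jsonWithEntities: renderJson(sanitized),
    correctJson: renderJson(raw),
  };
}
```

Only the raw-storage path round-trips: `JSON.parse(demo(USER_INPUT).correctJson).name` equals the original input, while the sanitized path does not.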