From 067dea45227230430b2869eacf248351a65512fe Mon Sep 17 00:00:00 2001
From: Rich Lott / Artful Robot
Date: Mon, 20 Sep 2021 14:52:21 +0100
Subject: [PATCH] APIv4 - Decode output of write operations

CiviCRM regrettably stores most strings as HTML in the database. This fixes the output of APIv4 write operations to decode them and return non-html
---
 Civi/Api4/Generic/Traits/DAOActionTrait.php | 1 +
 tests/phpunit/api/v4/Action/ResultTest.php | 33 +++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/Civi/Api4/Generic/Traits/DAOActionTrait.php b/Civi/Api4/Generic/Traits/DAOActionTrait.php
index 31c889f965..7e0b356ac2 100644
--- a/Civi/Api4/Generic/Traits/DAOActionTrait.php
+++ b/Civi/Api4/Generic/Traits/DAOActionTrait.php
@@ -149,6 +149,7 @@ trait DAOActionTrait {
 }

 $result[] = $this->baoToArray($createResult, $item);
+ \CRM_Utils_API_HTMLInputCoder::singleton()->decodeRows($result);
 }

 // Use bulk `writeRecords` method if the BAO doesn't have a create or add method
diff --git a/tests/phpunit/api/v4/Action/ResultTest.php b/tests/phpunit/api/v4/Action/ResultTest.php
index a6ecefae73..d9153c07d3 100644
--- a/tests/phpunit/api/v4/Action/ResultTest.php
+++ b/tests/phpunit/api/v4/Action/ResultTest.php
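Review bot: The added `decodeRows($result)` call in DAOActionTrait.php runs on the whole accumulated `$result` array right after each `$result[] = …` append, so when several records are written every earlier row is passed through the decoder again on each later iteration (the closing brace after it appears to end the per-item loop, which starts outside the hunk). Unless the decoder is guaranteed idempotent, that can turn a value that legitimately contains entity text into different data, and it is quadratic in the number of rows; decoding once after the loop, or only the row just built, avoids both. The bulk `writeRecords` path named in the trailing comment is outside the hunk and may need the same decoding for consistent output. Since write results now carry raw `<`/`>`, a comment here would help, such as `// Output is decoded plain text: callers must escape it for their own context (HTML, JS, ...)`.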
@@ -34,4 +34,37 @@ class ResultTest extends UnitTestCase {
 $this->assertTrue(is_array(json_decode($json)));
 }

+ /**
+ * Knowing that the db layer HTML-encodes strings, we want to test
+ * that this ugliness is hidden from us as users of the API.
+ *
+ * @see https://issues.civicrm.org/jira/browse/CRM-11532
+ * @see https://lab.civicrm.org/dev/core/-/issues/1328
+ */
+ public function testNoDataCorruptionThroughEncoding() {
+
+ $original = 'hello < you';
+ $result = Contact::create(FALSE)
+ ->setValues(['display_name' => $original])
+ ->execute()->first();
+ $this->assertEquals($original, $result['display_name'],
+ "The value returned from Contact.create is different to the value sent."
+ );
+
+ $result = Contact::update(FALSE)
+ ->addWhere('id', '=', $result['id'])
+ ->setValues(['display_name' => $original])
+ ->execute()->first();
+ $this->assertEquals($original, $result['display_name'],
+ "The value returned from Contact.update is different to the value sent."
+ );
+
+ $result = Contact::get(FALSE)
+ ->addWhere('id', '=', $result['id'])
+ ->execute()->first();
+ $this->assertEquals($original, $result['display_name'],
+ "The value returned from Contact.get is different to the value sent."
+ );
+ }
+
 }
-- 
2.25.1
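Review bot: The new test exercises only single-record `create` and `update` with one `<` character, so it would not notice output that is decoded more than once or a write path that skips decoding. A multi-record case, e.g. `Contact::save(FALSE)->setRecords([['display_name' => $original], ['display_name' => $original]])->execute()` with an assertion on every returned row, and a value that also contains `>` and `&`, would pin the behaviour the test name promises. The `update` step also writes the same string that `create` stored, so using a second distinct value there would show that the returned row reflects the update.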