5a1d1a25ff3a7a7001e5dd98e1e4879b6f3ebe9d chmalee Tue Dec 16 16:15:02 2025 -0800 Fix up jsOnEventById calls to javascript literal encode the id's, so the ids can have parens, single quotes, double quotes, etc in them and still be selected. Fix up the matrix checkbox code to htmlEncode the subgroups so subgroups can have parens, single quotes, etc in them and still work as class names and selectors, refs #36841
diff --git src/lib/cheapcgi.c src/lib/cheapcgi.c
index 07788267d9e..b9bce63b35f 100644
--- src/lib/cheapcgi.c
+++ src/lib/cheapcgi.c
@@ -184,53 +184,53 @@
 /* check if it is lowercase and a known valid event name */
 {
 char *temp = cloneString(event);
 tolowers(temp);
 if (!sameString(temp, event)) warn("jsInline: javascript event %s should be given in lower-case", event);
 event = temp;
 if (!findJsEvent(event)) warn("jsInline: unknown javascript event %s", event);
 freeMem (event);
 }
 void jsAddEventForId(char *eventName, char *idText, char *jsText)
 {
 checkValidEvent(eventName);
-jsInlineF("document.getElementById('%s').addEventListener('%s', %s);\n", idText, eventName, jsText);
+jsInlineF("document.getElementById('%s').addEventListener('%s', %s);\n", javaScriptLiteralEncode(idText), eventName, jsText);
 }
 void jsOnEventById(char *eventName, char *idText, char *jsText)
 /* Add js mapping for inline event */
 {
 checkValidEvent(eventName);
-jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; %s};\n", idText, eventName, jsText);
+jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; %s};\n", javaScriptLiteralEncode(idText), eventName, jsText);
 }
 void jsOnEventBySelector(char *query, char *eventName, char *jsText)
 /* Add js mapping for inline event given a query selector, e.g. '.className' */
 {
 checkValidEvent(eventName);
 jsInlineF("document.querySelectorAll('%s').forEach(function (el) { el.addEventListener( '%s', function(event) { %s })});\n", query, eventName, jsText);
 }
 void jsOnEventByIdF(char *eventName, char *idText, char *format, ...)
 /* Add js mapping for inline event with printf formatting */
 {
 checkValidEvent(eventName);
-jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; ", idText, eventName);
+jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; ", javaScriptLiteralEncode(idText), eventName);
 va_list args;
 va_start(args, format);
 dyStringVaPrintf(jsInlineLines, format, args);
 va_end(args);
 jsInlineF("};\n");
 }
 //============ END of javascript inline-separation routines ===============
 /* These three variables hold the parsed version of cgi variables. */
 static char *inputString = NULL;
 static unsigned long inputSize;
 static struct hash *inputHash = NULL;
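Review bot: The three new `javaScriptLiteralEncode(idText)` calls (in jsAddEventForId, jsOnEventById and jsOnEventByIdF) hand the encoder's result straight to jsInlineF and never release it; if javaScriptLiteralEncode allocates its result (this hunk does not show its contract), every event registration leaks one string. Holding it in a local keeps ownership explicit, e.g. for jsOnEventById: `char *encId = javaScriptLiteralEncode(idText);` / `jsInlineF("document.getElementById('%s').on%s = function(event) {if (!event) {event=window.event}; %s};\n", encId, eventName, jsText);` / `freeMem(encId);`, and the same shape fits the other two. jsOnEventBySelector, in the same hunk, still interpolates `query` into a single-quoted JS literal without encoding, so a selector containing a single quote or backslash breaks the emitted script exactly as an unencoded id did before this change; either encode it the same way or state the restriction in its header comment, e.g. `/* query must not contain single quotes or backslashes; it is emitted inside a '...' JS literal unencoded. */`. The hunk opens in the tail of checkValidEvent, whose signature lies before the hunk.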