Bug #95579
Updated by Oliver Hader about 3 years ago
When forwarding configuration as JSON encoded data when loading RequireJS modules in form engine, escape sequences need to be handled explicitly. It is not possible to break the serialization by injection techniques, however client-side parsing might fail.
The problem has been discovered, when PHP class names (@\Vendor\Package\Name@) lead to client-side JSON parsing errors, e.g. @JSON.parse('"\\Vendor\\Package\\Name"');@.