= $_POST[\'msg\'] ?>
Check whether your PHP configuration has magic_quotes_gpc activated; in that case the PHP server automatically adds slashes to GET/POST/cookie values...
If the information is correct when it leaves the client, then dojo must be doing some wizardry before sending the info over to $_POST, no? Are there any flags that you can set for the dojo.toJson() method that will allow you to control the level of input string manipulation / escaping? If not, I think using stripslashes() (or whatever, depending on where this information is headed) is the only answer.
Most probably you have magic_quotes_gpc enabled on your server. This configuration option and feature is deprecated in PHP 5.3. Until you upgrade:
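// Undo magic_quotes_gpc only when the server actually applied it.
if (get_magic_quotes_gpc()) {
    // Also stop slashes being added to data read at runtime (files, databases).
    set_magic_quotes_runtime(0);
    foreach (array('POST', 'GET', 'REQUEST', 'COOKIE') as $gpc)
        $GLOBALS["_$gpc"] = array_map('dequote', $GLOBALS["_$gpc"]);
}
// Recursively strip the added slashes from a value or a nested array of values.
function dequote($v) {
    return is_array($v) ? array_map('dequote', $v) : stripslashes($v);
}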
The above solution is based on someone's code I've found somewhere a few years ago.
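An added example (not part of the original posts) that reproduces the effect on a PHP version where magic quotes no longer exists: it simulates the quoting with addslashes(), shows that the slashed JSON no longer decodes, and shows why stripslashes() should only run when quoting was really applied. The function simulate_magic_quotes(), the $quoting_active flag and all sample values are constructed for illustration.

```php
<?php
// Constructed sample: a JSON string of the kind dojo.toJson() sends.
$sent = '{"field1":"string","field2":84,"field3":"another string"}';

// magic_quotes_gpc behaved like addslashes() applied to every GET/POST/cookie value.
// Hypothetical helper standing in for that server-side behaviour.
function simulate_magic_quotes($v) {
    return is_array($v) ? array_map('simulate_magic_quotes', $v) : addslashes($v);
}

// Recursive inverse, same shape as the dequote() in the answer above.
function dequote($v) {
    return is_array($v) ? array_map('dequote', $v) : stripslashes($v);
}

// What the client really sent (constructed), including a value with a genuine backslash.
$raw = array('msg' => $sent, 'path' => 'C:\\temp');

// Case 1: quoting was active, so the script sees slashed values.
$quoting_active = true; // assumption: stands in for get_magic_quotes_gpc()
$post = simulate_magic_quotes($raw);

echo "received msg: ", $post['msg'], "\n";
// The slashed value is not valid JSON, so decoding it fails.
echo "decodes before dequote: ", var_export(json_decode($post['msg'], true) !== null, true), "\n";

if ($quoting_active) {
    $post = dequote($post);
}
$data = json_decode($post['msg'], true);
echo "decodes after dequote: ", var_export(is_array($data), true), "\n";
echo "round trip intact: ", var_export($post === $raw, true), "\n";

// Case 2: quoting was NOT active. Calling stripslashes() anyway eats the
// genuine backslash in 'path', which is why the check has to come first.
$unquoted = $raw;
$damaged = dequote($unquoted);
echo "path without check: ", $damaged['path'], "\n";
echo "path corrupted: ", var_export($damaged['path'] !== $raw['path'], true), "\n";
```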
Check if magic quotes is enabled on your host.
I believe the problem is just one of escaping done by the tools you are using to output the string. For example:
var msg = dojo.toJson({field1: 'string', field2: 84, field3: 'another string'});
alert(msg);
will show the double quotes as unescaped. Similarly, running your first example while the browser is hooked up to a proxy like Charles shows the double quotes as unescaped.
So I believe this is just an auto-escape that Firebug/PHP does when showing you strings.