Shane Hoban

MSc. Computer Science (UCD) · Full Stack Developer

Crosshaven, Cork, Ireland

Survais post-migration fixes: widget compatibility and safer output

22 February 2026
ai-assisted, survais, migration, php, widget, xss, escaping, legacy-data

Right after moving Survais from the old VPS to the new Coolify + Docker deployment, I did a focused pass on the widget because old data and legacy rendering assumptions surfaced a few bugs.

This was a classic post-migration task: the deploy was up, but edge-case content handling needed to be tightened.

Main issues found

  • legacy text values had mixed/over-encoded entities
  • some widget copy was being escaped in ways that hurt display quality
  • JS payload values in widget.php were injected as string literals instead of robust encoded values
  • CTA slide behavior had a bad data-answer value and needed consistent sanitization

What I changed

1. Added legacy decode + safe output helpers

In dist/widget/widget-functions.php I added a few helpers:

  • widget_decode_legacy_text(...)
  • widget_escape_text(...)
  • widget_safe_text(...)
  • widget_linkified_text(...)

The decode function also normalizes malformed entities like &#039 ; before decoding, and loops a few times to unwind nested encoding safely.

2. Normalized rendering across partials

In the widget partials (cta, email, feedback, info, standard) I switched display output to the new helpers so text is:

  • readable for legacy content
  • escaped consistently
  • still linkified where needed

3. Fixed CTA data handling

For CTA slides, I aligned the button data and sanitization behavior:

  • safe text for button URL and button label
  • corrected data-answer handling to the expected CTA value

4. Made JS payload injection safer

In dist/widget/widget.php I replaced raw string interpolation with json_encode(...) for payload values passed into client-side JS.

That avoids subtle quoting/breakage bugs and is a safer default when values can contain special characters.
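The sketch below shows how the decode-then-escape helpers from step 1 and the json_encode(...) handoff from step 4 can fit together. It is an added example, not the Survais source: the example_* function names, the pass limit of 3, the JSON_HEX_* flag choice and the sample values are all assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical names, not the code in widget-functions.php.

const EXAMPLE_MAX_DECODE_PASSES = 3; // assumed bound for "loops a few times"

function example_decode_legacy_text(string $raw): string
{
    $text = $raw;
    for ($i = 0; $i < EXAMPLE_MAX_DECODE_PASSES; $i++) {
        // Repair entities with stray whitespace before the semicolon ("&#039 ;").
        // Done on every pass because unwinding one layer can expose a new one.
        $normalized = preg_replace('/&(#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*)\s+;/i', '&$1;', $text) ?? $text;
        $decoded = html_entity_decode($normalized, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $text) {
            break; // stable: nothing left to unwind
        }
        $text = $decoded;
    }
    return $text; // raw text: must still be escaped for whatever context it lands in
}

function example_safe_text(string $raw): string
{
    // Decode first, then escape exactly once at the HTML output boundary.
    return htmlspecialchars(example_decode_legacy_text($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function example_js_payload(array $payload): string
{
    // The HEX flags emit <, >, &, ' and " as \uXXXX escapes, so a value that
    // contains "</script>" cannot terminate the inline script block.
    return json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample values standing in for legacy rows.
$question = 'What&amp;#039 ;s your &lt;b&gt;favourite&lt;/b&gt; tool?';
$payload  = [
    'question' => example_decode_legacy_text($question),
    'note'     => '</script><b>"quoted"</b>',
];
?>
<p><?= example_safe_text($question) ?></p>
<script>
  var widgetPayload = <?= example_js_payload($payload) ?>;
</script>
```

The decoded string is only safe after the context-specific encoder runs: htmlspecialchars for HTML text and attributes, json_encode for the script block. Values read back out of widgetPayload on the client still need safe DOM insertion (textContent rather than innerHTML).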

5. Tightened question/field value handling

I ensured question text and field values are decoded and sanitized before render paths consume them, and initialized field structures explicitly to avoid stale assumptions.

Outcome

The post-migration pass gave me three concrete wins:

  • better rendering for older stored content
  • safer output boundaries in PHP + JS handoff
  • fewer fragile assumptions in widget field processing

Infrastructure migration gets you online; this kind of compatibility pass makes the system dependable in production.