Embedded quote in restapi plugin html message

I am using the restapi AddCampaign call to automate campaign creation.

I have discovered that when the message argument contains HTML with quotes, the quotes get escaped with backslashes when written to the database, and this then breaks the email messages that are sent.

A simple example:

<div id="myData">
auto generated stuff

is stored in the database as:

<div id=\"myData\">
auto generated stuff

When the same data is entered via phpList Send a campaign page, the HTML is saved in the database without the quotes being escaped.

I am hoping there is something simple I can do with the data passed to the API to prevent this, but nothing I have tried makes a positive difference.

Any ideas or suggestions?


@tdgjrb I found the same problem and made a small change to one of the plugin files to remove backslashes at the start of the processing, see

Thanks Duncan! You’re the best.

I was actually looking at doing that just for the following line, but I am always a little reluctant to modify the distributed code for fear of unintended consequences.


public static function campaignAdd()
        $sql = 'INSERT INTO '.$GLOBALS['tables']['message'].' (subject, fromfield, replyto, message, textmessage, footer, entered, status, sendformat, template, embargo, rsstemplate, owner, htmlformatted ) VALUES ( :subject, :fromfield, :replyto, :message, :textmessage, :footer, now(), :status, :sendformat, :template, :embargo, :rsstemplate, :owner, :htmlformatted );';
        try {
            $db = PDO::getConnection();
            $stmt = $db->prepare($sql);
            $stmt->bindParam('subject', $_REQUEST['subject'], PDO::PARAM_STR);
            $stmt->bindParam('message', stripslashes($_REQUEST['message']), PDO::PARAM_STR);
            $stmt->bindParam('textmessage', $_REQUEST['textmessage'], PDO::PARAM_STR);
            $stmt->bindParam('htmlformatted', $_REQUEST['htmlformatted'], PDO::PARAM_STR);
            $id = $db->lastInsertId();
            $db = null;
        } catch (\Exception $e) {

I will go with your more global fix under the presumption that it has been in use without issues and that it may also prevent a similar issue with a different attribute.

Happy Christmas!