Don't overly escape Meteor.settings.public

Fixes #3730.

Testing Done:
Manual testing based on the report in #3730. Also confirmed that `</script>` is not a problem.

I would have added a test-packages test but there's no easy way to override Meteor.settings in test-packages.

Bugs closed: 3730

Reviewed at https://rbcommons.com/s/meteor/r/1/

packages/boilerplate-generator/boilerplate_web.browser.html

@@ -3,7 +3,7 @@
 {{#each css}}  <link rel="stylesheet" type="text/css" class="__meteor-css__" href="{{../bundledJsCssPrefix}}{{url}}">{{/each}}
 
 {{#if inlineScriptsAllowed}}
-<script type='text/javascript'>__meteor_runtime_config__ = {{meteorRuntimeConfig}};</script>
+<script type='text/javascript'>__meteor_runtime_config__ = JSON.parse(decodeURIComponent({{meteorRuntimeConfig}}));</script>
 {{else}}
 <script type='text/javascript' src='{{rootUrlPathPrefix}}/meteor_runtime_config.js'></script>
 {{/if}}

packages/boilerplate-generator/boilerplate_web.cordova.html

@@ -8,7 +8,7 @@
 {{#each css}}  <link rel="stylesheet" type="text/css" class="__meteor-css__" href="{{../bundledJsCssPrefix}}{{url}}">{{/each}}
 
   <script type='text/javascript'>
-    __meteor_runtime_config__ = {{meteorRuntimeConfig}};
+    __meteor_runtime_config__ = JSON.parse(decodeURIComponent({{meteorRuntimeConfig}}));
 
     if (/Android/i.test(navigator.userAgent)) {
       // When Android app is emulated, it cannot connect to localhost,

packages/webapp/package.js

@@ -31,4 +31,5 @@ Package.onUse(function (api) {
 Package.onTest(function (api) {
   api.use(['tinytest', 'webapp', 'http']);
   api.addFiles('webapp_tests.js', 'server');
+  api.addFiles('webapp_client_tests.js', 'client');
 });

packages/webapp/webapp_client_tests.js

@@ -0,0 +1,5 @@
+// Regression test for #3730
+Tinytest.add("webapp - runtime config", function (test) {
+  test.equal(__meteor_runtime_config__.WEBAPP_TEST_A, '<p>foo</p>');
+  test.equal(__meteor_runtime_config__.WEBAPP_TEST_B, '</script>');
+});

packages/webapp/webapp_server.js

@@ -289,7 +289,14 @@ WebAppInternals.generateBoilerplateInstance = function (arch,
             };
           }
         ),
-        meteorRuntimeConfig: JSON.stringify(runtimeConfig),
+        // Convert to a JSON string, then get rid of most weird characters, then
+        // wrap in double quotes. (The outermost JSON.stringify really ought to
+        // just be "wrap in double quotes" but we use it to be safe.) This might
+        // end up inside a <script> tag so we need to be careful to not include
+        // "</script>", but normal {{spacebars}} escaping escapes too much! See
+        // https://github.com/meteor/meteor/issues/3730
+        meteorRuntimeConfig: JSON.stringify(
+          encodeURIComponent(JSON.stringify(runtimeConfig))),
         rootUrlPathPrefix: __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || '',
         bundledJsCssPrefix: jsCssPrefix,
         inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed(),

packages/webapp/webapp_tests.js

@@ -155,3 +155,6 @@ Tinytest.add("webapp - generating boilerplate should not change runtime config",
 
   test.isFalse(__meteor_runtime_config__.WEBAPP_TEST_KEY);
 });
+
+__meteor_runtime_config__.WEBAPP_TEST_A = '<p>foo</p>';
+__meteor_runtime_config__.WEBAPP_TEST_B = '</script>';

tools/commands-cordova.js

@@ -331,7 +331,8 @@ var generateCordovaBoilerplate = function (projectContext, clientDir, options) {
     urlMapper: _.identity,
     pathMapper: function (p) { return files.pathJoin(clientDir, p); },
     baseDataExtension: {
-      meteorRuntimeConfig: JSON.stringify(runtimeConfig)
+      meteorRuntimeConfig: JSON.stringify(
+        encodeURIComponent(JSON.stringify(runtimeConfig)))
     }
   });
   return boilerplate.toHTML();