"&" is not escaped on output it leads to many problems. For example:
- go to graph creation form, enter graph name as "graph >", click preview button, after refresh graph name converts to "graph >".
- previous leads to two graphs/apps/items... with identical names. Create one with ">" in name, another with ">". In frontend these will look identical.
- in item list subfilter if item has application which name contain ">" subfilter for that app can be enabled but then connot be disabled.
Solution apply sheath function CHtml::encode() to every field which is displaying inside not input element.