Clean JSON output of user-controlled strings

JSON has some strict rules about what can be escaped, and we should have
been scrubbing to entities all along.

docs/CHANGELOG

@@ -4,6 +4,8 @@
 
 --------------------------------------------------------------------------
   v.3.6-Alpha2
+        - Fixed JSON escaping issue that broke search in some cases
+                (reported by XeeNiX)
         - Added admin_enable_required option to user registration
         - Fixed session issue preventing some users from streaming
                 (reported by miir01)

lib/javascript/search-data.php

@@ -29,7 +29,9 @@ function arrayToJSON($array) {
 			$json .= arrayToJSON($value);
 		}
 		else {
-			$json .= '"' . $value . '"';
+			// Make sure to strip backslashes and convert things to
+			// entities in our output
+			$json .= '"' . scrub_out(str_replace('\\', '', $value)) . '"';
 		}
 		$json .= ' , ';
 	}