CIA-Homebrew / BJCP-Scoresheet

Digital form of BJCP scoresheet for beer judging.
GNU General Public License v3.0

Double quotes in text fields prevent JSON parsing when editing scoresheet #89

Closed prphntm63 closed 4 years ago

prphntm63 commented 4 years ago

Double quotes in block text need to be escaped before sending data.

Heck, the whole thing should be sanitized before sending.

PH-Lazurous commented 4 years ago

(going off memory) Sequelize at a minimum escapes all strings to help with things like this, but there is an additional layer we can add that would sanitize even further. I'll have to do a bit of digging on this just to double-check, but that was what I remembered. However, I do not think we are doing anything in the update routine on the client side besides creating a JSON string and then posting to the backend; not sure if that is where we are having the break in things as well.

prphntm63 commented 4 years ago

It's a stupid issue based on quote escaping, purely due to how we load the object data into the script in the pug template. We should revisit this and do it properly, with a POST fetch. Lol.
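The quoting problem described in this thread is a general one: JSON that is dropped into an inline `<script>` by a server-side template breaks on the first `"` if it is wrapped in a string literal, and, worse, a `</script>` inside any text field ends the script element and lets the data run as markup. The following is an added example, not code from the BJCP-Scoresheet project: it reproduces the broken pattern next to a serializer that is safe to interpolate unescaped (with Pug's `!{}`, the one place such output belongs). The `sampleScoresheet` record, the function names and the `new Function` harness are all constructed for the demonstration.

```javascript
// Added example (not the project's code): why quotes in text fields break
// a scoresheet object embedded in an inline <script>, and a safe serializer.

// Constructed sample record: a double-quoted comment (the bug from the
// issue), a closing script tag and a U+2028 line separator (two more
// characters that break naive inline-script embedding).
const sampleScoresheet = {
  entry: 42,
  aroma: 'Light "biscuit" malt, no DMS',
  overall: 'Great beer </script><img src=x onerror=alert(1)>',
  notes: 'line\u2028sep',
};

// Naive embedding: drop the JSON text into a double-quoted JS string and
// JSON.parse it client-side. The first " inside the data closes the string
// literal early, so the whole script is a syntax error.
function naiveEmbed(obj) {
  return `var data = JSON.parse("${JSON.stringify(obj)}");`;
}

// Safe embedding: JSON.stringify output is already a valid JS object literal,
// so no wrapping string is needed and no quote escaping is required. What
// still must be escaped are the characters that matter inside an HTML
// <script> element: < > & (so "</script>" cannot terminate the element) and
// U+2028/U+2029 (line terminators in older JS engines). All are replaced by
// \uXXXX escapes, which a JS parser turns back into the original characters.
function safeJsonForScript(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function safeEmbed(obj) {
  return `var data = ${safeJsonForScript(obj)};`;
}

// Execute the generated script text the way a browser would and report
// whether it parsed and what `data` came out. new Function lets this run
// offline in Node; in the real page the text sits in an inline <script>.
function runEmbedded(scriptText) {
  try {
    const fn = new Function(scriptText + ' return data;');
    return { ok: true, data: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

console.log('naive :', runEmbedded(naiveEmbed(sampleScoresheet)));
console.log('safe  :', runEmbedded(safeEmbed(sampleScoresheet)));
```

Two caveats on where the output goes. The `\uXXXX` escaping only makes the text safe as JavaScript source inside a script element; the same string must not be placed in an HTML attribute or element body, where a different escaping applies. And if the template interpolates it with Pug's escaping `#{}` rather than `!{}`, every `"` becomes `&quot;`, which browsers do not decode inside `<script>`, so `JSON.parse` would fail again for a different reason. Fetching the record with a POST, as suggested above, sidesteps all of this because the data never passes through the HTML template at all.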