cloudera / hue

Open source SQL Query Assistant service for Databases/Warehouses
https://cloudera.com
Apache License 2.0

Recent queries display character encoding in view and in query editor #157

Closed jpsandiego closed 9 years ago

jpsandiego commented 9 years ago

I am testing an upgrade from CDH 5.0.2 to CDH 5.3.2 and Hue 3.5.0 to Hue 3.7.0 (also Hive 0.12.0 to Hive 0.13.0) and within the Query Editor screen (A) I have lost my recent queries history that I thought should have imported/merged during the upgrade and (B) more importantly, I'm getting character encoding showing up in the 'Recent queries' view. So after I run "select * from tablename WHERE UTC = '2015-03-05' LIMIT 10", the recent query will show select * from tablename WHERE UTC = '2015-03-05' LIMIT 10

Questions:
A) Is the loss of recent history expected?
B) Is the encoding a configuration issue?

In the saved config and the new config I see that both had the encoding parameter commented out:

hue.ini: ## default_site_encoding=utf-8
hue.ini.rpmnew: ## default_site_encoding=utf-8

Enabling utf-8 in hue.ini and restarting doesn't change the visual effect

Clicking on the item from recent history so that it populates the Query Editor does cause the correct/valid query to be rendered.

romainr commented 9 years ago

A) Query history should be kept when you upgrade, similarly to all your other saved queries. One possibility could be that Hue is pointing to another DB or you are logged in as another user.

B) This is indeed a bug https://issues.cloudera.org/browse/HUE-2618

jpsandiego commented 9 years ago

As far as I can tell the loss of recent queries may be more related to our use of sqlite than the upgrade to Hue. I just completed the migration from sqlite to MySQL under Hue 3.5.0 and could take that data dump to my Hue 3.7.0 environment and it imported successfully with the history and stored queries.

Now that I have a full production sample of recent query history and saved queries, I can report that the display issue within the 'recent history' does not happen within the actual History "subtab" (where I then click on "Show everyone's queries") - it is unique with the recentQueries table. This really needs fixing.

The bug (https://issues.cloudera.org/browse/HUE-2618) was actually submitted by me as well, as I was not certain if I should be submitting to Github or Cloudera's tracker.

jpsandiego commented 9 years ago

The issue lies in /apps/beeswax/src/beeswax/templates/execute.mako and its call to use hue.htmlEncode - or maybe with the htmlEncode methods. Looks like that came from "HUE-2396 [beeswax] Fix Cross-site scripting(XSS) vulnerbility".

As a simple test, if I remove the hue.htmlEncode() call from line 1101, the SQL displays as expected.

            '<code style="cursor:pointer">' + hue.htmlEncode(item.query) + '</code>',
#replace with
            '<code style="cursor:pointer">' + item.query + '</code>',

Other parts of Hue don't rely upon this htmlEncode method, so maybe there's a newer/better way to handle XSS safely in this context.

romainr commented 9 years ago

Enrico will have a look when he is back. I think the call was there to make sure new queries added without reloading the page are escaped but this is indeed not smart.

enricoberti commented 9 years ago

We don't actually need the hue.htmlEncode there since the values are already encoded by the datatable fnAdd plugin! Pushing the fix now

enricoberti commented 9 years ago

And fixed! Thanks for bringing this up!
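
The double encoding diagnosed in this thread, reproduced as an added example that is not code from Hue or from any commenter. The helpers htmlEncode, displayedText, renderRecentQuery and looksDoubleEncoded are hypothetical, and the sink that encodes on insert is an assumption standing in for the table plugin behaviour described above.

```javascript
// Added example: hypothetical helpers, not hue.htmlEncode or the DataTables plugin.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five HTML-significant characters.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// What a browser shows for encoded markup: exactly one level of entities decoded.
// A single global pass never rescans its own output, so "&amp;#39;" becomes "&#39;".
function displayedText(markup) {
  return markup.replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) =>
    Object.keys(ENTITIES).find((ch) => ENTITIES[ch] === entity));
}

// Render one cell through a sink that encodes on insert (assumed behaviour).
// callerAlsoEncodes = true models a template that pre-encodes before the sink.
function renderRecentQuery(query, callerAlsoEncodes) {
  const cell = callerAlsoEncodes ? htmlEncode(query) : query;
  const markup = htmlEncode(cell); // the sink's own encoding
  return { markup, shown: displayedText(markup) };
}

// Regression heuristic for rendered markup: an encoded ampersand that is itself
// followed by an entity name. A query containing the literal text "&amp;" would
// also match, so treat a hit as a prompt to inspect, not as proof.
function looksDoubleEncoded(markup) {
  return /&amp;(?:amp|lt|gt|quot|#\d+);/.test(markup);
}

// Query text taken from the report above.
const SAMPLE_QUERY = "select * from tablename WHERE UTC = '2015-03-05' LIMIT 10";

for (const callerAlsoEncodes of [false, true]) {
  const { markup, shown } = renderRecentQuery(SAMPLE_QUERY, callerAlsoEncodes);
  console.log(callerAlsoEncodes ? 'encoded twice:' : 'encoded once: ', shown,
    '| double-encoded markup:', looksDoubleEncoded(markup));
}
```

Encoding once at the sink keeps markup characters inert and still displays the query as typed; the second encoding adds no protection and only corrupts the display.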