xresch / EngineeredMonitoringPlatform


HTML encoding when saving in Parameters editor dialog breaks SQL code #5

Open bittner opened 2 weeks ago

bittner commented 2 weeks ago

The 🎛 Params editor dialog allows editing an EMP-style SQL query (e.g. for "Query Select" widgets), and it offers both an Execute button on top of each editor textarea and the large Save button at the bottom of the editor dialog screen.

Problem Scenario

When you use a complex query that contains single quotes then pressing the Execute button runs the query just fine, displaying the results at the lower end of the screen in an overlay. But when the Save button is pressed, the content of each textarea is apparently HTML-encoded before saving, which immediately leads to an SQL error, e.g.

Issue executing prepared statement: ORA-00911: invalid character

Problem Analysis

The "invalid character" is apparently the ampersand ("&"). This can be seen when closing the editor dialog and reopening it again: The single quotes in the SQL have been replaced by a character sequence of "'".

When you now save the content again, the same error pops up again. And when you then close and reopen the editor dialog, you'll see that the occurrences of "'" have been replaced by "'", which confirms the assumption that HTML encoding is being performed.

Expected Behavior

Since brute-force HTML encoding breaks the SQL code, it should not be done on SQL code.

If the SQL code is HTML-encoded for some particular reason (e.g. permissions, security concerns), the application should stop the user from saving the content to avoid breaking pre-existing code; instead, the user should get appropriate and actionable feedback.
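As an added illustration (not code from EngineeredMonitoringPlatform or CoreFramework), the following simulates the save/reopen cycle described above: encoding on every save double-encodes the stored query, while storing the raw SQL and encoding only at render time keeps it intact. It also shows the save-time check the expected behavior asks for. The entity `&#39;` for a single quote, the function names and the sample query are assumptions.

```javascript
// Added illustration (not code from EngineeredMonitoringPlatform or CoreFramework):
// why HTML-encoding a SQL parameter on every save corrupts it, and the safer
// alternative of storing the raw text and encoding only when rendering to HTML.

// Minimal HTML encoder. The exact entity the platform emits for a single quote
// is not shown in the issue; "&#39;" is assumed here.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Buggy flow from the issue: the value is encoded on save, reloaded into the
// editor as-is, and encoded again on the next save ("'" -> "&#39;" -> "&amp;#39;").
function saveEncoded(editorText) {
  return htmlEncode(editorText);
}

// Safer flow: persist SQL verbatim; escape at the point it is placed into HTML.
function saveRaw(editorText) {
  return editorText;
}
function renderForHtml(stored) {
  return htmlEncode(stored);
}

// Run the same text through N save/reopen cycles with the given save function.
function simulateSaves(sql, saveFn, rounds) {
  let stored = sql;
  for (let i = 0; i < rounds; i++) stored = saveFn(stored);
  return stored;
}

// Detection: a stored query containing an HTML entity has been mangled and will
// fail in the database (Oracle reports the '&' as ORA-00911 invalid character).
function looksHtmlEncoded(stored) {
  return /&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);/.test(stored);
}

// The behaviour the issue asks for: if the sanitiser would alter the SQL and the
// user lacks the "Allow HTML" permission, refuse the save with actionable feedback
// instead of silently storing a broken query. Returns null when saving is allowed.
function checkSaveAllowed(editorText, user) {
  if (user.allowHtml || htmlEncode(editorText) === editorText) return null;
  return "Save rejected: the text contains characters (' \" < > &) that would be " +
         "HTML-encoded and break the SQL. Ask an admin for the 'Allow HTML' permission.";
}

// Constructed sample query, not taken from the issue.
const SAMPLE_SQL = "SELECT host FROM checks WHERE status = 'UP' AND env = 'prod'";
console.log(simulateSaves(SAMPLE_SQL, saveEncoded, 2)); // shows the "&amp;#39;" mangling
console.log(checkSaveAllowed(SAMPLE_SQL, { allowHtml: false }));
```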

xresch commented 2 weeks ago

Hi @bittner,

this issue is currently caused by the missing permission "Allow HTML". However, I will check if I can disable the HTML sanitation for all Parameters, as in this case it would make sense to not have sanitation for HTML and only for Javascript.

Cheers, Reto

iSimsi commented 2 weeks ago

Hi @xresch, the "Allow Javascript" permission is also needed to avoid error messages while saving the Parameters, like: "There is no such method with the name 'CAST'" and "JsonObject".

xresch commented 2 weeks ago

Issue has been addressed in CoreFramework:

Query Select Param: https://github.com/xresch/CoreFramework/commit/e036fad0957a343981d12f9d524a4f09d9023b75

Other Params: https://github.com/xresch/CoreFramework/commit/cc09c7680265e3a342f8ed27a72c20a3416b1a2a