
Mustache templates should escape JSON, not HTML #5473

Closed
clintongormley opened this issue Mar 20, 2014 · 2 comments · Fixed by #5479

Comments

@clintongormley

Currently we're using the default escape method from Mustache, which is intended for escaping HTML, not JSON.

This results in things like `"` -> `&quot;`

Instead, we should be using these escapes:

```
\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\"  Double quote
\\  Backslash
```

@clintongormley
Author

Test case:

```
DELETE /t

PUT /t
{
  "mappings": {
    "foo": {
      "properties": {
        "bar": {
          "type": "string",
          "index": "not_analyzed"
        }
      }
    }
  }
}

PUT /t/foo/1
{
  "foo": "bar&"
}

GET /_search/template
{
  "template": {
    "query": {
      "term": {
        "foo": "{{foo}}"
      }
    }
  },
  "params": {
    "foo": "bar&"
  }
}
```

@s1monw s1monw self-assigned this Mar 20, 2014
@s1monw
Contributor

s1monw commented Mar 20, 2014

cool I will take a look at it

@s1monw s1monw closed this as completed in 9cd3e85 Mar 20, 2014
s1monw added a commit that referenced this issue Mar 20, 2014
The default mustache engine was using HTML escaping which breaks queries
if used with JSON etc. This commit adds escaping for:

```
\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\"  Double quote
\\  Backslash
```

Closes #5473
MaineC pushed a commit to MaineC/elasticsearch that referenced this issue Apr 27, 2015
This pull request replaces the current self-made implementation of JSON encoding special chars with re-using the Jackson JsonStringEncoder. Turns out the previous implementation also missed a few special chars so had to adjust the tests accordingly (looked at RFC 4627 for reference).

Note: There's another JSON String encoder on our classpath (org.apache.commons.lang3.StringEscapeUtils) that essentially does the same thing but adds quoting to more characters than the Jackson Encoder above.

Relates to elastic#5473
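An added example in Python (not code from the issue, the commits, or Elasticsearch) that puts the issue's test case and the RFC 4627 point from the commit message above side by side: the same `{{foo}}` parameter rendered with HTML escaping, with JSON escaping, and with none. `render` is a stand-in for the Mustache engine and `html_escape` uses Python's `html.escape` in place of Mustache's default escaper; note that JSON has no `\v` escape, so vertical tab, like every other control character, is emitted as `\u00XX`.

```python
import html
import json
import re

# Constructed sample: the search template from the issue's test case.
TEMPLATE = '{"query": {"term": {"foo": "{{foo}}"}}}'

# Escapes with a short form in RFC 4627 (JSON has no \v; see json_escape).
SHORT_ESCAPES = {"\b": "\\b", "\f": "\\f", "\n": "\\n", "\r": "\\r",
                 "\t": "\\t", '"': '\\"', "\\": "\\\\"}

def json_escape(value: str) -> str:
    """Escape a parameter so it is safe inside a JSON string literal."""
    out = []
    for ch in value:
        if ch in SHORT_ESCAPES:
            out.append(SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))  # \v, NUL, ESC, ... as \u00XX
        else:
            out.append(ch)
    return "".join(out)

def html_escape(value: str) -> str:
    """Python's HTML escaper, standing in for Mustache's default escaping."""
    return html.escape(value, quote=True)

def render(template: str, params: dict, escape) -> str:
    """Minimal {{name}} substitution standing in for the Mustache engine."""
    return re.sub(r"\{\{(\w+)\}\}",
                  lambda m: escape(str(params[m.group(1)])), template)

def is_valid_json(text: str) -> bool:
    """True if the rendered template still parses as JSON."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

def term_value(rendered: str) -> str:
    """The value the rendered term query would actually search for."""
    return json.loads(rendered)["query"]["term"]["foo"]

if __name__ == "__main__":
    for name, esc in (("html", html_escape), ("json", json_escape)):
        rendered = render(TEMPLATE, {"foo": "bar&"}, esc)
        print(name, rendered, "->", term_value(rendered))
    print("unescaped still JSON?",
          is_valid_json(render(TEMPLATE, {"foo": 'a"b'}, lambda v: v)))
```

With HTML escaping the query is valid JSON but searches for `bar&amp;`, so the indexed document is never found; with no escaping a `"` in the parameter breaks the query entirely; with JSON escaping the value round-trips unchanged.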
MaineC pushed a commit that referenced this issue Apr 28, 2015
mute pushed a commit to mute/elasticsearch that referenced this issue Jul 29, 2015