Input sanetizer

AlaSQL · Mar 6, 2021 · 8b9223b · 8b9223b
1 parent a947183
commit 8b9223b
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 6 deletions.
diff --git a/src/40select.js b/src/40select.js
@@ -328,7 +328,7 @@ yy.Select.prototype.compile = function (databaseid, params) {
 			// If this is INTO() function, then call it
 			// with one or two parameters
 			//
-			var qs = "return alasql.into['" + this.into.funcid.toUpperCase() + "'](";
+			var qs = "return alasql.into[" + JSON.stringify(this.into.funcid.toUpperCase()) + "](";
 			if (this.into.args && this.into.args.length > 0) {
 				qs += this.into.args[0].toJS() + ',';
 				if (this.into.args.length > 1) {

diff --git a/src/420from.js b/src/420from.js
@@ -186,7 +186,7 @@ yy.Select.prototype.compileFrom = function (query) {
 			ps += ');if(cb)res=cb(res,idx,query);return res';
 			source.datafn = new Function('query,params,cb,idx,alasql', ps);
 		} else if (tq instanceof yy.FuncValue) {
-			ps = "var res=alasql.from['" + tq.funcid.toUpperCase() + "'](";
+			ps = "var res=alasql.from[" + JSON.stringify(tq.funcid.toUpperCase()) + "](";
 			/*/*
 			// if(tq.args && tq.args.length>0) {
 			// 	s += tq.args.map(function(arg){

diff --git a/src/421join.js b/src/421join.js
@@ -194,7 +194,7 @@ yy.Select.prototype.compileJoins = function (query) {
 			"var res=alasql.prepareFromData(params['"+jnparam+"']);if(cb)res=cb(res, idx, query);return res");
 */
 
-			var s = "var res=alasql.from['" + jn.func.funcid.toUpperCase() + "'](";
+			var s = "var res=alasql.from[" + JSON.stringify(jn.func.funcid.toUpperCase()) + "](";
 			/*/*
 		// if(tq.args && tq.args.length>0) {
 		// 	s += tq.args.map(function(arg){

diff --git a/src/50expression.js b/src/50expression.js
@@ -397,7 +397,7 @@ yy.Op.prototype.toJS = function (context, tableid, defcols) {
 			if (!(!this.right.args || 0 === this.right.args.length)) {
 				var ss = this.right.args.map(ref);
 			}
-			s = '' + ljs + "['" + this.right.funcid + "'](" + ss.join(',') + ')';
+			s = '' + ljs + "[" + JSON.stringify(this.right.funcid) + "](" + ss.join(',') + ')';
 		} else {
 			s = '' + ljs + '[' + rightJS() + ']';
 		}
@@ -979,7 +979,7 @@ yy.AggrValue = function (params) {
 yy.AggrValue.prototype.toString = function (dontas) {
 	var s = '';
 	if (this.aggregatorid === 'REDUCE') {
-		s += this.funcid + '(';
+		s += this.funcid.replace(re_invalidFnNameChars, '') + '(';
 	} else {
 		s += this.aggregatorid + '(';
 	}

diff --git a/src/55functions.js b/src/55functions.js
@@ -9,13 +9,15 @@
 yy.FuncValue = function (params) {
 	return yy.extend(this, params);
 };
+
+var re_invalidFnNameChars = /[^0-9A-Z_$]+/i;
 yy.FuncValue.prototype.toString = function (dontas) {
 	var s = '';
 
 	if (alasql.fn[this.funcid]) s += this.funcid;
 	else if (alasql.aggr[this.funcid]) s += this.funcid;
 	else if (alasql.stdlib[this.funcid.toUpperCase()] || alasql.stdfn[this.funcid.toUpperCase()])
-		s += this.funcid.toUpperCase();
+		s += this.funcid.toUpperCase().replace(re_invalidFnNameChars, '');
 
 	if (this.funcid !== 'CURRENT_TIMESTAMP') {
 		s += '(';