
Database Extension: input validation for database connection data #2151

Merged (3 commits), Sep 27, 2019

Conversation

@tcbuzor tcbuzor (Contributor) commented Sep 9, 2019

Validate Connection input data from frontend and backend. Sanitize database connection information before adding to the DOM.

@wetneb wetneb (Sponsor Member) left a comment

Thanks a lot Tonio for tackling this!

I would have intuitively gone for a different approach: HTML-sanitize the DB credentials before rendering them to the DOM, directly in the JS frontend. Did I miss any reason why this would not work? See the comments inline.

@thadguidry (Member) commented

@tcbuzor Thanks Tony for continuing to work on this! Much appreciated!

var a = $('<a href="#" class="pure-menu-link context-menu-one"></a>').appendTo(li);
$('<span class="context-menu-text"></span>').text(savedConnection.connectionName)
.appendTo(a);
$('<span class="sc-context-more-vert pull-right"> </span>').appendTo(a);
Inline review comment (Sponsor Member) on the lines above:

This is a better way to construct DOM elements in jQuery: just use the text() method of a jQuery element, which already does the escaping for you.
In general, all user-supplied text should be inserted in this way in the UI. Manually concatenating HTML code in JavaScript is a bad sign.
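
To make the point above concrete, here is an added example (not OpenRefine's code) that renders the same menu markup as the snippet, once by concatenating the raw connection name and once with the name escaped as text. In the browser, jQuery's .text() does this escaping for you by creating a text node; the explicit escapeHtml helper, the renderUnsafe/renderSafe/hasInjectedTag names and the sample connection name are assumptions made so the example runs in Node without a DOM.

```javascript
// Added example: why the PR's $('<span>').text(connectionName) is the safe choice.
// Node has no DOM, so renderSafe() escapes explicitly; in the browser the DOM's
// textContent (what jQuery's .text() sets) performs the same job for you.

// Minimal HTML escaper for the characters that can change markup context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the review warns against: untrusted text concatenated into HTML.
// Anything markup-like in connectionName becomes real elements in the page.
function renderUnsafe(connectionName) {
  return '<a href="#" class="pure-menu-link context-menu-one">' +
    '<span class="context-menu-text">' + connectionName + '</span>' +
    '<span class="sc-context-more-vert pull-right"> </span></a>';
}

// Equivalent of the PR's .text(savedConnection.connectionName): the name is
// inserted as text, so it can never introduce elements or attributes.
function renderSafe(connectionName) {
  return '<a href="#" class="pure-menu-link context-menu-one">' +
    '<span class="context-menu-text">' + escapeHtml(connectionName) + '</span>' +
    '<span class="sc-context-more-vert pull-right"> </span></a>';
}

// Check: does the rendered markup contain any tag other than the <a> and
// <span> elements the template itself emits?
function hasInjectedTag(html) {
  const allowed = new Set(['a', 'span']);
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a saved connection whose name contains markup characters.
const sampleName = 'prod <b>db</b> & "mirror"';

console.log('unsafe injects tag:', hasInjectedTag(renderUnsafe(sampleName))); // true
console.log('safe injects tag:  ', hasInjectedTag(renderSafe(sampleName)));   // false
```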

@wetneb wetneb merged commit 1a79176 into OpenRefine:master Sep 27, 2019