
datadict could not insert special characters #1803

Merged

Conversation

gluneau
Contributor

@gluneau gluneau commented May 16, 2016

added unsafe to insert query and phpcs

@gluneau gluneau added the Bug PR or issue introducing/requiring bug fixes (not mutually exclusive with the Feature label) label May 16, 2016
@gluneau gluneau added this to the 16.0 milestone May 16, 2016
@codecov-io

Current coverage is 15.09%

Merging #1803 into 17.0-dev will not change coverage

@@           17.0-dev      #1803   diff @@
==========================================
  Files           122        122           
  Lines         19713      19713           
  Methods        1081       1081           
  Messages       7539          0   -7539   
  Branches          0          0           
==========================================
  Hits           2975       2975           
  Misses        16738      16738           
  Partials          0          0           


Powered by Codecov. Last updated by 3b4bf6e...14e09e3

@johnsaigle johnsaigle added the Discussion Required PR or issue awaiting the resolution of a discussion between all involved parties label May 17, 2016
@johnsaigle
Contributor

The use case here doesn't match the description of the function:

This will insert a row. HTML from any field in the row will not be automatically escaped. This should only be called when we know the source of the input is trustworthy and must contain HTML.

Since this was changed to allow for entering a value of <TEST_NAME>, and this seems to be a placeholder name, it might be better to just use a different pair of delimiters around "TEST_NAME".

@gluneau
Contributor Author

gluneau commented May 17, 2016

The front end joins two tables parameter_type and parameter_type_override.

This issue arises when an item is in tables parameter_type and not parameter_type_override.

Therefore this script will try to make the entry in parameter_type_override.

Since the data already made it in parameter_type, it is safe to assume that it is wanted as well in parameter_type_override.

The issue was discovered because the safe insert had transformed < into &lt; and could not join the table, and would try to re-insert it every time. This caused a server error because we cannot insert duplicates in parameter_type_override.
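To make the failure mode above concrete, here is an added Python simulation (not LORIS code) of the sync described in this thread: parameter_type and parameter_type_override are modelled as in-memory lists with a unique Name key, and a "safe" insert that HTML-escapes on write is compared with a verbatim insert plus escaping at render time.

```python
import html

# Constructed stand-in for the parameter_type table; the name with angle
# brackets is the placeholder value that triggered the bug in the thread.
parameter_type = [{"Name": "<TEST_NAME>"}, {"Name": "age"}]


class DuplicateEntry(Exception):
    """Stand-in for the DB error raised when Name is already present."""


def insert(table, row, escape):
    """Insert `row`; escape=True mimics escape-on-write, False mimics unsafeinsert."""
    stored = {k: (html.escape(v) if escape else v) for k, v in row.items()}
    if any(r["Name"] == stored["Name"] for r in table):
        raise DuplicateEntry(stored["Name"])
    table.append(stored)


def sync_overrides(escape, runs=3):
    """Run the override sync `runs` times; return (override rows, duplicate errors)."""
    override, duplicates = [], 0
    for _ in range(runs):
        joined = {r["Name"] for r in override}  # what the front-end JOIN matches on
        for row in parameter_type:
            if row["Name"] in joined:
                continue  # join succeeds, nothing to insert
            try:
                insert(override, row, escape)
            except DuplicateEntry:
                # Escaped copy already exists but the raw name never joins,
                # so every run retries the insert and hits the unique key.
                duplicates += 1
    return override, duplicates


def render(row):
    """Escape at the output boundary, as the React front end does."""
    return html.escape(row["Name"])


if __name__ == "__main__":
    rows, errors = sync_overrides(escape=True)
    print("escape on write:", rows, "duplicate errors:", errors)
    rows, errors = sync_overrides(escape=False)
    print("verbatim insert:", rows, "duplicate errors:", errors)
    print("rendered:", [render(r) for r in rows])
```

Escaping on write stores a value the raw-name join can never match, so each run re-attempts the insert and fails on the unique key; storing the value verbatim and escaping only when it is rendered keeps the join stable while still neutralising the markup on output.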

@johnsaigle
Contributor

@driusan I think @samirdas wanted you to look at this when you get some time. Basically, whether you think that the trust boundary between parameter_type and parameter_type_override is secure enough to allow for the use of unsafeinsert.

@stellarxo stellarxo added the Needs Work PR awaiting additional changes by the author or contains issues that the author needs to fix label May 24, 2016
@jstirling91 jstirling91 added PassedCodeReview and removed Discussion Required PR or issue awaiting the resolution of a discussion between all involved parties Needs Work PR awaiting additional changes by the author or contains issues that the author needs to fix labels May 27, 2016
@jstirling91
Contributor

React is escaping these columns

@samirdas samirdas merged commit 55833c0 into aces:16.04-dev May 27, 2016