
Mustache templates should escape JSON, not HTML #5473

Closed
clintongormley opened this issue Mar 20, 2014 · 2 comments

@clintongormley (Member) commented Mar 20, 2014

Currently we're using the default escape method from Mustache, which is intended for escaping HTML, not JSON.

This results in things like `"` -> `&quot;`

Instead, we should be using these escapes:

```
\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\"  Double quote
\\  Backslash
```
@clintongormley (Member, Author) commented Mar 20, 2014

Test case:

```
DELETE /t

PUT /t
{
  "mappings": {
    "foo": {
      "properties": {
        "bar": {
          "type": "string",
          "index": "not_analyzed"
        }
      }
    }
  }
}

PUT /t/foo/1
{
  "foo": "bar&"
}

GET /_search/template
{
  "template": {
    "query": {
      "term": {
        "foo": "{{foo}}"
      }
    }
  },
  "params": {
    "foo": "bar&"
  }
}
```
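The failure described above and the escape table from the first comment, worked through as an added example (this is not code from the issue or from Elasticsearch; it is a stand-alone Python illustration). It assumes a minimal `{{name}}` substitution standing in for the Mustache engine, a hypothetical `render_and_parse` helper that renders the search template from the test case and then parses the result, and constructed parameter values. HTML escaping turns `bar&` into `bar&amp;`: the rendered JSON still parses, but the term that reaches the query is silently wrong. JSON escaping keeps the value intact. Following RFC 4627 (which the later fix commit cites), the example also escapes every control character the issue's table does not name as `\u00XX`, and treats `\v` the same way, since `\v` is not a JSON escape and a strict parser would reject it.

```python
import html
import json
import re

# Escape table from the issue (constructed here as a dict). \v is deliberately
# absent: RFC 4627 does not define it, so it falls through to the \u00XX rule.
_JSON_ESCAPES = {
    "\b": "\\b",
    "\f": "\\f",
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    '"': '\\"',
    "\\": "\\\\",
}


def json_escape(value: str) -> str:
    """Escape a value so it can be placed inside a JSON string literal."""
    out = []
    for ch in value:
        if ch in _JSON_ESCAPES:
            out.append(_JSON_ESCAPES[ch])
        elif ord(ch) < 0x20:
            # Any other control character must be \u-escaped per RFC 4627.
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def html_escape(value: str) -> str:
    """The HTML-oriented escaping the default Mustache engine applied (&, <, >, ", ')."""
    return html.escape(value, quote=True)


# Minimal stand-in for Mustache's {{name}} tag (assumption: no sections, no triple braces).
_TAG = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, params: dict, escape) -> str:
    """Substitute {{name}} tags, passing each value through the given escape function."""
    return _TAG.sub(lambda m: escape(str(params[m.group(1)])), template)


# The search template from the test case, flattened to one line.
TEMPLATE = '{"query": {"term": {"foo": "{{foo}}"}}}'


def render_and_parse(params: dict, escape):
    """Render TEMPLATE and parse the result. Returns (rendered, parsed) with parsed=None
    when the rendered text is not valid JSON, i.e. the template was broken by the value."""
    rendered = render(TEMPLATE, params, escape)
    try:
        return rendered, json.loads(rendered)
    except json.JSONDecodeError:
        return rendered, None


def term_value(params: dict, escape):
    """Convenience: the value of query.term.foo after rendering, or None if unparsable."""
    _, parsed = render_and_parse(params, escape)
    return None if parsed is None else parsed["query"]["term"]["foo"]


if __name__ == "__main__":
    # Constructed sample values: the one from the issue's test case plus a hostile one.
    for value in ["bar&", 'say "hi"\n\x01']:
        print("value:          ", repr(value))
        print("  html escaping:", repr(term_value({"foo": value}, html_escape)))
        print("  json escaping:", repr(term_value({"foo": value}, json_escape)))
        print("  no escaping:  ", repr(term_value({"foo": value}, lambda s: s)))
```

With the issue's own input, `html_escape` yields a query for the literal term `bar&amp;`, which is why the search above returns nothing, while `json_escape` round-trips `bar&` exactly; with a value containing a double quote, no escaping at all leaves the template unparsable and HTML escaping again changes the term, whereas JSON escaping preserves it.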

@s1monw s1monw self-assigned this Mar 20, 2014

@s1monw (Contributor) commented Mar 20, 2014

cool I will take a look at it

@s1monw s1monw closed this in 9cd3e85 Mar 20, 2014

s1monw added a commit that referenced this issue Mar 20, 2014

Add simple escape method for special characters to template query
The default mustache engine was using HTML escaping which breaks queries
if used with JSON etc. This commit adds escaping for:

```
\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\"  Double quote
\\  Backslash
```

Closes #5473


MaineC pushed a commit to MaineC/elasticsearch that referenced this issue Apr 27, 2015

Isabel Drost-Fromm
Fix JSON encoding for Mustache templates.
This pull request replaces the current self-made implementation of JSON encoding special chars with re-using the Jackson JsonStringEncoder. Turns out the previous implementation also missed a few special chars so had to adjust the tests accordingly (looked at RFC 4627 for reference).

Note: There's another JSON String encoder on our classpath (org.apache.commons.lang3.StringEscapeUtils) that essentially does the same thing but adds quoting to more characters than the Jackson Encoder above.

Relates to elastic#5473

MaineC pushed a commit that referenced this issue Apr 28, 2015

Isabel Drost-Fromm
Fix JSON encoding for Mustache templates.
This pull request replaces the current self-made implementation of JSON encoding special chars with re-using the Jackson JsonStringEncoder. Turns out the previous implementation also missed a few special chars so had to adjust the tests accordingly (looked at RFC 4627 for reference).

Note: There's another JSON String encoder on our classpath (org.apache.commons.lang3.StringEscapeUtils) that essentially does the same thing but adds quoting to more characters than the Jackson Encoder above.

Relates to #5473

