
special characters on the data will break subscriptions #43677

Closed
paoliniluis opened this issue Jun 5, 2024 · 0 comments · Fixed by #44516
Assignees
Labels
.Backend Notifications/Slack Priority:P1 Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness Reporting/Pulses Now called Subscriptions .Team/DashViz Dashboard and Viz team Type:Bug Product defects
Milestone

Comments

@paoliniluis
Contributor

Describe the bug

Some crazy chars will break the subscriptions since batik can't handle those

To Reproduce

  1. new sql question
select '���������	
�
����������������� ������������������������������ ,',1
union all
select '���������	
�
����������������� ������������������������������ ',2
  2. save it as a bar chart
  3. add it to a dashboard
  4. send as a subscription

Expected behavior

No response

Logs

2024-06-05 13:00:05.497	2024-06-05 13:00:05,495 ERROR pulse.render :: Pulse card render error
2024-06-05 13:00:04.909	... 68 more
2024-06-05 13:00:04.909	at org.apache.batik.dom.util.SAXDocumentFactory.createDocument(SAXDocumentFactory.java:453)
2024-06-05 13:00:04.909	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
2024-06-05 13:00:04.909	at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
2024-06-05 13:00:04.909	Caused by: org.xml.sax.SAXParseException; systemId: file:///fake.svg; lineNumber: 1; columnNumber: 9159; An invalid XML character (Unicode: 0x1f) was found in the element content of the document.
2024-06-05 13:00:04.909	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2024-06-05 13:00:04.909	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
2024-06-05 13:00:04.909	at metabase.task.send_pulses.SendPulses.execute(send_pulses.clj:96)
2024-06-05 13:00:04.909	at metabase.models.task_history$do_with_task_history.invoke(task_history.clj:91)
2024-06-05 13:00:04.909	at metabase.models.task_history$do_with_task_history.invokeStatic(task_history.clj:96)
2024-06-05 13:00:04.909	at metabase.task.send_pulses.SendPulses$fn__107633.invoke(send_pulses.clj:110)
2024-06-05 13:00:04.909	at metabase.task.send_pulses$send_pulses_BANG_.invoke(send_pulses.clj:39)
2024-06-05 13:00:04.909	at metabase.task.send_pulses$send_pulses_BANG_.invokeStatic(send_pulses.clj:46)
2024-06-05 13:00:04.909	at metabase.task.send_pulses$send_pulses_BANG_.invoke(send_pulses.clj:39)
2024-06-05 13:00:04.909	at metabase.task.send_pulses$send_pulses_BANG_.invokeStatic(send_pulses.clj:52)
2024-06-05 13:00:04.909	at metabase.task.send_pulses$send_pulses_BANG_$fn__107593.invoke(send_pulses.clj:53)
2024-06-05 13:00:04.909	at metabase.models.task_history$do_with_task_history.invoke(task_history.clj:91)
2024-06-05 13:00:04.909	at metabase.models.task_history$do_with_task_history.invokeStatic(task_history.clj:96)
2024-06-05 13:00:04.909	at metabase.task.send_pulses$send_pulses_BANG_$fn__107593$fn__107594.invoke(send_pulses.clj:57)
2024-06-05 13:00:04.909	at clojure.lang.RestFn.invoke(RestFn.java:439)
2024-06-05 13:00:04.909	at metabase.pulse$send_pulse_BANG_.doInvoke(pulse.clj:576)
2024-06-05 13:00:04.909	at metabase.pulse$send_pulse_BANG_.invokeStatic(pulse.clj:595)
2024-06-05 13:00:04.909	at metabase.pulse$send_notifications_BANG_.invoke(pulse.clj:567)
2024-06-05 13:00:04.909	at metabase.pulse$send_notifications_BANG_.invokeStatic(pulse.clj:568)
2024-06-05 13:00:04.909	at clojure.core$seq__5467.invoke(core.clj:139)
2024-06-05 13:00:04.909	at clojure.core$seq__5467.invokeStatic(core.clj:139)
2024-06-05 13:00:04.909	at clojure.lang.RT.seq(RT.java:535)
2024-06-05 13:00:04.909	at clojure.lang.LazySeq.seq(LazySeq.java:51)
2024-06-05 13:00:04.909	at clojure.lang.LazySeq.sval(LazySeq.java:42)
2024-06-05 13:00:04.909	at metabase.pulse$parts__GT_notifications$iter__99964__99968$fn__99969.invoke(pulse.clj:513)
2024-06-05 13:00:04.909	at metabase.pulse$parts__GT_notifications$iter__99964__99968$fn__99969$fn__99970.invoke(pulse.clj:515)
2024-06-05 13:00:04.909	at clojure.lang.MultiFn.invoke(MultiFn.java:239)
2024-06-05 13:00:04.909	at metabase.pulse$fn__99889.invoke(pulse.clj:433)
2024-06-05 13:00:04.909	at metabase.pulse$fn__99889.invokeStatic(pulse.clj:444)
2024-06-05 13:00:04.909	at metabase.email.messages$render_pulse_email.invoke(messages.clj:520)
2024-06-05 13:00:04.909	at metabase.email.messages$render_pulse_email.invokeStatic(messages.clj:523)
2024-06-05 13:00:04.909	at metabase.email.messages$render_message_body.invoke(messages.clj:494)
2024-06-05 13:00:04.909	at metabase.email.messages$render_message_body.invokeStatic(messages.clj:496)
2024-06-05 13:00:04.909	at metabase.email.messages$render_message_body$fn__76480.invoke(messages.clj:497)
2024-06-05 13:00:04.909	at clojure.core$mapv.invoke(core.clj:6971)
2024-06-05 13:00:04.909	at clojure.core$mapv.invokeStatic(core.clj:6971)
2024-06-05 13:00:04.909	at clojure.core$reduce.invokeStatic(core.clj:6887)
2024-06-05 13:00:04.909	at clojure.core.protocols$fn__8178$G__8173__8191.invoke(protocols.clj:13)
2024-06-05 13:00:04.909	at clojure.core.protocols$fn__8236.invoke(protocols.clj:75)
2024-06-05 13:00:04.909	at clojure.core.protocols$fn__8236.invokeStatic(protocols.clj:75)
2024-06-05 13:00:04.909	at clojure.core.protocols$seq_reduce.invokeStatic(protocols.clj:31)
2024-06-05 13:00:04.909	at clojure.core.protocols$fn__8204$G__8199__8213.invoke(protocols.clj:19)
2024-06-05 13:00:04.909	at clojure.core.protocols$fn__8249.invoke(protocols.clj:124)
2024-06-05 13:00:04.909	at clojure.core.protocols$fn__8249.invokeStatic(protocols.clj:168)
2024-06-05 13:00:04.909	at clojure.core$mapv$fn__8535.invoke(core.clj:6980)
2024-06-05 13:00:04.909	at metabase.email.messages$render_message_body$fn__76480$fn__76481.invoke(messages.clj:497)
2024-06-05 13:00:04.909	at metabase.email.messages$render_part.invoke(messages.clj:440)
2024-06-05 13:00:04.909	at metabase.email.messages$render_part.invokeStatic(messages.clj:444)
2024-06-05 13:00:04.909	at metabase.pulse.render$fn__75440$render_pulse_section__75445.invoke(render.clj:198)
2024-06-05 13:00:04.909	at metabase.pulse.render$fn__75440$render_pulse_section__75445$fn__75449.invoke(render.clj:201)
2024-06-05 13:00:04.909	at metabase.pulse.render$fn__75440$render_pulse_section__75445$fn__75449$fn__75452.invoke(render.clj:203)
2024-06-05 13:00:04.909	at metabase.pulse.render$fn__75407$render_pulse_card__75412.invoke(render.clj:151)
2024-06-05 13:00:04.908	at metabase.pulse.render$fn__75407$render_pulse_card__75412$fn__75413.invoke(render.clj:169)
2024-06-05 13:00:04.908	at metabase.pulse.render$fn__75367$render_pulse_card_body__75372.invoke(render.clj:130)
2024-06-05 13:00:04.908	at metabase.pulse.render$fn__75367$render_pulse_card_body__75372$fn__75376.invoke(render.clj:140)
2024-06-05 13:00:04.908	at clojure.lang.MultiFn.invoke(MultiFn.java:261)
2024-06-05 13:00:04.908	at metabase.pulse.render.body$fn__74566$render__74554__74571.invoke(body.clj:840)
2024-06-05 13:00:04.908	at metabase.pulse.render.body$fn__74566$render__74554__74571$fn__74572.invoke(body.clj:842)
2024-06-05 13:00:04.908	at metabase.pulse.render.body$lab_image_bundle.invoke(body.clj:798)
2024-06-05 13:00:04.908	at metabase.pulse.render.body$lab_image_bundle.invokeStatic(body.clj:823)
2024-06-05 13:00:04.908	at metabase.pulse.render.js_svg$combo_chart.invoke(js_svg.clj:146)
2024-06-05 13:00:04.908	at metabase.pulse.render.js_svg$combo_chart.invokeStatic(js_svg.clj:154)
2024-06-05 13:00:04.908	at metabase.pulse.render.js_svg$svg_string__GT_bytes.invoke(js_svg.clj:111)
2024-06-05 13:00:04.908	at metabase.pulse.render.js_svg$svg_string__GT_bytes.invokeStatic(js_svg.clj:114)
2024-06-05 13:00:04.908	at metabase.pulse.render.js_svg$parse_svg_string.invoke(js_svg.clj:81)
2024-06-05 13:00:04.908	at metabase.pulse.render.js_svg$parse_svg_string.invokeStatic(js_svg.clj:85)
2024-06-05 13:00:04.908	at org.apache.batik.anim.dom.SAXSVGDocumentFactory.createDocument(SAXSVGDocumentFactory.java:226)
2024-06-05 13:00:04.908	at org.apache.batik.dom.util.SAXDocumentFactory.createDocument(SAXDocumentFactory.java:357)
2024-06-05 13:00:04.908	at org.apache.batik.dom.util.SAXDocumentFactory.createDocument(SAXDocumentFactory.java:459)
2024-06-05 13:00:04.908	org.apache.batik.dom.util.SAXIOException: An invalid XML character (Unicode: 0x1f) was found in the element content of the document.

Information about your Metabase installation

since the beginning

Severity

P2

Additional context

image

@paoliniluis paoliniluis added Type:Bug Product defects Priority:P1 Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness Reporting/Pulses Now called Subscriptions .Backend labels Jun 5, 2024
@cdeweyx cdeweyx added the .Team/DashViz Dashboard and Viz team label Jun 10, 2024
adam-james-v added a commit that referenced this issue Jun 21, 2024
WIP

Fixes: #43677

There are characters that are invalid according to the Batik XML Parser. This sanitizes the svg string to strip out
some of those characters so that the render can continue.
github-automation-metabase pushed a commit that referenced this issue Jun 24, 2024
…n invalid characters are in the SVG content (#44516)

* Add Temporal Units List to Dashboard Parameters Schema

Closes: #44361

This adds an entry to the Dashboard Parameter schema so that we can validate
the list of temporal_units that might be passed from the frontend when adding
or updating the `Unit of Time` type parameters.

* Sanitize the SVG before parsing it with Batik

WIP

Fixes: #43677

There are characters that are invalid according to the Batik XML Parser. This sanitizes the svg string to strip out
some of those characters so that the render can continue.

* Use the xml 1.0 spec allowed unicode chars list for the regex

* Remove accidentally merged code

* still missed a line
github-automation-metabase added a commit that referenced this issue Jun 24, 2024
…n invalid characters are in the SVG content (#44516) (#44646)

* Add Temporal Units List to Dashboard Parameters Schema

Closes: #44361

This adds an entry to the Dashboard Parameter schema so that we can validate
the list of temporal_units that might be passed from the frontend when adding
or updating the `Unit of Time` type parameters.

* Sanitize the SVG before parsing it with Batik

WIP

Fixes: #43677

There are characters that are invalid according to the Batik XML Parser. This sanitizes the svg string to strip out
some of those characters so that the render can continue.

* Use the xml 1.0 spec allowed unicode chars list for the regex

* Remove accidentally merged code

* still missed a line

Co-authored-by: adam-james <21064735+adam-james-v@users.noreply.github.com>
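The fix described in the commit messages above is to strip, before handing the SVG string to Batik, every character that the XML 1.0 specification does not allow. The following is an added illustration of that technique in Python; it is not Metabase's own code (which is Clojure) and its function names, the constructed chart label and the use of Python's bundled `xml.etree` parser as a stand-in for Batik's Xerces parser are assumptions for the example. It also shows why ordinary markup escaping is not enough: `&lt;` and `&amp;` handle `<` and `&`, but a C0 control such as U+001F (the character named in the log) cannot appear in a well-formed XML 1.0 document at all, not even as a character reference, so it has to be removed or replaced.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production (https://www.w3.org/TR/xml/#NT-Char):
#   Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Everything outside these ranges (C0 controls other than TAB/LF/CR, lone
# surrogates, U+FFFE and U+FFFF) is rejected by a conforming XML 1.0 parser.
_INVALID_XML10_CHARS = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def sanitize_svg(svg: str, replacement: str = "") -> str:
    """Remove (or replace) every character outside the XML 1.0 Char production."""
    return _INVALID_XML10_CHARS.sub(replacement, svg)


def escape_text(value: str) -> str:
    """Escape the three characters that matter in XML element content.

    This is the usual defence against injecting markup; it does nothing about
    control characters, which is exactly the gap the sanitizer closes."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_label_svg(label: str) -> str:
    """Constructed stand-in for a chart renderer that puts a query result value
    (an axis label) into an SVG text node."""
    return (
        '<svg xmlns="http://www.w3.org/2000/svg">'
        f'<text x="0" y="10">{escape_text(label)}</text>'
        "</svg>"
    )


def parses_as_xml(svg: str) -> bool:
    """True if a strict XML parser accepts the document (assumed stand-in for Batik)."""
    try:
        ET.fromstring(svg)
        return True
    except ET.ParseError:
        return False


def demo() -> tuple:
    # Constructed label: contains U+001F (the character from the issue's log)
    # plus an astral-plane emoji, which is legal XML and must survive sanitizing.
    label = "total\x1fsales \U0001F4C8"
    raw = build_label_svg(label)
    clean = sanitize_svg(raw)
    return parses_as_xml(raw), parses_as_xml(clean), "\U0001F4C8" in clean


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

Stripping silently alters the data it renders, so a replacement such as U+FFFD may be preferable where the user should see that something was dropped; either way the filter has to run on the finished SVG string, after escaping, because the invalid characters arrive inside the data rather than in the markup.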
@adam-james-v adam-james-v added this to the 0.50.7 milestone Jun 24, 2024
3 participants