fix: always escape string attributes #15374
Merged
ephys added the breaking change label (For issues and PRs. Changes that break compatibility and require a major version increment.) Dec 2, 2022
ephys changed the title from "fix: always escape non-literal attributes" to "fix: always escape attributes (unless using `literal`, or `col`)" Dec 2, 2022
ephys changed the title from "fix: always escape attributes (unless using `literal`, or `col`)" to "fix: always escape string attributes" Dec 2, 2022
WikiRik reviewed Dec 2, 2022
WikiRik previously approved these changes Dec 2, 2022
Small comment, but great work! Also a bit weird to see that one of our deprecations is really removed now
WikiRik approved these changes Dec 2, 2022
Pull Request Checklist
Description Of Change
This removes a security vulnerability we have where attributes would not be escaped if they included `(` and `)`, or were equal to `*`, and were split if they included the character.
Users must always use `literal` or `col` to inline something without escaping.
The special syntax is still available when using `col`. We'll need to provide something like `identifier()` that only escapes, and thoroughly document `col`.
The following
used to return this:
now it returns this:
The previous behavior can be restored by writing this instead:
This is also the case for the "returning" option. The following, which previously was equivalent to `returning: true`, now only returns the column `"*"`.
If you want to return `*`, do this instead:
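Added example, not part of the pull request and not Sequelize's code: a minimal model of the behaviour the description states, with the old parenthesis/`*` heuristic beside always-escape rendering. The helper names (`legacyAttribute`, `strictAttribute`, `quoteIdentifier`, `selectList`), the stand-in `literal` wrapper and the double-quote identifier style are assumptions made for the illustration.

```javascript
// Illustrative model only: hypothetical helpers, NOT Sequelize's implementation.

// Explicit opt-out marker, standing in for the `literal` wrapper named in the description.
class Literal {
  constructor(sql) { this.sql = sql; }
}
const literal = (sql) => new Literal(sql);

// Quote one identifier (assumed double-quote style): wrap it and double embedded quotes.
function quoteIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Pre-fix behaviour as described: a plain string is inlined unescaped when it
// contains "(" and ")" or equals "*", so the string's content decides its own trust.
function legacyAttribute(attr) {
  if (attr instanceof Literal) return attr.sql;
  if (attr === '*' || (attr.includes('(') && attr.includes(')'))) return attr;
  return quoteIdentifier(attr);
}

// Post-fix behaviour as described: every string is escaped as an identifier;
// only a value the developer wrapped explicitly is inlined.
function strictAttribute(attr) {
  if (attr instanceof Literal) return attr.sql;
  return quoteIdentifier(attr);
}

// Render a SELECT column list with the chosen attribute renderer.
function selectList(attributes, render) {
  return attributes.map(render).join(', ');
}

// Constructed input: the second entry stands in for a value taken from a request.
const requested = ['id', 'upper(name)', '*'];

console.log(selectList(requested, legacyAttribute)); // expression and * inlined as SQL
console.log(selectList(requested, strictAttribute)); // every entry treated as a column name
console.log(selectList(['id', literal('upper(name)')], strictAttribute)); // explicit opt-in
```

With the strict renderer a request-supplied string can only ever name a column; raw SQL appears in the output only where the developer's own code wrapped it.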