API Escaping Single Quote When Assigned_User Key is Used in Request Body #11805
Comments
|
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can. |
|
The data in the database is likely not escaped - we escape on the way out, to prevent XSS attacks. |
|
I did notice that there is escaped data on the way out during some other calls and have worked around that. Unfortunately, that's not it in this case. In this case the data really is modified in the database; please see below
|
|
This is still an issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Debug mode
Describe the bug
When making a POST request via the API on the hardware endpoint, and a single quote (') is in the name of the asset, this single quote sometimes (but not always) appears as &# 039; in the created asset name. This escaped character does not happen if the request body contains only the keys asset-tag, status_id, model_id, and name. It does happen though if the assigned_user key is in the request body.
Reproduction steps
Expected behavior
Data should be entered into the database as it is submitted to the API.
Screenshots
Snipe-IT Version
v6.0.9 - build 8515
Operating System
ubuntu
Web Server
Apache
PHP Version
PHP 8.1.2
Operating System
N/A: Postman and PowerShell Invoke-WebRequest
Browser
N/A: Postman and PowerShell Invoke-WebRequest
Version
N/A: Postman and PowerShell Invoke-WebRequest
Device
N/A: Postman and PowerShell Invoke-WebRequest
Operating System
N/A: Postman and PowerShell Invoke-WebRequest
Browser
N/A: Postman and PowerShell Invoke-WebRequest
Version
N/A: Postman and PowerShell Invoke-WebRequest
Error messages
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: