crowdmap-basic
Data isn't saved if user input contains quotes
Discovered this with some feedback from a fork of this. From https://github.com/mentalhealthawhereness/map/issues/1
I tried inserting a note that read
I'm here...
and the console revealed an error message:
`POST https://anditabinas.carto.com/api/v2/sql 400 (Bad Request)`
`(index):206 Problem saving the data`
The SQL that is being generated here is something like `SELECT insert_data('I'm here');`. The issue is that the SQL string passed to the Carto SQL API is generated by simple string manipulation: https://github.com/mentalhealthawhereness/map/blob/master/index.html#L199-210
A simple fix would be to replace any single quote with the PostgreSQL-friendly doubled single quote:
`SELECT insert_data('I''m here');`
(see the example below) but I wonder if there's a... better way of solving more cases of user input that could break this. So I asked on StackOverflow.
`sanitized_input = user_input.replace("'", "''")`
Single quotes work, saves successfully.
Not super certain what to do about double quotes (did not save).
`JSON.stringify()` fixes double quotes.
Dunno how to handle double single-quotes though.
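As an added example (not code from the crowdmap-basic or map projects), here is the string-concatenation pattern from the issue next to a version that quotes the note as a PostgreSQL string literal before it goes into the Carto SQL API `q` parameter; `insert_data` is the function name from the issue, and the sample notes are constructed. Doubling every single quote also covers the "double single-quotes" case (`it''s` becomes `it''''s` in the literal and round-trips to `it''s`), while double quotes need no escaping inside a single-quoted literal.

```javascript
// Vulnerable pattern described in the issue: raw concatenation. Any single
// quote in the note terminates the literal, so the statement is no longer
// the one the page intended to send.
function buildInsertSqlUnsafe(note) {
  return "SELECT insert_data('" + note + "')";
}

// Quote a JavaScript string as a PostgreSQL single-quoted literal.
// Inside '...' only the single quote is special (written as '');
// double quotes, newlines and backslashes are literal characters when
// standard_conforming_strings is on (the PostgreSQL default).
// A text value cannot contain a NUL byte, so reject that up front.
function quotePgLiteral(value) {
  const s = String(value);
  if (s.includes("\u0000")) {
    throw new Error("NUL byte not allowed in a PostgreSQL text value");
  }
  return "'" + s.replace(/'/g, "''") + "'";
}

// Hardened builder: the note can only ever be the content of one literal.
function buildInsertSql(note) {
  return "SELECT insert_data(" + quotePgLiteral(note) + ")";
}

// Transport encoding is a separate layer: the finished SQL is URL-encoded
// for the form body. Encoding here does not replace the SQL quoting above.
function buildRequestBody(note) {
  return "q=" + encodeURIComponent(buildInsertSql(note));
}

// Side-by-side view over the inputs discussed in the issue (constructed).
function demo() {
  const samples = ["I'm here...", 'say "hi"', "it''s", "a\\b"];
  return samples.map((n) => ({
    note: n,
    unsafe: buildInsertSqlUnsafe(n),
    safe: buildInsertSql(n),
  }));
}
```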