crowdmap-basic icon indicating copy to clipboard operation
crowdmap-basic copied to clipboard

Published 20 hours ago verified publisher icon radumas

Data isn't saved if user input contains quotes

Open radumas opened this issue 4 years ago • 2 comments

Discovered this with some feedback from a fork of this. From https://github.com/mentalhealthawhereness/map/issues/1

I tried inserting a note that read I'm here... and the console revealed an error message

POST https://anditabinas.carto.com/api/v2/sql 400 (Bad Request)
(index):206 Problem saving the data

The sql that is being generated here is something like `SELECT insert_data('I'm here');' The issue is in where the sql string to get passed to the Carto sql API is being generated by simple string manipulation https://github.com/mentalhealthawhereness/map/blob/master/index.html#L199-210

A simple fix would be to replace any single-quote with the Postgresql-friendly doubled single quote SELECT insert_data('I''m here'); (see ex below) but I wonder if there's a.... better way of solving more cases of user-input that could break this. So I asked on StackOverflow

sanitized_input = user_input.replace("'", "''")

radumas avatar Sep 30 '19 02:09 radumas

Single quotes works, saves successfully. image

Not super certain what to do about double quotes (did not save)

Screenshot 2019-10-07 at 22 04 20

radumas avatar Oct 08 '19 02:10 radumas

JSON.stringify() fixes double-quotes. Dunno how to handle double single-quotes though

radumas avatar Oct 08 '19 02:10 radumas