From 49b139bb75b251b3107cfc6250a510d0ea51dc79 Mon Sep 17 00:00:00 2001
From: Khushboo Vashi
Date: Mon, 12 Oct 2020 16:20:33 +0530
Subject: [PATCH] Added escape and unescape for the strings used in query tool and new connection support. Fixes #5899.
---
 .../static/js/sqleditor/new_connection_dialog.js | 10 +++++-----
 .../tools/datagrid/static/js/datagrid_panel_title.js | 2 +-
 web/pgadmin/tools/sqleditor/static/js/sqleditor.js | 12 ++++++------
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/web/pgadmin/static/js/sqleditor/new_connection_dialog.js b/web/pgadmin/static/js/sqleditor/new_connection_dialog.js
index 13267ab96..dbce9d7b3 100644
--- a/web/pgadmin/static/js/sqleditor/new_connection_dialog.js
+++ b/web/pgadmin/static/js/sqleditor/new_connection_dialog.js
@@ -208,7 +208,7 @@ let NewConnectionDialog = {
 let is_create_connection = true;
- handler.gridView.connection_list.forEach(function(connection_data){
+ handler.gridView.connection_list.forEach(function(connection_data) {
 if(parseInt(connection_data['server']) == newConnCollectionModel['server'] && parseInt(connection_data['database']) == newConnCollectionModel['database'] && connection_data['user'] == newConnCollectionModel['user'] && connection_data['role'] == newConnCollectionModel['role']) {
@@ -225,17 +225,17 @@ let NewConnectionDialog = {
 if(!is_create_connection) {
 let errmsg = 'Connection with this configuration already present.';
 Alertify.info(errmsg);
- }else {
+ } else {
 let connection_details = {
 'server_group': handler.gridView.handler.url_params.sgid,
 'server': newConnCollectionModel['server'],
 'database': newConnCollectionModel['database'],
- 'title': tab_title,
+ 'title': _.escape(tab_title),
 'user': newConnCollectionModel['user'],
 'role': newConnCollectionModel['role'],
 'password': response.password,
- 'server_name': response.server_name,
- 'database_name': selected_database_name,
+ 'server_name': _.escape(response.server_name),
+ 'database_name': _.escape(selected_database_name),
 };
 handler.gridView.on_change_connection(connection_details, self);
 }
diff --git a/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
index e74cbc5eb..b802a40b2 100644
--- a/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
+++ b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
@@ -32,7 +32,7 @@ export function getPanelTitle(pgBrowser, selected_item=null) {
 const db_label = getDatabaseLabel(parentData);
- return `${db_label}/${parentData.server.user.name}@${parentData.server.label}`;
+ return `${db_label}/${_.escape(parentData.server.user.name)}@${parentData.server.label}`;
 }
 export function setQueryToolDockerTitle(panel, is_query_tool, panel_title, is_file) {
diff --git a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
index cb1f8a2f6..058e21a2f 100644
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@@ -246,7 +246,7 @@ define('tools.querytool', [
 },
 set_editor_title: function(title) {
- this.$el.find('.editor-title').text(title);
+ this.$el.find('.editor-title').text(_.unescape(title));
 this.render_connection(this.connection_list);
 },
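Review bot: `connection_details` is HTML-encoded where the record is built rather than where it is rendered, so `title`, `server_name` and `database_name` now travel through `on_change_connection` as entity-encoded strings while `user` and `role` in the same object stay raw. Every consumer then has to know which fields are encoded, and the later hunks in sqleditor.js already decode some of them again. I would keep raw values in the model and escape at each HTML sink; if the encoding has to stay here, add a comment such as `// title, server_name and database_name are HTML-escaped; decode with _.unescape before passing to .text()` and give `user` and `role` the same treatment if they are ever rendered as markup. The enclosing handler starts and ends outside this hunk.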
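Review bot: Only `parentData.server.user.name` is escaped in the returned title; `db_label` and `parentData.server.label` are interpolated into the same string unchanged. Unless both are already encoded upstream (not visible in this hunk), a server label is just as user-chosen as a role name, so the return should treat all three alike, e.g. `` return `${_.escape(db_label)}/${_.escape(parentData.server.user.name)}@${_.escape(parentData.server.label)}`; ``. The diffstat shows this is the only line touched in the file, so it is also worth confirming that `_` is in scope in this ES module, since no import is added.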
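Review bot: `set_editor_title` now decodes its argument, and the caller changed in the `@@ -2158` hunk of this file decodes the same value before passing it in, so the title is unescaped twice on that path. With `.text()` as the sink this is not an injection risk, but a name that legitimately contains entity-like text (for example `&amp;lt;`) is displayed altered. Decode in one place only: keep the `_.unescape` here, call `self.set_editor_title(self.handler.url_params.title);` at the call site, and state in a comment on this method that `title` is expected to arrive HTML-escaped.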
@@ -2158,9 +2158,9 @@ define('tools.querytool', [
 'sid': connection_details['server'],
 'title': connection_details['title'],
 };
- self.set_editor_title(self.handler.url_params.title);
- self.handler.setTitle(self.handler.url_params.title);
- let success_msg = connection_details['server_name'] + '/' + connection_details['database_name']+ '- Database connected';
+ self.set_editor_title(_.unescape(self.handler.url_params.title));
+ self.handler.setTitle(_.unescape(self.handler.url_params.title));
+ let success_msg = connection_details['server_name'] + '/' + connection_details['database_name'] + '- Database connected';
 alertify.success(success_msg);
 if(ref){
 let connection_data = {
@@ -2527,8 +2527,8 @@ define('tools.querytool', [
 'role': null,
 'title': _.unescape(url_params.title),
 'is_allow_new_connection': false,
- 'database_name': url_params.title.split('/')[0],
- 'server_name': url_params.title.split('@')[1],
+ 'database_name': _.unescape(url_params.title.split('/')[0]),
+ 'server_name': _.unescape(url_params.title.split('@')[1]),
 };
 self.gridView.connection_list.unshift(connection_data);
 self.gridView.render_connection(self.gridView.connection_list);
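Review bot: `self.handler.setTitle(_.unescape(...))` hands a decoded title to `setTitle`, whose rendering is not visible here; if it inserts the string as HTML, this undoes the `_.escape(tab_title)` added in new_connection_dialog.js. Please confirm that `setTitle` treats its argument as text, or pass the encoded value instead: `self.handler.setTitle(self.handler.url_params.title);`. `success_msg`, by contrast, is only safe if every producer of `connection_details` encodes `server_name` and `database_name`; a comment above the concatenation, e.g. `// server_name/database_name arrive HTML-escaped from the new-connection dialog`, would keep a future caller from passing raw values to `alertify.success`. The enclosing function starts and ends outside this hunk.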
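Review bot: `database_name` and `server_name` are stored decoded in `connection_list` here, whereas the record built in new_connection_dialog.js carries the same two fields encoded; if those records end up in the same list, as the `connection_data` started at the end of the `@@ -2158` hunk suggests, `render_connection` receives entries in mixed encoding states. Whatever that renderer does (it is outside this hunk) is then wrong for one source: escaping double-encodes the dialog entries, and not escaping renders these as markup. Pick one state for the list (raw values with escaping inside `render_connection` is the easier to reason about) and record it in a comment where `connection_list` is defined. Separately, re-deriving the names with `split('/')[0]` and `split('@')[1]` misparses any name that itself contains `/` or `@`.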