Fixed search object issue when the object name contains special characters. Fixes #5401

docs/en_US/release_notes_4_21.rst

@@ -69,5 +69,6 @@ Bug fixes
 | `Issue #5387 <https://redmine.postgresql.org/issues/5387>`_ -  Fixed an issue where the mode is not shown in the properties dialog of functions/procedures if all the arguments are "IN" arguments.
 | `Issue #5396 <https://redmine.postgresql.org/issues/5396>`_ -  Fixed an issue where the search object module unable to locate the object in the browser tree.
 | `Issue #5400 <https://redmine.postgresql.org/issues/5400>`_ -  Fixed internal server error when the database server is logged in with non-super user.
+| `Issue #5401 <https://redmine.postgresql.org/issues/5401>`_ -  Fixed search object issue when the object name contains special characters.
 | `Issue #5409 <https://redmine.postgresql.org/issues/5409>`_ -  Fixed validation issue in Synonyms node.
 | `Issue #5410 <https://redmine.postgresql.org/issues/5410>`_ -  Fixed an issue while removing the package body showing wrong modified SQL.

web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js

@@ -6,6 +6,7 @@ import 'select2';
 import {DialogWrapper} from 'sources/alertify/dialog_wrapper';
 import Slick from 'sources/../bundle/slickgrid';
 import pgAdmin from 'sources/pgadmin';
+import _ from 'underscore';
 
 
 export default class SearchObjectsDialogWrapper extends DialogWrapper {
@@ -202,7 +203,7 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper {
       this.searchResult,
       this.dataview,
       [
-        { id: 'name', name: gettext('Object name'), field: 'name', sortable: true,
+        { id: 'name', name: gettext('Object name'), field: 'name', sortable: true, width: 50,
           formatter: (row, cell, value, columnDef, dataContext) => {
             let ret_el = `<i class='wcTabIcon ${dataContext.icon}'></i>${value}`;
 
@@ -212,10 +213,9 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper {
 
             return ret_el;
           },
-          width: 50,
         },
         { id: 'type', name: gettext('Type'), field: 'type_label', sortable: true, width: 35 },
-        { id: 'path', name: gettext('Browser path'), field: 'path', sortable: false },
+        { id: 'path', name: gettext('Browser path'), field: 'path', sortable: false, formatter: (row, cell, value) => value },
       ],
       {
         enableCellNavigation: true,
@@ -354,6 +354,12 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper {
     [datum.path, datum.id_path] = this.translateSearchObjectsPath(datum.path, datum.catalog_level);
     /* id is required by slickgrid dataview */
     datum.id = datum.id_path.join('.');
+
+    /* Esacpe XSS */
+    datum.name = _.escape(datum.name);
+    datum.path = _.escape(datum.path);
+    datum.other_info = datum.other_info ? _.escape(datum.other_info) : datum.other_info;
+
     return datum;
   }
 

web/pgadmin/tools/search_objects/utils.py

@@ -102,6 +102,9 @@ class SearchObjectsHelper:
 
         show_node_prefs = self.get_show_node_prefs()
         node_labels = self.get_supported_types(skip_check=True)
+        # escape the single quote from search text
+        text = text.replace("'", "''")
+
         # Column catalog_level has values as
         # N - Not a catalog schema
         # D - Catalog schema with DB support - pg_catalog

web/regression/javascript/search_objects/search_objects_dialog_wrapper_spec.js

@@ -428,6 +428,7 @@ describe('SearchObjectsDialogWrapper', () => {
         type_label: 'Some types coll',
         path: ':some.123:/path',
         show_node: true,
+        other_info: null,
       });
       expect(data).toEqual({
         id: 'obj1/123.obj2/432',
@@ -438,6 +439,7 @@ describe('SearchObjectsDialogWrapper', () => {
         path: 'disp/path',
         id_path: ['obj1/123', 'obj2/432'],
         show_node: true,
+        other_info: null,
       });
     });