diff --git a/docs/en_US/release_notes_4_21.rst b/docs/en_US/release_notes_4_21.rst index b43b66a3e..1e055980c 100644 --- a/docs/en_US/release_notes_4_21.rst +++ b/docs/en_US/release_notes_4_21.rst @@ -69,5 +69,6 @@ Bug fixes | `Issue #5387 `_ - Fixed an issue where the mode is not shown in the properties dialog of functions/procedures if all the arguments are "IN" arguments. | `Issue #5396 `_ - Fixed an issue where the search object module unable to locate the object in the browser tree. | `Issue #5400 `_ - Fixed internal server error when the database server is logged in with non-super user. +| `Issue #5401 `_ - Fixed search object issue when the object name contains special characters. | `Issue #5409 `_ - Fixed validation issue in Synonyms node. | `Issue #5410 `_ - Fixed an issue while removing the package body showing wrong modified SQL. \ No newline at end of file diff --git a/web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js b/web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js index 7a14b3247..fbb381f20 100644 --- a/web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js +++ b/web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js @@ -6,6 +6,7 @@ import 'select2'; import {DialogWrapper} from 'sources/alertify/dialog_wrapper'; import Slick from 'sources/../bundle/slickgrid'; import pgAdmin from 'sources/pgadmin'; +import _ from 'underscore'; export default class SearchObjectsDialogWrapper extends DialogWrapper { @@ -202,7 +203,7 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper { this.searchResult, this.dataview, [ - { id: 'name', name: gettext('Object name'), field: 'name', sortable: true, + { id: 'name', name: gettext('Object name'), field: 'name', sortable: true, width: 50, formatter: (row, cell, value, columnDef, dataContext) => { let ret_el = `${value}`; 
@@ -212,10 +213,9 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper { return ret_el; }, - width: 50, }, { id: 'type', name: gettext('Type'), field: 'type_label', sortable: true, width: 35 }, - { id: 'path', name: gettext('Browser path'), field: 'path', sortable: false }, + { id: 'path', name: gettext('Browser path'), field: 'path', sortable: false, formatter: (row, cell, value) => value }, ], { enableCellNavigation: true, @@ -354,6 +354,12 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper { [datum.path, datum.id_path] = this.translateSearchObjectsPath(datum.path, datum.catalog_level); /* id is required by slickgrid dataview */ datum.id = datum.id_path.join('.'); + + /* Esacpe XSS */ + datum.name = _.escape(datum.name); + datum.path = _.escape(datum.path); + datum.other_info = datum.other_info ? _.escape(datum.other_info) : datum.other_info; + return datum; } diff --git a/web/pgadmin/tools/search_objects/utils.py b/web/pgadmin/tools/search_objects/utils.py index cf858d6e2..a3c3d5ac9 100644 --- a/web/pgadmin/tools/search_objects/utils.py +++ b/web/pgadmin/tools/search_objects/utils.py @@ -102,6 +102,9 @@ class SearchObjectsHelper: show_node_prefs = self.get_show_node_prefs() node_labels = self.get_supported_types(skip_check=True) + # escape the single quote from search text + text = text.replace("'", "''") + # Column catalog_level has values as # N - Not a catalog schema # D - Catalog schema with DB support - pg_catalog diff --git a/web/regression/javascript/search_objects/search_objects_dialog_wrapper_spec.js b/web/regression/javascript/search_objects/search_objects_dialog_wrapper_spec.js index b6b5d2894..7121a2951 100644 --- a/web/regression/javascript/search_objects/search_objects_dialog_wrapper_spec.js +++ b/web/regression/javascript/search_objects/search_objects_dialog_wrapper_spec.js 
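Review bot: The escaping added in the @@ -354 hunk rewrites the data model (`datum.name`, `datum.path` and `datum.other_info` are replaced by their HTML-escaped form) instead of escaping at render time, so every later consumer of those fields — sorting on the `name` column, the `other_info` checks in the name formatter, and any lookup keyed on the object name — now sees `O&#x27;Reilly` rather than `O'Reilly`. The identity formatter added for the `path` column in this hunk (`formatter: (row, cell, value) => value`) appears to exist only to avoid double-escaping, and as far as I know it bypasses SlickGrid's default formatter, which already HTML-escapes cell text; the column is then only safe as long as the pre-escape in the row-transform method (whose start is outside the @@ -354 hunk) is never skipped. I would keep `datum` unescaped, drop the `path` formatter so the default escaping applies, and escape inside the name formatter where the HTML is built, replacing `${value}` with `${_.escape(value)}` and escaping `dataContext.other_info` at the point it is concatenated. The comment `/* Esacpe XSS */` also has a typo; `/* Escape for XSS: these values are rendered as HTML by the grid formatters */` says why it is there.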
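Review bot: `text = text.replace("'", "''")` is hand-rolled SQL quoting of a user-supplied search term, applied before a query whose construction is outside this hunk; it covers only the single-quote case, so a backslash in `text` is still interpreted under non-standard string settings, and if the template matches with `LIKE`/`ILIKE` the `%` and `_` wildcards in the term remain live. The safer change is to pass the term as a bound parameter of the `execute_*` call, or run it through the `qtLiteral` quoting helper that pgAdmin's other templates use, and to add an explicit `ESCAPE` clause if pattern matching is involved. The enclosing method starts outside the hunk, so I cannot see how `text` is interpolated; please confirm which applies.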
@@ -428,6 +428,7 @@ describe('SearchObjectsDialogWrapper', () => { type_label: 'Some types coll', path: ':some.123:/path', show_node: true, + other_info: null, }); expect(data).toEqual({ id: 'obj1/123.obj2/432', @@ -438,6 +439,7 @@ describe('SearchObjectsDialogWrapper', () => { path: 'disp/path', id_path: ['obj1/123', 'obj2/432'], show_node: true, + other_info: null, }); });
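Review bot: The spec changes in both hunks only add `other_info: null` to the fixture and the expected row, which exercises the null branch of the new escaping and nothing else; the behaviour the fix is for — a name or path containing HTML metacharacters — is not asserted anywhere. Add a second fixture with `name: 'a<b&"c'` and expect `name: 'a&lt;b&amp;&quot;c'` in the transformed row (and the same for `path` and a non-empty `other_info`), so a later refactor that drops the escaping fails a test. The `describe` block containing these cases starts and ends outside the hunks.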