Fixed search object issue when the object name contains special characters. Fixes #5401

2025-02-25 18:55:31 -06:00 · 2020-04-20 18:40:40 +05:30
parent 7361470b64
commit dc4571a3c8
4 changed files with 15 additions and 3 deletions
--- a/web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js
+++ b/web/pgadmin/tools/search_objects/static/js/search_objects_dialog_wrapper.js
@@ -6,6 +6,7 @@ import 'select2';
 import {DialogWrapper} from 'sources/alertify/dialog_wrapper';
 import Slick from 'sources/../bundle/slickgrid';
 import pgAdmin from 'sources/pgadmin';
+import _ from 'underscore';


 export default class SearchObjectsDialogWrapper extends DialogWrapper {
@@ -202,7 +203,7 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper {
      this.searchResult,
      this.dataview,
      [
-        { id: 'name', name: gettext('Object name'), field: 'name', sortable: true,
+        { id: 'name', name: gettext('Object name'), field: 'name', sortable: true, width: 50,
          formatter: (row, cell, value, columnDef, dataContext) => {
            let ret_el = `<i class='wcTabIcon ${dataContext.icon}'></i>${value}`;

@@ -212,10 +213,9 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper {

            return ret_el;
          },
-          width: 50,
        },
        { id: 'type', name: gettext('Type'), field: 'type_label', sortable: true, width: 35 },
-        { id: 'path', name: gettext('Browser path'), field: 'path', sortable: false },
+        { id: 'path', name: gettext('Browser path'), field: 'path', sortable: false, formatter: (row, cell, value) => value },
      ],
      {
        enableCellNavigation: true,
@@ -354,6 +354,12 @@ export default class SearchObjectsDialogWrapper extends DialogWrapper {
    [datum.path, datum.id_path] = this.translateSearchObjectsPath(datum.path, datum.catalog_level);
    /* id is required by slickgrid dataview */
    datum.id = datum.id_path.join('.');
+
+    /* Esacpe XSS */
+    datum.name = _.escape(datum.name);
+    datum.path = _.escape(datum.path);
+    datum.other_info = datum.other_info ? _.escape(datum.other_info) : datum.other_info;
+
    return datum;
  }

--- a/web/pgadmin/tools/search_objects/utils.py
+++ b/web/pgadmin/tools/search_objects/utils.py
@@ -102,6 +102,9 @@ class SearchObjectsHelper:

        show_node_prefs = self.get_show_node_prefs()
        node_labels = self.get_supported_types(skip_check=True)
+        # escape the single quote from search text
+        text = text.replace("'", "''")
+
        # Column catalog_level has values as
        # N - Not a catalog schema
        # D - Catalog schema with DB support - pg_catalog