Re: [pgAdmin4][Patch]: Fixed RM 1603 & RM 1220

On Sat, Oct 15, 2016 at 4:59 AM, Dave Page <dpage@pgadmin.org> wrote:

Hi

On Friday, October 14, 2016, Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

Hi,

Please find the attached patch to fix the below 2 bugs.

RM 1603: [Web Based] Export database failed if object contains double quotes.

RM 1220: Backup database is not working with special characters

The issues which were fixed:

1. Client side data were not unescaped

2. Required command line arguments were quoted twice 

This is not working for me: I tested using Table Export as per Fahar's instructions. As I'm in desktop mode, the first problem was that we get an error at line 210 of import_export/__init__.py, because get_server_directory returned None for the directory. If I fix that, then the job says it's created, but as far as I can see, nothing else happens.

hmm.. 

Secondly, this patch seems to push quoting responsibilty to the front end.

No - that's not the case, we're using _.escape(..) function on the node's label to fix the issue of XSS vulnerability on client side.

Hence - during sending back the data, we're using _.unescape(..) function to return the same data coming sent by the server.

Though - IIRC - we have a original label stored in another variable '_label', which we can use it instead of unescape it again. 

This doesn't seem right, because we might want to use the RESTful APIs for another purpose in the future, which would mean needing to re-implement quoting if something else uses an affected API.

As I explained above, it wont affect the RESTful API.