Results containing opening bracket (<) are not displayed #755

Closed
Xangis opened this issue Jan 12, 2016 · 7 comments
@Xangis (Contributor) commented Jan 12, 2016

I have this query:

SELECT keywords from recent_searches;

Some of these contain HTML tags or quotes. Like so (output from postgres console):

```
 keywords

10916<span
11576<span
12739<span
1506'-'1
21666<span
29002<span
30328<span
32710<span
44035<span
04289+and+1=(select+0)--+-
04289+and+1=(select+1)--+-
62244<span
93201<span
```

(ok markdown chokes a bit on that... I'm not sure how to convey it better)

In the Redash query results, the "keywords" field shows up as blank for those items (which were search log entries from bots trying to perform SQL injection attacks). Every item listed above shows up as blank. Which is better than breaking something, but if that data can be escaped cleanly and displayed it would be an improvement.

@arikfr (Member) commented Jan 14, 2016

It's probably a matter of configuring the sanitization. Can you share the query results via CSV, so it's easier to debug?

Thanks.

@Xangis (Contributor, Author) commented Jan 16, 2016

redash_results.txt

Each of the lines in the file shows up as blank in the table view of the query.

Thank you.

@subodh-malgonde commented

This still seems to be an issue. Not just HTML but even strings like `Hi <user>` are shown as blank.

@matangover commented

Experiencing the same thing. To reproduce, create a new query on re:dash, and type in the following query:

```sql
select '<Hello>' as test;
```

Expected to see `<Hello>` in the output table, but the cell is empty. In the Inspector there are some JavaScript errors that refer to parsing errors in the sanitizer.

@matangover commented

@arikfr are we doing something wrong? Is there a way to configure the sanitization?

@arikfr (Member) commented Jan 3, 2017

@matangover nope, nothing wrong, but for now you will have to escape the angular brackets:

```sql
select '&lt;Hello&gt;' as test;

-- OR:

select replace(replace('<Hello>', '<', '&lt;'), '>', '&gt;') as test;
```

@arikfr changed the title from "Query Tool Does Not Handle Fields Containing HTML Well" to "Results containing opening bracket (<) are not displayed" on Jan 17, 2017

@arikfr (Member) commented Dec 2, 2018

In new releases, to avoid having this issue all the user needs to do is to uncheck the "Allow HTML content" setting for the column.
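Added example, not Redash's own code: a client-side escaping routine that achieves what the SQL `replace()` workaround and the "Allow HTML content" column setting above are for, rendering result cells as literal text so values like `10916<span` show up instead of disappearing into the sanitizer. The sample rows are constructed from the values reported in this thread; `renderTable` and `sqlStyleEscape` are hypothetical helpers written for this illustration.

```javascript
// Added example, not Redash's code: render query-result cells as literal text
// (the effect of turning off "Allow HTML content") by escaping on the client
// instead of in the SQL. Also shows why the SQL replace() workaround is partial.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can start markup or an entity in one pass, so
// '&' is covered and text that already contains "&lt;" stays a literal.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The thread's workaround, replace(replace(v,'<','&lt;'),'>','&gt;'), reproduced
// here for comparison: it leaves '&' alone, so a stored "a&lt;b" is displayed as "a<b".
function sqlStyleEscape(value) {
  return String(value).split('<').join('&lt;').split('>').join('&gt;');
}

// Build a table from a result set; nothing in the data can become a tag.
function renderTable(columns, rows) {
  const head = columns.map((c) => `<th>${escapeHtml(c)}</th>`).join('');
  const body = rows
    .map((r) => `<tr>${columns.map((c) => `<td>${escapeHtml(r[c])}</td>`).join('')}</tr>`)
    .join('');
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// Constructed rows using the kinds of values reported in the issue.
const sampleRows = [
  { keywords: '10916<span' },
  { keywords: "1506'-'1" },
  { keywords: '04289+and+1=(select+0)--+-' },
  { keywords: '<Hello>' },
  { keywords: 'a&lt;b' },
];

function renderSample() {
  return renderTable(['keywords'], sampleRows);
}

console.log(renderSample());
```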
