fix(#9480): apply proper quote escapes for the datum access expression #9479
Conversation
Can you link to the issue?
Done! (edited the PR description)
If you say "fixes" or "closes" before it, GitHub will link it and auto close the issue when the pull request is merged.
src/util.ts
@@ -297,6 +297,10 @@ function escapePathAccess(string: string) { | |||
return string.replace(/(\[|\]|\.|'|")/g, '\\$1'); | |||
} | |||
|
|||
export function escapeSingleQuotes(value: string) { |
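Review bot: a helper that, going by its name, escapes only single quotes is not enough to make a value safe inside a '...' string literal: a backslash at the end of the value combines with the added \' into \\', which closes the literal early and reopens the quoting problem this PR is fixing. Escape backslashes first and then the quote, or extend escapePathAccess just above it rather than adding a second escape utility.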
It seems like a code smell that we need to add a new escapeSingleQuotes utility method.
Shouldn't we already have another escape utility in other places? (Also, shouldn't the escape handle all characters that need escaping, not just "single quotes"?)
I tried other utility functions to re-escape the field name but could not find a good one. Maybe I will try to find again and ping you if I can't find.
There may be some similar logic in Vega (utils).
Ended up creating a more generic function, accessWithDatumToUnescapedPath, to solve this (datum['${field}'], datum["${field}"]) case.
accessWithDatumToUnescapedPath takes an un-escaped string to build the datum-access expression, where it only escapes the single quotes, as datum['${}'] uses the single quotes.
@@ -556,7 +559,7 @@ function errorBarAggregationAndCalculation< | |||
for (const postAggregateCalculate of postAggregateCalculates) { | |||
tooltipSummary.push({ | |||
fieldPrefix: postAggregateCalculate.as.substring(0, 6), | |||
titlePrefix: replaceAll(replaceAll(postAggregateCalculate.calculate, 'datum["', ''), '"]', '') | |||
titlePrefix: replaceAll(replaceAll(postAggregateCalculate.calculate, "datum['", ''), "']", '') |
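Review bot: deriving titlePrefix by stripping "datum['" and "']" back out of the calculate string round-trips through an escaped expression, so a field name that contains a single quote keeps its \' escape in the tooltip title, and the prefix silently breaks whenever the accessor format changes again, as this very hunk demonstrates. Keep the unescaped field name on postAggregateCalculate next to calculate and use it directly instead of parsing it out of the expression.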
do we use accessWithDatumToUnescapedPath here?
Yes.
- The existing logic peels off datum[" and "] from the calculate to create a prefix. E.g., datum["yh"] -> yh.
- I replaced the double quote datum expression with accessWithDatumToUnescapedPath using the single quote.
- To keep the existing logic, I changed the code to peel off datum[' and '].
Approving provided that you have sufficiently addressed @domoritz's concern.
(I haven't checked if you do, but at least you have sufficiently addressed mine.)
PR Description
Problem
The expression like
which is vulnerable when str has double quotes, such as 'hello, "world"'.
The expression with single quotes is the same
which is vulnerable when str has single quotes, such as "Vega's Favorite".
Solution
This PR fixes the existing datum access expression to have a proper quote escape by calling accessWithDatumToUnescapedPath.
It fixes the issue of timeunit band position transforms which don't escape the field name correctly.
#9480
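The quoting problem described in this PR, as an added example that is not vega-lite code: a naive datum accessor built by string interpolation beside one that escapes the field name for a single-quoted literal, checked against field names containing both kinds of quote and a backslash. The helper names (naiveDatumAccess, escapeForSingleQuotedLiteral, datumAccess, evalAccess) are hypothetical, and evalAccess assumes the accessor follows JavaScript string-literal rules.

```typescript
// Added example (not vega-lite code). Builds a datum accessor from a field
// name that the author of the spec controls. Helper names are hypothetical.

// Naive builder: breaks as soon as the field name contains a double quote,
// e.g. 'hello, "world"' becomes datum["hello, "world""].
function naiveDatumAccess(field: string): string {
  return `datum["${field}"]`;
}

// Escape a value for use inside a single-quoted string literal. Backslashes
// are escaped first: otherwise a field name ending in a backslash would
// swallow the added \' and terminate the literal early.
function escapeForSingleQuotedLiteral(value: string): string {
  return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Hardened builder, in the spirit of the PR's accessWithDatumToUnescapedPath:
// takes the unescaped field name and emits datum['...'] with escapes applied.
function datumAccess(field: string): string {
  return `datum['${escapeForSingleQuotedLiteral(field)}']`;
}

// Evaluate an accessor expression against a datum using JavaScript
// string-literal rules (assumption: same quoting rules as the expression
// language). Returns undefined when the expression does not even parse,
// i.e. when the field name broke out of the literal.
function evalAccess(expr: string, datum: Record<string, unknown>): unknown {
  try {
    return new Function('datum', `return ${expr};`)(datum);
  } catch {
    return undefined;
  }
}

// Constructed sample datum with the two field names from the PR description
// plus one containing a backslash.
const sampleDatum: Record<string, unknown> = {
  'hello, "world"': 1,
  "Vega's Favorite": 2,
  'back\\slash': 3,
};

console.log(evalAccess(naiveDatumAccess('hello, "world"'), sampleDatum)); // undefined
console.log(evalAccess(datumAccess('hello, "world"'), sampleDatum));      // 1
console.log(evalAccess(datumAccess("Vega's Favorite"), sampleDatum));     // 2
console.log(evalAccess(datumAccess('back\\slash'), sampleDatum));         // 3
```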