Cwe
1
I have a query which is built from URL parameters.
If I send in double quotes, the query ends up being:
field LIKE """"
And you end up with:
500 Internal Server Error
line 1, column 91: AND, OR or EOF expected, encountered. (com.enonic.xp.resource.ResourceProblemException)
Is there an escape/sanitize query function, or perhaps I should just use some native JS function?
Cwe
2
bhj
3
One quick and dirty solution could be to have a regexp with a list of allowed characters, and replace all other characters with space?
// Matches one or more characters that are NOT whitespace, word characters, parentheses, '?' or '!'
var whitelistRegEx = /[^\s\w()?!]+/g;
// Replace every run of disallowed characters (including double quotes) with a single space
exports.whitelist = function(data) {
    return data.replace(whitelistRegEx, ' ');
};
(the code suggestion above was provided by @rfo )
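As an added example (not code from the thread, from Enonic, or from @rfo), the allow-list idea above carried through to a complete query builder: the URL parameter name is mapped through a fixed table of searchable fields, the value is filtered with the same regexp, and a clause is only emitted when something usable remains. The field names `displayName` and `data.body`, the parameter names, and the use of `*` as the LIKE wildcard are assumptions for the example; the `contentLib.query` call in the trailing comment is shown for context only and is not executed.

```javascript
// Added example, not from the original thread. Shows the allow-list filter from
// the reply above used in a full query builder for Enonic XP query strings.

// Same allow-list as the reply: anything outside whitespace, word characters,
// parentheses, '?' and '!' is collapsed to a single space.
var whitelistRegEx = /[^\s\w()?!]+/g;

function whitelist(data) {
  return String(data).replace(whitelistRegEx, ' ');
}

// URL parameter name -> node property searched. The property names here are
// assumptions for the example; the point is that field names never come from
// the request, only values do.
var SEARCHABLE_FIELDS = {
  title: 'displayName',
  body: 'data.body'
};

// Build one `field LIKE "value*"` clause (assuming '*' is the wildcard).
// Returns null for unknown parameter names and for values that are empty
// after sanitising, so the caller skips the clause instead of emitting
// `field LIKE ""`, which is the broken query from the question.
function buildLikeClause(paramName, rawValue) {
  var field = SEARCHABLE_FIELDS[paramName];
  if (!field) {
    return null; // unknown parameter: never interpolate it
  }
  var cleaned = whitelist(rawValue).replace(/\s+/g, ' ').trim();
  if (cleaned.length === 0) {
    return null;
  }
  return field + ' LIKE "' + cleaned + '*"';
}

// Combine the clauses for every recognised parameter into one query string.
function buildQuery(params) {
  var clauses = [];
  Object.keys(params).forEach(function (name) {
    var clause = buildLikeClause(name, params[name]);
    if (clause) {
      clauses.push(clause);
    }
  });
  return clauses.join(' AND ');
}

// Constructed sample input: the lone double quote from the question plus an
// ordinary search term. The quote is dropped entirely, so no `LIKE """"`.
var sampleParams = { title: '"', body: 'hello world' };
console.log(buildQuery(sampleParams));
// In a controller this would feed the query API (not executed here):
//   contentLib.query({ query: buildQuery(req.params), start: 0, count: 10 });
```

Because the regexp excludes `"` and `*`, a value cannot close the string literal or add its own wildcards; whatever survives is matched as plain text inside the single quoted literal the builder writes.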