Forum Discussion

Guide

3 years ago

How to escape user input in built liql query

Escaping id with js_string or any other escape mechanism change the semantics of what was asked from the user, while not doing it will cause invalid syntax in queries. Given the input '123' quotes...

FreeMarker

REST API v2 & LiQL

MattV

Khoros Staff

3 years ago

It certainly depends on the type of input you're expecting.

For integers, I recommend something like this

<#assign id = http.request.parameters.name.get("id", "") />
<#attempt>
    <#assign id = id?number />
<#recover>
    <#assign id = 0 />
</#attempt>

And the reason I wrap that in an attempt/recover is because if id isn't a valid number, Freemarker will throw an exception. But we can catch that and set a default.

You can then check, if id == 0, then don't run the rest of your code because something is wrong.

For strings, if you know to expect a certain set of values, I'd verify it's from the expected set of values. If it's an arbitrary value, you can escape it with ?html which will convert most characters to it's HTML-entity equivalent, and should protect you from the most common problems.

Forum Discussion

How to escape user input in built liql query

Related Content

jQuery not adding to input field

Built a service/status tracker status based on tags

How We Built It: Maia

Colons are sometimes escaped...?

How We Built It: Author Stamps

Recent Discussions

Boosting a User

Google Tag Manager and Google Analytics Setup in Aurora platform

In Aurora, add additional <script> and <meta> tags

Incremental data for attachments in messages and replies

Incremental data for users data