Skip to content

sqlpage.link adds percent-encoded double quotes to list parameters. #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ppom0 opened this issue Apr 1, 2025 · 0 comments
Open

sqlpage.link adds percent-encoded double quotes to list parameters. #879

ppom0 opened this issue Apr 1, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@ppom0
Copy link

ppom0 commented Apr 1, 2025
edited
Loading

Introduction

The sqlpage.link function, when passed a list of parameters, serialize the values of the list with their JSON ", which are then percent-encoded.

I think they should not be added to the URL.

To Reproduce

Query this file like this: `/?tags[]=tag_a

select 'debug' component, $tags tags, sqlpage.link('index.sql', json_object('tags', json_insert($tags, '$[#]', 'new_tag'))) link;

Actual behavior

After following these steps, what happened ?
If you saw an error on the command line or inside your page, then paste it here

{"component":"debug","tags":"[\"tag_a\"]","link":"index.sql?tags[]=%22tag%5Fa%22&tags[]=%22new%5Ftag%22"}

Expected behavior

{"component":"debug","tags":"[\"tag_a\"]","link":"index.sql?tags[]=tag%5Fa&tags[]=new%5Ftag"}

Version information

  • Linux
  • SQLite
  • SQLPage Version: main

Additional context

Here's a dirty patch I wrote that indeed fixes the issue in my case:

diff --git i/src/webserver/database/sqlpage_functions/url_parameter_deserializer.rs w/src/webserver/database/sqlpage_functions/url_parameter_deserializer.rs
index 54caa55..6f87427 100644
--- i/src/webserver/database/sqlpage_functions/url_parameter_deserializer.rs
+++ w/src/webserver/database/sqlpage_functions/url_parameter_deserializer.rs
@@ -59,7 +59,7 @@ impl<'de> Deserialize<'de> for URLParameters {
                             out.encode_and_push(&key);
                             out.0.push_str("[]");
                             out.0.push('=');
-                            out.encode_and_push(&val.to_string());
+                            out.encode_and_push(&val.to_string().replace("\"", ""));
                         }
                     } else {
                         out.push_kv(&key, value);

But I suspect a more general solution should be found. Or if only scalars and arrays of scalars are accepted, maybe this is sufficient. I don't know enough about SQLPage internals and assertions to really know.

I'll happily open the PR if you think it's enough, to satisfy my own vanity 😉

Edit: It can be a bit more sophisticated, removing only quotes at the beginning and end of the file, something along:

if val.startswith(") and val.endswith(") then val[1:len-1]
@ppom0 ppom0 added the bug Something isn't working label Apr 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ppom0