| Summary: | JSAPI: javascript error when DATA statement contains ' | | |
|---|---|---|---|
| Product: | Chameleon | Reporter: | Bart van den Eijnden <bartvde@osgis.nl> |
| Component: | Widget | Assignee: | Bart van den Eijnden <bartvde@osgis.nl> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 2.0 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Windows 2000 | | |
| Whiteboard: | | | |
Ouch! Sounds scary to see that SQL statements are exposed to the JSAPI... even just exposing the DATA statement seems dangerous to me. I know it's possible to set DATA via the mapserv CGI and I'm not in favour of that either, but at least I think it's been made very restrictive to prevent security issues. I think I made that comment before but couldn't track the bug where I made it.
Daniel, I do agree with you that the DATA statements shouldn't be transferred to the client app. Previously also the CONNECTION was transferred if I recall correctly. I don't see any current use of DATA in the Chameleon code but I could be overseeing something. Paul, is it actually used? Anyway, for the quick fix, adding an addslashes solves the problem:

```php
$szLayerInfo .= "aLayerdata[" . $i . "] = '" . addslashes($poLayer->data) . "';\n";
```

Bart
Bart, I don't think DATA should be in the output. If you have a fix for this, please apply it to cvs.
I will take care of this today.
Okay, this required changes to:

- cwcjsapi.widget.php
- cwcjsapi.js

I removed the DATA part. Fixed in both 2.0 and 2.2.

- 2.2: revision 1.6 of cwcjsapi.widget.php; cwcjsapi.js: revision 1.66
- 2.0: revision 1.5.2.1 of cwcjsapi.widget.php; cwcjsapi.js: revision 1.64.2.1
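The following is an added illustration, not code from Chameleon or from the reporters, of why the quoted `'` broke the generated JavaScript, why the `addslashes()` quick fix proposed above is only partial, and what a correct string encoding looks like. The sample DATA value is constructed; the final fix committed to cvs removed DATA from the client output entirely, which also avoids exposing server-side SQL to the browser.

```php
<?php
// Added example (not Chameleon's own code): three ways of emitting a PHP
// string into a generated JavaScript assignment like the one in
// cwcjsapi.widget.php. The sample DATA value is constructed; it contains
// the single quote that triggered this bug plus a line break.
$sampleData = "the_geom FROM roads WHERE name = 'Main St'\nAND active = 1";

// 1. Original behaviour: the value is interpolated raw into a '...' literal.
//    The embedded ' terminates the JS string early, so the client reports a
//    JavaScript syntax error for this layer.
function emitRaw(int $i, string $data): string
{
    return "aLayerdata[" . $i . "] = '" . $data . "';\n";
}

// 2. The addslashes() quick fix: it escapes ' " \ and NUL, so the quote no
//    longer breaks the literal. It does NOT escape line breaks, so a DATA
//    value containing a newline still produces an unterminated JS string.
function emitAddslashes(int $i, string $data): string
{
    return "aLayerdata[" . $i . "] = '" . addslashes($data) . "';\n";
}

// 3. json_encode() emits a valid JS string literal: it escapes quotes,
//    backslashes and control characters (the newline becomes \n) and, by
//    default, '/' as '\/', so a value containing </script> cannot close the
//    surrounding script element. It returns false on invalid UTF-8, which a
//    caller should treat as an error rather than emit.
function emitJsonEncode(int $i, string $data): string
{
    $encoded = json_encode($data);
    if ($encoded === false) {
        throw new RuntimeException('DATA is not valid UTF-8: ' . json_last_error_msg());
    }
    return "aLayerdata[" . $i . "] = " . $encoded . ";\n";
}

echo emitRaw(0, $sampleData);         // broken: quote ends the literal early
echo emitAddslashes(0, $sampleData);  // quote fixed, newline still breaks it
echo emitJsonEncode(0, $sampleData);  // valid JavaScript string literal
```

Run with `php example.php` and paste each output line into a browser console to see which ones parse; only the third survives both the quote and the line break.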