
strings in the output of highlight function with html: true maybe malformed #90

Closed
SidneyTTW opened this issue Jan 13, 2023 · 3 comments · Fixed by #91

@SidneyTTW

Describe the bug
Strings in the output of the highlight function with html: true may be malformed when the SQL query contains special characters in a hardcoded string.
It seems that the special characters should be escaped in the output.

To Reproduce
Steps to reproduce the behavior:

  • Use code below
    const { highlight } = require('sql-highlight')
    let sqlString = "select * from a where b = 'array<map<string,string>>';"
    let highlighted = highlight(sqlString, { html: true })
    console.log(highlighted)
  • And execute it with nodejs

Actual behavior

  • It prints
    <span class="sql-hl-keyword">select</span> <span class="sql-hl-special">*</span> <span class="sql-hl-keyword">from</span> a <span class="sql-hl-keyword">where</span> b <span class="sql-hl-special">=</span> <span class="sql-hl-string">'array<map<string,string>>'</span><span class="sql-hl-special">;</span>
  • And if I try to put the 'array<map<string,string>>' into html
    The browser will treat it as
    image
    And user will see
    image

Expected behavior

  • It prints
    <span class="sql-hl-keyword">select</span> <span class="sql-hl-special">*</span> <span class="sql-hl-keyword">from</span> a <span class="sql-hl-keyword">where</span> b <span class="sql-hl-special">=</span> <span class="sql-hl-string">'array&ltmap&ltstring,string&gt&gt'</span><span class="sql-hl-special">;</span>
  • And if I put the 'array&ltmap&ltstring,string&gt&gt' into html
    The browser will treat it as
    image
    And user will see
    image

Node.js (please complete the following information):

  • Version v16.17.1

Browser (please complete the following information):

  • OS: MacOS
  • Browser Chrome
  • Version 108.0.5359.124
scriptcoded added a commit that referenced this issue Jan 13, 2023
Escape HTML entities within generated HTML tags.

Add option to allow user to provide custom escaper. Could be used to
disable escaping completely.

While this is considered a bug the solution requires a feature
implementation to integrate nicely, hence the feat and not fix label.

Refs: #90
@scriptcoded
Owner

scriptcoded commented Jan 13, 2023

Thank you for reporting this! I agree that escaping should be considered expected behavior.

I've added basic HTML entity escaping in v4.3.0 which is now live on NPM. It uses a basic escaper based on escape-html. This can be configured using options.

I opted to escape quotes on top of brackets and ampersands as you suggested in your issue.

Please verify that this fix resolves your issue.

Have a nice weekend!
Malcolm
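
The escaping step described in the comment above, shown on the string literal from the report. This is an added example, not code from sql-highlight or from anyone in this thread. `escapeHtml`, `wrapToken` and `unexpectedTags` are hypothetical names, and the entity set (brackets, ampersand, both quotes) is taken from the comment's description.

```javascript
// Added example; not sql-highlight's source. All function names are hypothetical.

// Characters named in the maintainer's comment: brackets, ampersands, quotes.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }

function escapeHtml (text) {
  // Single pass, so an '&' produced by one replacement is never re-escaped.
  return String(text).replace(/[&<>"']/g, ch => ENTITIES[ch])
}

// Wrap one already-classified token in a highlight span.
// `escaper` stands in for a configurable escaper; passing the identity
// function reproduces the pre-fix behaviour shown in the report.
function wrapToken (kind, content, escaper = escapeHtml) {
  return `<span class="sql-hl-${kind}">${escaper(content)}</span>`
}

// Regression check for generated markup: return every tag that is not one of
// the highlighter's own <span class="sql-hl-..."> / </span> wrappers.
function unexpectedTags (html) {
  const tags = html.match(/<[^>]*>/g) || []
  return tags.filter(t => t !== '</span>' && !/^<span class="sql-hl-[a-z]+">$/.test(t))
}

// String-literal token from the report (constructed input, quotes included).
const literal = "'array<map<string,string>>'"

const before = wrapToken('string', literal, s => s) // no escaping
const after = wrapToken('string', literal)          // default escaper

console.log(before)
console.log('unexpected tags before:', unexpectedTags(before))
console.log(after)
console.log('unexpected tags after:', unexpectedTags(after))
```

Any page that inserts the highlighter's output as HTML parses the literal's contents as markup when they are not escaped, so a check like `unexpectedTags` is worth keeping in the consuming application's tests as well.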

@SidneyTTW
Author

Looks great. Thanks for the quick response!

@scriptcoded
Owner

P.S. to anyone interested, explanation for why this is a minor release and not a patch can be found in 672fc9c
