feat(ag-grid): add SQLGlot-based SQL escaping for where and having filter clauses (#36136)

amaannawab923
2025-11-25 13:05:40 +05:30
committed by GitHub
parent ab8352ee66
commit 186693b840
6 changed files with 402 additions and 6 deletions


@@ -50,6 +50,11 @@ const NUMBER_FILTER_OPERATORS: Record<string, string> = {
greaterThanOrEqual: '>=',
};
/** Escapes single quotes in SQL strings: O'Hara → O''Hara */
function escapeStringValue(value: string): string {
return value.replace(/'/g, "''");
}
function getTextComparator(type: string, value: string): string {
if (type === 'contains' || type === 'notContains') {
return `%${value}%`;
@@ -134,10 +139,12 @@ function convertFilterToSQL(
if (filter.filterType === 'text' && filter.filter && filter.type) {
const op = TEXT_FILTER_OPERATORS[filter.type];
const val = getTextComparator(filter.type, String(filter.filter));
const escapedFilter = escapeStringValue(String(filter.filter));
const val = getTextComparator(filter.type, escapedFilter);
return op === 'ILIKE' || op === 'NOT ILIKE'
? `${colId} ${op} '${val}'`
: `${colId} ${op} '${filter.filter}'`;
: `${colId} ${op} '${escapedFilter}'`;
}
if (
@@ -151,7 +158,8 @@ function convertFilterToSQL(
if (filter.filterType === 'date' && filter.dateFrom && filter.type) {
const op = NUMBER_FILTER_OPERATORS[filter.type];
return `${colId} ${op} '${filter.dateFrom}'`;
const escapedDate = escapeStringValue(filter.dateFrom);
return `${colId} ${op} '${escapedDate}'`;
}
if (
@@ -159,7 +167,9 @@ function convertFilterToSQL(
Array.isArray(filter.values) &&
filter.values.length > 0
) {
const values = filter.values.map((v: string) => `'${v}'`).join(', ');
const values = filter.values
.map((v: string) => `'${escapeStringValue(v)}'`)
.join(', ');
return `${colId} IN (${values})`;
}
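Review bot: `escapeStringValue` only doubles single quotes, which does not cover every SQL dialect (some engines also treat a backslash as an escape character inside string literals), and `colId` and `op` are still interpolated into every clause unmodified. The doc comment should therefore say the helper is not the security boundary, e.g. `/** Doubles single quotes for ANSI-style string literals; the clause must still be validated server-side. */`. The commit title suggests the backend re-processes these clauses with SQLGlot, but that code is not in this section, so that is an assumption to confirm. Separately, the text branch coerces with `String(filter.filter)`, while the date and set branches call `escapeStringValue(filter.dateFrom)` and `escapeStringValue(v)` directly. If a set value can be null or a number at runtime (the filter types are not visible here), `.replace` will throw, so `escapeStringValue(String(v))` plus an explicit decision for null values would be consistent. `convertFilterToSQL` starts and ends outside these hunks.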