mirror of
https://github.com/apache/superset.git
synced 2026-07-15 19:25:38 +00:00
fix(jinja): apply consistent value handling to url_param across input sources
url_param() returned the request.args value through an early return, skipping the dialect-specific quoting and cache-key handling that the form_data path applies. Funnel both input sources through the same tail so the returned value is handled consistently regardless of where the parameter originated. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -288,11 +288,16 @@ class ExtraCache:
|
||||
from superset.views.utils import get_form_data
|
||||
|
||||
if has_request_context() and request.args.get(param):
|
||||
return request.args.get(param, default)
|
||||
result = request.args.get(param, default)
|
||||
else:
|
||||
form_data, _ = get_form_data()
|
||||
url_params = form_data.get("url_params") or {}
|
||||
result = url_params.get(param, default)
|
||||
|
||||
form_data, _ = get_form_data()
|
||||
url_params = form_data.get("url_params") or {}
|
||||
result = url_params.get(param, default)
|
||||
# Apply the same handling to every input source. Values read from
|
||||
# request.args must go through the dialect-specific quoting below just
|
||||
# like values sourced from form_data, so the result is consistent
|
||||
# regardless of where the parameter originated.
|
||||
if result and escape_result and self.dialect:
|
||||
# use the dialect specific quoting logic to escape string
|
||||
result = String().literal_processor(dialect=self.dialect)(value=result)[
|
||||
|
||||
@@ -438,6 +438,26 @@ def test_url_param_unescaped_default_form_data() -> None:
|
||||
assert cache.url_param("bar", "O'Malley", escape_result=False) == "O'Malley"
|
||||
|
||||
|
||||
def test_url_param_escaped_query() -> None:
|
||||
"""
|
||||
Test that a ``url_param`` value read from the request query string is
|
||||
handled the same way as one sourced from ``form_data`` -- i.e. it goes
|
||||
through the dialect-specific quoting instead of being returned raw.
|
||||
"""
|
||||
with current_app.test_request_context(query_string={"foo": "O'Brien"}):
|
||||
cache = ExtraCache(dialect=dialect())
|
||||
assert cache.url_param("foo") == "O''Brien"
|
||||
|
||||
|
||||
def test_url_param_unescaped_query() -> None:
|
||||
"""
|
||||
Test that ``escape_result=False`` returns the raw query-string value.
|
||||
"""
|
||||
with current_app.test_request_context(query_string={"foo": "O'Brien"}):
|
||||
cache = ExtraCache(dialect=dialect())
|
||||
assert cache.url_param("foo", escape_result=False) == "O'Brien"
|
||||
|
||||
|
||||
def test_safe_proxy_primitive() -> None:
|
||||
"""
|
||||
Test the ``safe_proxy`` helper with a function returning a ``str``.
|
||||
|
||||
Reference in New Issue
Block a user