Fields in Device Details in UI need escaping for SQL query #918
Labels
bug 🐛
Something isn't working
next release/in dev image🚀
This is coming in the next release or was already released if the issue is Closed.
Current Behavior
"Error executing query (attempts: 10), query: UPDATE Devices SET\n devName = 'X20-DSL',\n devOwner = 'System',\n devType = 'Router',\n devVendor = 'TP-Link Limited',\n devIcon = '',\n devFavorite = '0',\n devGroup = 'System',\n devLocation = 'Ingo's Office',\n devComments = 'New Device',\n devParentMAC = 'Internet',\n devParentPort = '0',\n devSSID = '',\n devSite = '',\n devStaticIP = '0',\n devScan = '1',\n devAlertEvents = '0',\n devAlertDown = '0',\n devSkipRepeated = '1',\n devIsNew = '0',\n devIsArchived = '0'\n WHERE devMac = '28:87:ba:8a:6c:d0'"
Expected Behavior
UPDATE Devices SET\n devName = 'X20-DSL',\n devOwner = 'System',\n devType = 'Router',\n devVendor = 'TP-Link Limited',\n devIcon = '',\n devFavorite = '0',\n devGroup = 'System',\n devLocation = 'Ingo's Office',\n devComments = 'New Device',\n devParentMAC = 'Internet',\n devParentPort = '0',\n devSSID = '',\n devSite = '',\n devStaticIP = '0',\n devScan = '1',\n devAlertEvents = '0',\n devAlertDown = '0',\n devSkipRepeated = '1',\n devIsNew = '0',\n devIsArchived = '0'\n WHERE devMac = '28:87:ba:8a:6c:d0'
Steps To Reproduce
Open the device details page /deviceDetails.php?mac=28:87:ba:8a:6c:d0 and enter a name containing a single quote ( ' ) as the location.
SQL times out with the error above upon save.
Looks like in EditDeviceDetails.php, name, owner and vendor have any " ' " removed, but location (and other fields) do not:
+ '&name=' + encodeURIComponent($('#NEWDEV_devName').val().replace(/'/g, ""))
+ '&owner=' + encodeURIComponent($('#NEWDEV_devOwner').val().replace(/'/g, ""))
+ '&type=' + $('#NEWDEV_devType').val()
+ '&vendor=' + encodeURIComponent($('#NEWDEV_devVendor').val().replace(/'/g, ""))
+ '&icon=' + encodeURIComponent($('#NEWDEV_devIcon').val())
+ '&favorite=' + ($('#NEWDEV_devFavorite')[0].checked * 1)
+ '&group=' + encodeURIComponent($('#NEWDEV_devGroup').val())
+ '&location=' + encodeURIComponent($('#NEWDEV_devLocation').val())
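The report shows the root cause: the UPDATE statement is assembled by pasting field values into the SQL text, so a value such as `Ingo's Office` terminates the string literal early and the statement fails to parse (stripping the quote on the client, as done for name/owner/vendor, only hides this for some fields and also silently alters the user's data). The following is an added example, not code from the issue or from the project: it reproduces the failure against an in-memory SQLite table built from the column names in the quoted query, then applies the same update with bound parameters, which stores the quote intact. The table layout, the `update_*` helper names and the column allow-list are assumptions for the demonstration.

```python
import sqlite3

# Column/value pairs taken from the UPDATE statement quoted in the report.
# Only a subset of the columns is modelled here.
SAMPLE_FIELDS = {
    "devName": "X20-DSL",
    "devOwner": "System",
    "devType": "Router",
    "devVendor": "TP-Link Limited",
    "devLocation": "Ingo's Office",  # the value that breaks the concatenated query
    "devComments": "New Device",
}
SAMPLE_MAC = "28:87:ba:8a:6c:d0"

# Columns the update helper is allowed to touch (constructed allow-list).
ALLOWED_COLUMNS = frozenset(SAMPLE_FIELDS)


def make_db():
    """Constructed in-memory table with just the columns this example uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Devices (devMac TEXT PRIMARY KEY, devName TEXT, devOwner TEXT, "
        "devType TEXT, devVendor TEXT, devLocation TEXT, devComments TEXT)"
    )
    conn.execute("INSERT INTO Devices (devMac) VALUES (?)", (SAMPLE_MAC,))
    conn.commit()
    return conn


def build_concatenated_update(fields, mac):
    """The fragile pattern from the report: values pasted straight into the SQL text."""
    assignments = ",\n ".join(f"{col} = '{val}'" for col, val in fields.items())
    return f"UPDATE Devices SET\n {assignments}\n WHERE devMac = '{mac}'"


def update_concatenated(conn, fields, mac):
    """Run the concatenated statement; return None on success or the SQLite error text."""
    try:
        conn.execute(build_concatenated_update(fields, mac))
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def update_parameterized(conn, fields, mac):
    """Hardened form: column names checked against an allow-list, values bound as parameters.

    Returns the number of rows updated.
    """
    unknown = set(fields) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unknown column(s): {sorted(unknown)}")
    assignments = ", ".join(f"{col} = ?" for col in fields)
    params = list(fields.values()) + [mac]
    cur = conn.execute(f"UPDATE Devices SET {assignments} WHERE devMac = ?", params)
    conn.commit()
    return cur.rowcount


def read_location(conn, mac):
    """Fetch devLocation for a MAC so the stored value can be inspected."""
    row = conn.execute("SELECT devLocation FROM Devices WHERE devMac = ?", (mac,)).fetchone()
    return row[0] if row else None


def demo():
    """Show the concatenated statement failing and the bound version succeeding."""
    conn = make_db()
    err = update_concatenated(conn, SAMPLE_FIELDS, SAMPLE_MAC)
    rows = update_parameterized(conn, SAMPLE_FIELDS, SAMPLE_MAC)
    return err, rows, read_location(conn, SAMPLE_MAC)


if __name__ == "__main__":
    error_text, updated, location = demo()
    print("concatenated query error:", error_text)
    print("parameterized rows updated:", updated)
    print("stored devLocation:", location)
```

Binding the values means the database driver never interprets them as SQL, so the apostrophe needs no client-side removal and other characters that the `replace(/'/g, "")` approach leaves untouched are handled the same way. Column names cannot be bound as parameters, which is why the helper restricts them to a fixed allow-list instead.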
app.conf
No response
docker-compose.yml
No response
What branch are you running?
Production
app.log
No response
Debug enabled