Hello, Please find attached a patch which fixes 2 issues reported in Bug #4387 <https://redmine.postgresql.org/issues/4387>: 1. Incorrect column name when the column name is like *'SELECT '<<SCRIPT>alert("XSS ");//<</SCRIPT>;*'' 2. Unable to enter data when the above column is the primary key.
Thanks, Yogesh Mahajan QA - Team EnterpriseDB Corporation Phone: +91-9741705709
diff --git a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
index 61e1f9cf4..b2081b97e 100644
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@@ -786,7 +786,7 @@ define('tools.querytool', [
 c.column_type = _.escape(c.column_type);
 var options = {
- id: c.name,
+ id: _.escape(c.name),
 pos: c.pos,
 field: c.name,
 name: c.label,
diff --git a/web/pgadmin/tools/sqleditor/templates/sqleditor/sql/default/select.sql b/web/pgadmin/tools/sqleditor/templates/sqleditor/sql/default/select.sql
index 97329cd32..1bf7428b6 100644
--- a/web/pgadmin/tools/sqleditor/templates/sqleditor/sql/default/select.sql
+++ b/web/pgadmin/tools/sqleditor/templates/sqleditor/sql/default/select.sql
@@ -5,5 +5,5 @@ WHERE oid = %(oid)s
 {% elif primary_keys|length > 0 %}
 {% for pk in primary_keys %}
- {% if not loop.first %} AND {% endif %}{{ conn|qtIdent(pk) }} = %({{ pk }})s{% endfor %}
+ {% if not loop.first %} AND {% endif %}{{ conn|qtIdent(pk) }} = %({{ pgadmin_alias[pk] }})s{% endfor %}
 {% endif %};
diff --git a/web/pgadmin/tools/sqleditor/tests/test_view_data_templates.py b/web/pgadmin/tools/sqleditor/tests/test_view_data_templates.py
index 1e927593a..217079d9c 100644
--- a/web/pgadmin/tools/sqleditor/tests/test_view_data_templates.py
+++ b/web/pgadmin/tools/sqleditor/tests/test_view_data_templates.py
@@ -54,6 +54,7 @@ class TestViewDataTemplates(BaseTestGenerator):
 select_template_path='sqleditor/sql/default/select.sql',
 select_parameters=dict(
 object_name='test_table',
+ pgadmin_alias=pgadmin_alias,
 nsp_name='test_schema',
 primary_keys=OrderedDict([('id', 'int4')]),
 has_oids=False
@@ -87,6 +88,7 @@ class TestViewDataTemplates(BaseTestGenerator):
 select_parameters=dict(
 object_name='test_table',
 nsp_name='test_schema',
+ pgadmin_alias=pgadmin_alias,
 primary_keys=OrderedDict([('id', 'int4'), ('text', 'text')]),
 has_oids=False
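Review bot: Escaping c.name when building `id` makes `options.id` diverge from `field` (which still carries the raw `c.name`) for any column name containing `&`, `<`, `>`, `"`, `'` or a backtick — a column named `a&b` now has id `a&amp;b` — so any code that later looks a column up by id using the raw name will miss it; no such lookup is visible in this hunk, so that is worth confirming. `_.escape` is injective, so distinct names still get distinct ids, but the more robust place to neutralise the name is the sink where SlickGrid writes the id into header markup rather than the column model. A comment such as `// SlickGrid renders id into header markup, so escape it here; field keeps the raw name for row-data lookups` would document the asymmetry between the two properties. The enclosing function begins and ends outside the hunk.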
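Review bot: The placeholder name is now taken from `pgadmin_alias[pk]` with no fallback, so a primary-key name that is absent from the mapping renders as an empty placeholder name (`%()s`) under Jinja's default Undefined (unless the environment uses StrictUndefined) and the parameterised query fails at execution time; the Python side in the save_changed_data.py hunk of this same patch falls back to the raw key (`pgadmin_alias[k] if k in pgadmin_alias else k`), so the two sides disagree in exactly that case. Rendering `%({{ pgadmin_alias.get(pk, pk) }})s` would keep template and parameter dict consistent. This also changes the template's contract: every caller that renders select.sql must now pass `pgadmin_alias`, and only the two test call sites and the one in save_changed_data are updated here, so any other caller not shown in the patch would hit the same empty placeholder. Since the alias value is spliced into the SQL text as a parameter name rather than passed through `qtIdent`, it is worth confirming that aliases are generated from a restricted character set and not taken verbatim from the column name.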
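Review bot: Both test hunks (at -54 and -87) only thread `pgadmin_alias` through the existing cases, whose primary-key names `id` and `text` presumably map to themselves, so the template's new behaviour — substituting the alias for the raw key in the placeholder — is not actually asserted. A case in which `pgadmin_alias` maps a key to a distinct alias, with the expected SQL containing that alias in the `%(...)s` placeholder, would pin the fix for the #4387 scenario and catch a regression to `{{ pk }}`. How `pgadmin_alias` is defined in the test module is not visible in these hunks, and the enclosing class continues outside them.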
diff --git a/web/pgadmin/tools/sqleditor/utils/save_changed_data.py b/web/pgadmin/tools/sqleditor/utils/save_changed_data.py
index bc30b1395..525095997 100644
--- a/web/pgadmin/tools/sqleditor/utils/save_changed_data.py
+++ b/web/pgadmin/tools/sqleditor/utils/save_changed_data.py
@@ -138,6 +138,7 @@ def save_changed_data(changed_data, columns_info, conn, command_obj,
 "/".join([command_obj.sql_path, 'select.sql']),
 object_name=command_obj.object_name,
 nsp_name=command_obj.nsp_name,
+ pgadmin_alias=pgadmin_alias,
 primary_keys=primary_keys,
 has_oids=command_obj.has_oids()
 )
@@ -279,8 +280,12 @@ def save_changed_data(changed_data, columns_info, conn, command_obj,
 # Select added row from the table
 if 'select_sql' in item:
+ params = {
+ pgadmin_alias[k] if k in pgadmin_alias else k: v
+ for k, v in res['rows'][0].items()
+ }
 status, sel_res = conn.execute_dict(
- item['select_sql'], res['rows'][0])
+ item['select_sql'], params)
 if not status:
 return failure_handle(sel_res, item.get('row_id', 0))
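Review bot: `pgadmin_alias` is passed to the template here without being introduced anywhere in this patch, so it must already be bound earlier in save_changed_data, outside the hunk; a one-line comment at that binding, or at this call, stating the mapping direction — e.g. `# pgadmin_alias: raw column name -> placeholder/alias name used by select.sql` — would save the next reader from tracing it, particularly since the later hunk of this file consults the same mapping when rebuilding the parameter dict. If the mapping can be partial (not every column present), that is the property the template now depends on and should be stated at the same place. The enclosing function begins and ends outside the hunk.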
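Review bot: The conditional key in the new `params` comprehension, `pgadmin_alias[k] if k in pgadmin_alias else k`, is the dict `get` idiom written out by hand; `params = {pgadmin_alias.get(k, k): v for k, v in res['rows'][0].items()}` reads more directly and does one lookup instead of two. A short comment above it — `# select.sql's placeholders are named by alias, so re-key the returned row` — would explain why the row from `res` cannot be passed through unchanged. Whether the `else k` fallback can ever be taken depends on how `pgadmin_alias` is built, which is outside the hunk, and its consistency with the select.sql placeholder is raised at that template's hunk. The enclosing function begins and ends outside the hunk.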