Merge Syntax not HTML-escaping in page include query string

  • Problem
  • Updated 3 months ago
  • Solved
I'm passing a name field into a query string used on a page include, and the page fails to load when the name contains the % sign.

According to Skuid documentation on merge syntax, using double-braces should HTML-escape the data in the merge, so using % in the merge field should spit out &percnt instead or something similar.

We can work around this by guiding users not to use the % sign in their record naming, but seems like this is a bug that could be fixed. 

Jack Sanford, Champion


Posted 3 months ago


Emily Davis, Employee

Jack,
As far as I can tell, we don't HTML-escape the % sign, since it doesn't really bear significance in HTML like the &, <, >, and " characters do (i.e., there's not a risk of XSS with including this character in a field value and not HTML-escaping it). However, it sounds like you are hitting an issue with loading a page include where the record name contains the % character, right?

I believe I'm seeing the same issue as you, and think this is an issue with URL-encoding/decoding (not HTML escaping)... specifically, with how Skuid is trying to URL-encode/decode that value. To provide a little more info here, do you mind sharing the query string that you're using for your Page Include?
Thanks,
Emily

Jack Sanford, Champion

snap={{$Model.SnapInclude.data.0.Snapshot_Name__c}}

which resolves to:
snap=Risk Adjustment % PVD 2019-06-03

and in the console shows up as:
https://c.cs65.visual.force.com/apex/include?snap=Risk%20Adjustment%20%%20PVD%202019-06-03&isinc...

It looks like the URL code for a space is %20 


I can change it to pass a record id and query the model for the record name, but I'm not needing to query the model for any other reason, we just use the text from the name for display on the page include, so it'd be faster to not have to query. 

Jack Sanford, Champion

That works! Thanks so much. 

Zach McElrath, Employee

Official Response
Jack, have you tried using {{#urlEncode}} function? That function is specifically designed for passing non-URL-safe merge data into URLs, like you're doing here.

snap={{#urlEncode}}{{$Model.SnapInclude.data.0.Snapshot_Name__c}}{{/urlEncode}}
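
The distinction drawn in this thread between HTML-escaping and URL-encoding, as an added example that is not part of the original posts and is not Skuid code. All function names are hypothetical, `spaceOnlyEncode` is a constructed stand-in that reproduces the URL shown in the console, and the standard `encodeURIComponent` is assumed here as the equivalent of what `{{#urlEncode}}` is described as doing.

```javascript
// Added example; not Skuid code. Function names are hypothetical.

// HTML-escaping covers characters significant in markup; '%' is not one of them.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Constructed stand-in that reproduces the URL seen in the console:
// spaces become %20 but a literal '%' passes through unencoded.
function spaceOnlyEncode(s) {
  return s.replace(/ /g, '%20');
}

// Find '%' characters not followed by two hex digits (malformed escapes).
function malformedPercentOffsets(component) {
  const offsets = [];
  const re = /%(?![0-9A-Fa-f]{2})/g;
  let m;
  while ((m = re.exec(component)) !== null) offsets.push(m.index);
  return offsets;
}

// Decode a query-string value, reporting failure instead of throwing.
function tryDecode(component) {
  try {
    return { ok: true, value: decodeURIComponent(component) };
  } catch (e) {
    return { ok: false, error: e.name }; // URIError on malformed escapes
  }
}

const name = 'Risk Adjustment % PVD 2019-06-03'; // value from the thread
const broken = spaceOnlyEncode(htmlEscape(name)); // HTML-escaping changes nothing here
const fixed = encodeURIComponent(name);           // '%' becomes '%25'

console.log(broken, malformedPercentOffsets(broken), tryDecode(broken));
console.log(fixed, malformedPercentOffsets(fixed), tryDecode(fixed));
```

The `malformedPercentOffsets` check can be run over any merge-built query string before it is used, to catch values that were inserted without URL-encoding.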