url decode not working in version 12

Tami_Lust · December 10, 2019, 5:47pm

We updated from version 10 to version 12 and we have a field that gets populated via an Apex class with some html.

We display the field contents in a template field with the following code:
{{#urlDecode}}{{{Tracking_Info__c}}}{{/urlDecode}}

In Version 10 the
are honored and the "
" text is not displayed.

In version 12 the
are not honored and the "
" are displayed.

Should I be using something other than {{#urlDecode}}{{/urlDecode}} to honor the html?

Zach_McElrath · December 10, 2019, 6:13pm

What page API version is this happening in? V1 or V2?

Tami_Lust · December 10, 2019, 6:30pm

V1

Tami_Lust · December 12, 2019, 7:09pm

^^bump^^

Khamla_Phimmachack · December 12, 2019, 10:01pm

Hi Tami, I found another post related to using
in a formula field returning text:
https://community.skuid.com/t/include-html-in-a-text-formula?topic-reply-list%5Bsettings%5D%5Bfilter_by%5D=all
Not sure if this would apply to your template field, but worth a shot.

Tami_Lust · December 13, 2019, 8:23pm

Hi Khamla,

Thanks for your response. I don’t think that is the issue that I am experiencing because I am not using a formula field.

I am using a text field that gets populated with html via Apex Class. We then display the contents of that field in a Skuid template field using the {{#urlDecode}}{{/urlDecode}} code so that the html is shown properly.

The above mentioned method works fine in version 10 but it doesn’t work in version 12.

Jackson_Stone · January 10, 2020, 7:37pm

This behavior of urlDecode was patched as of 12.0. It presented an unintended XSS vulnerability we wanted to protect our customers from. But I’m sorry it has bitten you!

We are researching better ways we can offer a supported method of inserting raw HTML for both V1 and V2, but in the interim if you are in a V1 skuid page our recommendation is to achieve similar behavior with a custom renderer for that field in V1 (see below for the custom render code you can use)

var field = arguments[0],
    // Note: The value below (arguments[1]) will be HTML-escaped, since this is what is returned in the snippet.
    // If you want the unescaped value, use model.getFieldValue(fieldId, row, noEscape) with noEscape set to true (see below)
    // value = arguments[1],
    fieldId = field.id,
    model = field.model,
    row = field.row,
    element = field.element,
    mode = field.mode,
 fieldValue = model.getFieldValue(row, fieldId, true), // The third argument here is noEscape. Setting it to true specifies that we DON’T want an HTML-escaped result for the model field value
 uriDecodedValue = decodeURIComponent(fieldValue); element.html(uriDecodedValue);```

Tami_Lust · January 10, 2020, 8:10pm

This works perfectly in V1 pages. Thank you!