Superset UI doesn't escape / quote the search query and currently is not working with special characters #13708

Closed
3 tasks done
bkyryliuk opened this issue Mar 19, 2021 · 5 comments
Labels
#bug Bug report

Comments

@bkyryliuk
Member

A clear and concise description of what the bug is.

Expected results

Superset UI e.g. should escape query search parameter for superset objects like charts, dashboards etc
Expected api call:
/api/v1/report/related/dashboard?q=(filter:%27[query]%27,page_size:2000)

Actual API call:
https://superset.pp.dropbox.com/api/v1/report/related/dashboard?q=(filter:[query],page_size:2000)


How to reproduce the bug

  1. open superset search
  2. search for [query]

Environment

https://github.com/airbnb/superset-fork/tree/release--2021-03-10

Make sure to follow these steps before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Add any other context about the problem here.

cc @dpgaspar , @villebro

@bkyryliuk bkyryliuk added the #bug Bug report label Mar 19, 2021
@nytai
Member

nytai commented Mar 19, 2021

This seems like a rison encoding as all calls should be going through rison.encode; we may have to fork and make updates to that lib
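
The quoting the issue asks for, shown as an added example that is not part of the thread and is not Superset's or the rison library's code: the search text is always emitted as a quoted Rison string (delimited by `'`, with `!` escaping `'` and `!`), so structural characters in the text cannot change the shape of `q`. The function names are hypothetical, the path is the one quoted in the issue, and the sample searches are constructed.

```javascript
// Hand-written Rison string quoting (assumption: follows the Rison format's
// quoted-string rule; it does not call the rison library).
function risonQuote(text) {
  return "'" + String(text).replace(/[!']/g, '!$&') + "'";
}

// Inverse of risonQuote, used here only to check the round trip.
function risonUnquote(token) {
  if (token.length < 2 || token[0] !== "'" || token[token.length - 1] !== "'") {
    throw new Error('not a quoted Rison string');
  }
  const body = token.slice(1, -1);
  let out = '';
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "'") throw new Error('unescaped quote inside string');
    if (body[i] === '!') {
      i += 1; // skip the escape marker, keep the escaped character
      if (body[i] !== '!' && body[i] !== "'") throw new Error('bad escape');
    }
    out += body[i];
  }
  return out;
}

// Build the q= value in the shape the issue expects:
// (filter:'<text>',page_size:N)
function buildRelatedQuery(text, pageSize) {
  if (!Number.isInteger(pageSize) || pageSize < 0) throw new Error('bad page size');
  return '(filter:' + risonQuote(text) + ',page_size:' + pageSize + ')';
}

// Percent-encode for the URL. encodeURIComponent leaves ' untouched,
// so it is encoded explicitly as %27.
function buildRelatedUrl(path, text, pageSize) {
  const q = encodeURIComponent(buildRelatedQuery(text, pageSize)).replace(/'/g, '%27');
  return path + '?q=' + q;
}

// Constructed sample searches containing Rison structural characters.
const samples = ['sales', "o'brien", 'a,page_size:1', 'wow!', 'x)(y', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', buildRelatedQuery(s, 2000));
}
```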

@stale

stale bot commented May 2, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

@stale stale bot added the inactive Inactive for >= 30 days label May 2, 2022
@rusackas
Member

rusackas commented Jan 9, 2023

@bkyryliuk is this still an issue?

@stale stale bot removed the inactive Inactive for >= 30 days label Jan 9, 2023
@rusackas
Member

Closing this as stale since it's been silent for so long, and we're trying to steer toward a more actionable Issues backlog. If people are still encountering this in current versions (currently 3.x) please re-open this issue, open a new Issue with updated context, or raise a PR to address the problem. Thanks!

@nicmrayce

Hi @rusackas, just to let you know that apparently, Superset doesn't seem to escape the special characters again when a filtering action is attempted.

One of the column values in our dataset has a single quote ' character and it causes an error across all charts when that option is picked.

An example here:
quote_error

And so the quickest way we could think of is to use the SQL REPLACE function in order to remove any possible occurrences of the single quote ' character.

And everything works as usual again:
quote_removed

However, the issue is that the user may still have the tendency to type in their own value, which may or may not contain special characters (we may never know as we can't predict user behavior).

Therefore, may I suggest considering an option called 'Disabled typing input/user input' in the Superset filter options? This would allow us to have proper control over the possibility of users trying to type weird characters into the filter.
feature_suggestion
