CSV Export - encode quotes #808

2025-12-07 09:36:05 -08:00 · 2024-09-29 08:18:00 +10:00
parent e3b2039257
commit 02077d4654
4 changed files with 51 additions and 14 deletions
--- a/front/deviceDetails.php
+++ b/front/deviceDetails.php
@@ -1288,7 +1288,7 @@ function getDeviceData (readAllData=false) {
        if (deviceData['dev_Favorite'] == 1)         {$('#chkFavorite').iCheck('check');}    else {$('#chkFavorite').iCheck('uncheck');}
        $('#txtGroup').val                           (deviceData['dev_Group']);
        $('#txtLocation').val                        (deviceData['dev_Location']);
-        $('#txtComments').val                        (deviceData['dev_Comments']);        
+        $('#txtComments').val                        (decodeSpecialChars(deviceData['dev_Comments']));        
        $('#txtNetworkNodeMac').val                  ( networkParentMacName) ;
        $('#txtNetworkNodeMac').attr                 ('data-mynodemac', deviceData['dev_Network_Node_MAC_ADDR']);        
        $('#txtNetworkPort').val                     (deviceData['dev_Network_Node_port']);
@@ -1429,7 +1429,7 @@ function setDeviceData (direction='', refreshCallback='') {
    + '&favorite='       + ($('#chkFavorite')[0].checked * 1)
    + '&group='          + encodeURIComponent($('#txtGroup').val())
    + '&location='       + encodeURIComponent($('#txtLocation').val())
-    + '&comments='       + encodeURIComponent($('#txtComments').val())
+    + '&comments='       + encodeURIComponent(encodeSpecialChars($('#txtComments').val()))
    + '&networknode='    + $('#txtNetworkNodeMac').attr('data-mynodemac')
    + '&networknodeport=' + $('#txtNetworkPort').val()
    + '&ssid='            + $('#txtSSID').val()
--- a/front/js/common.js
+++ b/front/js/common.js
@@ -383,6 +383,26 @@ function isValidJSON(jsonString) {
  }
 }

+// method to sanitize input so that HTML and other things don't break
+function encodeSpecialChars(str) {
+  return str
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#039;');
+}
+
+function decodeSpecialChars(str) {
+  return str
+      .replace(/&amp;/g, '&')
+      .replace(/&lt;/g, '<')
+      .replace(/&gt;/g, '>')
+      .replace(/&quot;/g, '"')
+      .replace(/&#039;/g, '\'');
+}
+
+
 // -----------------------------------------------------------------------------
 // General utilities
 // -----------------------------------------------------------------------------
--- a/front/php/server/devices.php
+++ b/front/php/server/devices.php
@@ -428,41 +428,39 @@ function ExportCSV() {
  $func_result = $db->query("SELECT * FROM Devices");        

  // prepare CSV header row
-  // header array with column names 
  $columns = getDevicesColumns();

  // wrap the headers with " (quotes) 
-  $resultCSV = '"'.implode('","', $columns).'"';  
-
-  //and append a new line
-  $resultCSV = $resultCSV."\n";
+  $resultCSV = '"'.implode('","', $columns).'"'."\n";

  // retrieve the devices from the DB
-  while ($row = $func_result -> fetchArray (SQLITE3_ASSOC)) {   
+  while ($row = $func_result->fetchArray(SQLITE3_ASSOC)) {   

    // loop through columns and add values to the string 
    $index = 0;
    foreach ($columns as $columnName) {
+      // Escape special chars (e.g.quotes) inside fields by replacing them with html definitions
+      $fieldValue = encodeSpecialChars($row[$columnName]);

      // add quotes around the value to prevent issues with commas in fields
-      $resultCSV = $resultCSV.'"'.$row[$columnName].'"';
+      $resultCSV .= '"'.$fieldValue.'"';

      // detect last loop - skip as no comma needed
-      if ($index != count($columns) - 1  )
-      {
-        $resultCSV = $resultCSV.',';
+      if ($index != count($columns) - 1) {
+        $resultCSV .= ',';
      }
      $index++;
    } 

-    //$resultCSV = $resultCSV.implode(",", [$row["dev_MAC"], $row["dev_Name"]]);
-    $resultCSV = $resultCSV."\n";
+    // add a new line for the next row
+    $resultCSV .= "\n";
  }

  //write the built CSV string
  echo $resultCSV;    
 }

+
 //------------------------------------------------------------------------------
 //  Import CSV of devices
 //------------------------------------------------------------------------------
--- a/front/php/server/util.php
+++ b/front/php/server/util.php
@@ -524,6 +524,25 @@ function handleNull ($text, $default = "") {
  
 }

+// -------------------------------------------------------------------------------------------
+// Encode special chars
+function encodeSpecialChars($str) {
+  return str_replace(
+      ['&', '<', '>', '"', "'"],
+      ['&amp;', '&lt;', '&gt;', '&quot;', '&#039;'],
+      $str
+  );
+}
+
+// -------------------------------------------------------------------------------------------
+// Decode special chars
+function decodeSpecialChars($str) {
+  return str_replace(
+      ['&amp;', '&lt;', '&gt;', '&quot;', '&#039;'],
+      ['&', '<', '>', '"', "'"],
+      $str
+  );
+}


 // -------------------------------------------------------------------------------------------