Massive security vulnerabilities through improper MySQL escaping

Hi,

In the topic "Escaping ' for MySQL" there is a recommendation to use JSON.stringify to escape strings for the MySQL connector. However, this is not the proper solution, since JSON.stringify behaves a bit differently from the official mysql_real_escape_string function.

Is there a function to escape other formats like: mysql-strings, mysql-identifiers, html-entities, xml-entities, too?
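The difference the post above refers to, as an added example (not code from the thread or from n8n): both helpers below are this example's own, and the literal parser only models MySQL's default sql_mode (backslash escapes enabled, ANSI_QUOTES off). JSON.stringify emits `\u0000` for a NUL byte and `\f` for a form feed; MySQL knows neither sequence and simply drops the backslash, so the stored value is silently altered. A mysql_real_escape_string-style escaper round-trips the same inputs intact.

```javascript
// Added example, not from the thread or from n8n: why JSON.stringify is not a
// stand-in for mysql_real_escape_string. Both functions are this example's own;
// mysqlParseLiteral only models the default sql_mode (backslash escapes on,
// ANSI_QUOTES off).

// Escape the characters mysql_real_escape_string handles (NUL, \n, \r, \, ', "
// and Ctrl-Z) and wrap the result in single quotes.
function mysqlEscapeString(value) {
  const map = new Map([
    ['\0', '\\0'], ['\n', '\\n'], ['\r', '\\r'], ['\x1a', '\\Z'],
    ['\\', '\\\\'], ["'", "\\'"], ['"', '\\"'],
  ]);
  return "'" + String(value).replace(/[\0\n\r\x1a\\'"]/g, (c) => map.get(c)) + "'";
}

// Decode a quoted literal the way MySQL's lexer does under the default
// sql_mode: recognised backslash sequences map to their character, any other
// backslash is dropped, and a doubled quote character is one quote.
function mysqlParseLiteral(literal) {
  const q = literal[0];
  if ((q !== "'" && q !== '"') || literal.length < 2 || literal[literal.length - 1] !== q) {
    throw new Error('not a quoted literal: ' + literal);
  }
  const esc = new Map([
    ['0', '\0'], ['b', '\b'], ['n', '\n'], ['r', '\r'], ['t', '\t'], ['Z', '\x1a'],
    ['%', '\\%'], ['_', '\\_'],
  ]);
  const body = literal.slice(1, -1);
  let out = '';
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '\\' && i + 1 < body.length) {
      const n = body[++i];
      out += esc.has(n) ? esc.get(n) : n;
    } else if (c === q && body[i + 1] === q) {
      out += q;
      i++;
    } else if (c === q) {
      throw new Error('unescaped quote terminates the literal early');
    } else {
      out += c;
    }
  }
  return out;
}

// Round-trip a value through each escaper and MySQL's parsing rules. Where the
// result differs from the input, that escaper was wrong for MySQL.
function roundTrip(value) {
  return {
    json: mysqlParseLiteral(JSON.stringify(value)),
    mysql: mysqlParseLiteral(mysqlEscapeString(value)),
  };
}

// Constructed inputs: an embedded quote, a NUL byte and a form feed.
const samples = ["O'Reilly", 'a\0b', 'x\fy'];
for (const s of samples) {
  const r = roundTrip(s);
  console.log(JSON.stringify(s), 'json ok:', r.json === s, 'mysql ok:', r.mysql === s);
}
```

Two further caveats the round trip does not cover: with ANSI_QUOTES set, the double-quoted literal that JSON.stringify produces is parsed as an identifier, not a string; and with NO_BACKSLASH_ESCAPES set, neither backslash scheme works and only the doubled-quote form is valid. Parameterised queries sidestep all of this, which is why they are preferred over any escaping function.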

You are commenting on a thread that is over 2 years old. The point of the answers on that thread was just to help get the SQL working, with embedded quotes and other special characters, not to lock it down to prevent vulnerabilities that might arise if you were allowing SQL fragments as untrusted, external input to the workflow. When SQL text, and/or string values embedded into SQL text, come from a trusted source, failing to properly escape it isn't a "massive security" issue, but just a challenge for getting things to work.

If you feel that the MySQL node itself doesn’t properly defend against SQL injection, you could propose an enhancement to how the node is coded.


Yep, I dug through some portions of n8n's internal implementation already.

First, n8n should ship template-accessible escaping functions for all relevant data formats:

  • encodeURIComponent
  • JSON.stringify
  • htmlentities
  • xmlentities
  • mysql_real_escape_string
  • escapeshellarg

For the consistent use of these functions, I would suggest a more user-friendly UI for template snippets: add an additional "FILTER" argument in the top-right corner of the green template snippet, like you see in angular.js: {{ my_text | html }} to prevent XSS; a click on the word "html" could open a dropdown to select a filter from the list, so the user doesn't have to read documentation about available escaping functions.

Last but not least, when dragging a JSON field into an HTML field, the escaping filter {{ $.json.Fieldname | html }} should be set automatically; same for JSON fields: automatically add the {{ … | json }} filter.
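What the proposed pipe syntax could look like in practice, as an added example that is not n8n code: a minimal renderer for `{{ field | filter }}` tokens with context-specific escaping filters. The filter names, the renderer, the default-filter behaviour and the sample record are this example's own assumptions.

```javascript
// Added example, not n8n code: a minimal renderer for the "{{ field | filter }}"
// syntax proposed in the post above. Filter names, renderer and sample data are
// this example's own assumptions.

const htmlEntities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

const filters = {
  // HTML entity escaping: safe for element content and double-quoted attributes.
  html: (v) => String(v).replace(/[&<>"']/g, (c) => htmlEntities[c]),
  // JSON: the value becomes a valid JSON literal, quotes included.
  json: (v) => JSON.stringify(v),
  // URL query component.
  url: (v) => encodeURIComponent(String(v)),
};

// Resolve `{{ path | filter }}` tokens against `context`. A token without a
// filter falls back to `defaultFilter` (what the UI would set when a field is
// dragged into an HTML body); with no default it is an error rather than raw
// interpolation, so nothing reaches the output unescaped by accident.
function render(template, context, defaultFilter) {
  const token = /\{\{\s*([\w.$]+)\s*(?:\|\s*(\w+)\s*)?\}\}/g;
  return template.replace(token, (_, path, filterName) => {
    const name = filterName || defaultFilter;
    if (!Object.prototype.hasOwnProperty.call(filters, name)) {
      throw new Error(`no escaping filter "${name}" for {{ ${path} }}`);
    }
    const value = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), context);
    return filters[name](value === undefined ? '' : value);
  });
}

// Constructed sample record shaped like an n8n item.
const sample = { $json: { name: '<script>alert(1)</script>', q: 'a b&c' } };
console.log(render('<p>{{ $json.name | html }}</p>', sample));
console.log(render('{"name": {{ $json.name | json }}}', sample));
console.log(render('/search?q={{ $json.q | url }}', sample));
```

The point of refusing unfiltered tokens is that the safe behaviour is the default: a field dropped into an HTML body gets `html`, into a JSON body `json`, and anything else has to be chosen deliberately.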
