fix csv escapes

sqlpage · Aug 11, 2024 · c5392c7 · c5392c7
1 parent b6bb982
commit c5392c7
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Fixed a bug where in very specific conditions, sqlpage functions could mess up the order of the arguments passed to a sql query. This would happen when a sqlpage function was called with both a column from the database and a sqlpage variable in its arguments, and the query also contained references to other sqlpage variables **after** the sqlpage function call. An example would be `select sqlpage.exec('xxx', some_column = $a) as a, $b as b from t`. A test was added for this case.
 - added a new `url_encode` helper for [custom components](https://sql.ophir.dev/custom_components.sql) to encode a string for use in a URL.
 - fixed a bug where the CSV component would break when the data contained a `#` character.
+- properly escape fields in the CSV component to avoid generating invalid CSV files.
 
 ## 0.26.0 (2024-08-06)
 ### Components

diff --git a/sqlpage/templates/csv.handlebars b/sqlpage/templates/csv.handlebars
@@ -3,15 +3,14 @@
 {{~#each_row~}}
         {{~#if (eq @row_index 0)~}}{{! header }}
             {{~#each this~}}
-                %22{{! %22 = double-quote}}
-                {{~url_encode @key~}}
-                %22
+                {{~url_encode (csv_escape @key ../../separator)~}}
                 {{~default ../../separator ","~}}
             {{~/each~}}
         %0A{{! %0A = newline}}
         {{~/if~}}
         {{~#each this~}}
-        %22{{url_encode this}}%22{{default ../../separator ","}}
+            {{~url_encode (csv_escape this ../../separator)~}}
+            {{~default ../../separator ","~}}
         {{~/each~}}
     %0A
 {{~/each_row~}}

diff --git a/src/template_helpers.rs b/src/template_helpers.rs
@@ -52,6 +52,7 @@ pub fn register_all_helpers(h: &mut Handlebars<'_>, config: &AppConfig) {
     register_helper(h, "typeof", typeof_helper as H);
     register_helper(h, "rfc2822_date", rfc2822_date_helper as EH);
     register_helper(h, "url_encode", url_encode_helper as H);
+    register_helper(h, "csv_escape", csv_escape_helper as HH);
 }
 
 fn stringify_helper(v: &JsonValue) -> JsonValue {
@@ -282,6 +283,20 @@ fn url_encode_helper(v: &JsonValue) -> JsonValue {
         .into()
 }
 
+// Percent-encode a string
+fn csv_escape_helper(v: &JsonValue, separator: &JsonValue) -> JsonValue {
+    let as_str = match v {
+        JsonValue::String(s) => s,
+        other => &other.to_string(),
+    };
+    let separator = separator.as_str().unwrap_or(",");
+    if as_str.contains(separator) || as_str.contains('"') || as_str.contains('\n') {
+        format!(r#""{}""#, as_str.replace('"', r#""""#)).into()
+    } else {
+        as_str.to_owned().into()
+    }
+}
+
 fn with_each_block<'a, 'reg, 'rc>(
     rc: &'a mut handlebars::RenderContext<'reg, 'rc>,
     mut action: impl FnMut(&mut handlebars::BlockContext<'rc>, bool) -> Result<(), RenderError>,