Repeater WhereCondition adds extra quotes in the middle of a string.

Lance Keay asked on July 4, 2018 18:57

I'm trying to filter docs by nodeGuids, so I'm making an 'IN' condition using this string:

Alerts = "d001862c-a51f-4dc7-b1a2-69f1787bde9d|15fab1bf-f727-47bc-b713-8624cf9d86e9|e2626bc5-228c-4567-9ff0-51bc359c16e6"

Then I'm using this macro: NodeGUID in ('{% Alerts.Replace("|", "','") #%}')

Which returns: "NodeGUID IN ('d001862c-a51f-4dc7-b1a2-69f1787bde9d'' , ''15fab1bf-f727-47bc-b713-8624cf9d86e9'' , ''e2626bc5-228c-4567-9ff0-51bc359c16e6')"

NOTE the double single quotes in the middle of the string. At first I thought it was a problem with the Replace function, so I tried a double replacement: NodeGUID IN ('{% Alerts.Replace("|", "TEST").Replace("TEST", "', '") #%}') But that gave the same result.

Then I tried making my own custom macro string replacement function. I can see the string is formatted properly when it leaves my custom macro. However, when I interrogate the WhereCondition of the cmsrepeater at this line:

return DataHelper.GetNotEmpty(GetValue("WhereCondition"), repItems.WhereCondition);

The value returned by: GetValue("WhereCondition") has the double single quote thing.

So how do I stop this from happening?

Recent Answers

Brenden Kehren answered on July 4, 2018 19:16

The where field is a macro field and is automatically sanitized. So add the value as a macro and add a parameter to it to not sanitize it.

Read the documentation here regarding the parameter handlesqlinjection. Yes, the docs are for v8, but it applies to at least v6 and above.


Juraj Ondrus answered on July 4, 2018 21:23

I just want to add to what Brenden posted - in this documentation you can also read a few lines on the macro parameter, and, if you want, it also describes how to turn off the protection or, alternatively, how to use SQLEscape.


Lance Keay answered on July 4, 2018 21:46 (last edited on December 10, 2019 02:31)

Nice one! Thanks guys!

FYI - I changed the macro to:

NodeGUID in ('{% Alerts.Replace("|", "','")|(handlesqlinjection)false |(identity)GlobalAdministrator%}')

And it worked like a charm!

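An added illustration, not code from this thread or from Kentico, of why the doubled quotes appear. It models the macro engine's SQL-injection handling as doubling every single quote in the resolved macro value (an assumption about the engine, consistent with the output Lance quoted), reproduces the broken and the handlesqlinjection-disabled results, and shows an alternative that keeps the protection on by validating every token as a GUID before the IN list is built, so no quotes ever pass through the macro at all.

```python
import uuid

# Constructed sample input: the pipe-separated GUID list from the question.
ALERTS = ("d001862c-a51f-4dc7-b1a2-69f1787bde9d|"
          "15fab1bf-f727-47bc-b713-8624cf9d86e9|"
          "e2626bc5-228c-4567-9ff0-51bc359c16e6")


def sql_escape_quotes(value: str) -> str:
    """Model of the macro field's SQL-injection handling.

    Assumption: the engine protects the where condition by doubling every
    single quote in the resolved macro value, which is exactly what turns
    the inserted ',' separators into '',''.
    """
    return value.replace("'", "''")


def where_via_macro(alerts: str, handle_sql_injection: bool = True) -> str:
    """Reproduce NodeGUID in ('{% Alerts.Replace("|", "','") %}')."""
    resolved = alerts.replace("|", "','")
    if handle_sql_injection:          # default behaviour of the macro field
        resolved = sql_escape_quotes(resolved)
    return f"NodeGUID IN ('{resolved}')"


def where_via_validation(alerts: str) -> str:
    """Alternative that leaves the protection on: each token must parse as a
    GUID (which can never contain a quote), then the IN list is built from
    the canonical GUID strings rather than from raw macro text."""
    guids = []
    for token in alerts.split("|"):
        try:
            guids.append(str(uuid.UUID(token.strip())))
        except ValueError:
            raise ValueError(f"rejected non-GUID token: {token!r}") from None
    return "NodeGUID IN (" + ", ".join(f"'{g}'" for g in guids) + ")"
```

With the default protection the macro result carries the doubled quotes; disabling it or validating the tokens both yield a well-formed IN list, but only the second keeps the field's escaping in place.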
