Describe the bug
The web console runs every result cell through unescapeHtml() before rendering, and the copy paths reuse the same text. But the server does not HTML-encode values in /exec JSON responses, so any stored value that legitimately contains an entity sequence (&, <, >, ", ', ) is silently altered, both in the grid display and in the copied value.
This affects the legacy grid (src/js/console/grid.js), the new ResultGrid (src/components/ResultGrid/inlineGridUtils.ts), and the markdown copy (src/components/ResultGrid/resultPageMarkdown.ts).
Steps to reproduce
On https://demo.questdb.io (QuestDB 9.4.3, console 2.0.0):
SELECT '&' AS literal_entity, 'a=1&b=2' AS url_query, '<tag>' AS escaped_html;
The grid shows &, a=1&b=2 and <tag> instead of the stored values. Copying a cell copies the altered value too.
The server returns the values unmodified, so the decode has nothing to undo:
$ curl 'https://demo.questdb.io/exec?query=SELECT%20%27%26amp%3B%27%20lit'
{"query":"SELECT '&' lit", ..., "dataset":[["&"]],"count":1}
(Same raw output with version=1 and version=2 request params.)
Where it came from
Realistic hits: URL query strings stored after HTML-escaping upstream, HTML fragments in varchar columns, scraped or event payloads.
If some older server versions do escape entities in query responses (which would explain #525), the unescape would need to be gated on that rather than applied unconditionally.
Happy to submit a PR removing the unconditional unescape (grid.js, inlineGridUtils, resultPageMarkdown, plus their tests) if you can confirm the intended behavior.
Describe the bug
The web console runs every result cell through
unescapeHtml()before rendering, and the copy paths reuse the same text. But the server does not HTML-encode values in/execJSON responses, so any stored value that legitimately contains an entity sequence (&,<,>,",', ) is silently altered, both in the grid display and in the copied value.This affects the legacy grid (
src/js/console/grid.js), the new ResultGrid (src/components/ResultGrid/inlineGridUtils.ts), and the markdown copy (src/components/ResultGrid/resultPageMarkdown.ts).Steps to reproduce
On https://demo.questdb.io (QuestDB 9.4.3, console 2.0.0):
The grid shows
&,a=1&b=2and<tag>instead of the stored values. Copying a cell copies the altered value too.The server returns the values unmodified, so the decode has nothing to undo:
(Same raw output with
version=1andversion=2request params.)Where it came from
innerHTMLtotextContent. As a side effect that also fixed Decode special characters when copying grid cells #320, since the cell copy path now readstextContent.unescapeHtml()on top, on the assumption that the server sends HTML entities. As far as I can tell from/execresponses on 9.4.3 it doesn't, so the unescape only ever fires on user data that happens to look like an entity.Realistic hits: URL query strings stored after HTML-escaping upstream, HTML fragments in varchar columns, scraped or event payloads.
If some older server versions do escape entities in query responses (which would explain #525), the unescape would need to be gated on that rather than applied unconditionally.
Happy to submit a PR removing the unconditional unescape (grid.js, inlineGridUtils, resultPageMarkdown, plus their tests) if you can confirm the intended behavior.