From 31a99604c3ec97feeda38dd3be0467cd45f0f9ad Mon Sep 17 00:00:00 2001
From: dbauszus-glx
Date: Mon, 30 Oct 2023 18:04:26 +0000
Subject: [PATCH] review sqlfilter json as url param encoding
---
 api/api.js | 7 -------
 lib/utils/paramString.mjs | 12 +++++------
 mod/utils/sqlFilter.js | 9 +++------
 3 files changed, 8 insertions(+), 20 deletions(-)
diff --git a/api/api.js b/api/api.js
index 58e24a793..cec0926d6 100644
--- a/api/api.js
+++ b/api/api.js
@@ -111,13 +111,6 @@ module.exports = async (req, res) => {
 req.params.template = req.params._template || req.params.template
- // Decode string params.
- Object.entries(req.params)
- .filter(entry => typeof entry[1] === 'string')
- .forEach(entry => {
- req.params[entry[0]] = decodeURIComponent(entry[1])
- })
-
 // Short circuit login view or post request.
 if (req.params.login || req.body && req.body.login) return login(req, res)
diff --git a/lib/utils/paramString.mjs b/lib/utils/paramString.mjs
index f9466e469..b3e92e067 100644
--- a/lib/utils/paramString.mjs
+++ b/lib/utils/paramString.mjs
@@ -1,6 +1,10 @@
 // Create param string for XHR request.
 export default params => Object.entries(params)
+
+ // Value should be 0 or truthy
 .filter(entry => entry[1] === 0 || !!entry[1])
+
+ // Value must not be empty functional brackets.
 .filter(entry => entry[1] !== '{}')
 // Filter out zero length array and objects with empty object values.
@@ -10,16 +14,10 @@ export default params => Object.entries(params)
 .map(entry => {
- // if (Array.isArray(entry[1])) {
-
- // return entry[1].map(val => `${entry[0]}=${val}`).join('&')
- // }
-
 // Stringify non array objects.
 if (typeof entry[1] === 'object' && !Array.isArray(entry[1])) {
- entry[1] = JSON.stringify(entry[1])
-
+ return `${entry[0]}=${encodeURIComponent(JSON.stringify(entry[1]))}`
 }
 return encodeURI(`${entry[0]}=${entry[1]}`)
diff --git a/mod/utils/sqlFilter.js b/mod/utils/sqlFilter.js
index 9f1d10373..259083e98 100644
--- a/mod/utils/sqlFilter.js
+++ b/mod/utils/sqlFilter.js
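Review bot: The fall-through return at the end of the `.map` callback in lib/utils/paramString.mjs still wraps the whole `key=value` pair in `encodeURI`, which leaves `&`, `=`, `+`, `#` and `?` unescaped, so a string value containing one of those characters is split or truncated when the query string is parsed. The new object branch already encodes its value with `encodeURIComponent`; the scalar and array branch should be built the same way, from `encodeURIComponent(entry[0])`, a literal `=`, and `encodeURIComponent(entry[1])`, and the object branch should encode `entry[0]` as well. Array values would then have their commas percent-encoded, which should decode back to the same string on the server, but that is worth confirming against any handler that splits on `,`. The `.map` callback opens in this hunk and closes outside it.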
@@ -21,7 +21,7 @@ const filterTypes = {
 `(${val
 .split(',')
 .filter((val) => val.length > 0)
- .map((val) => `"${col}" ILIKE \$${addValues(`${val}%`, true)}`)
+ .map((val) => `"${col}" ILIKE \$${addValues(`${val}%`)}`)
 .join(' OR ')})`,
 match: (col, val) => `"${col}"::text ILIKE \$${addValues(val)}`
@@ -29,12 +29,9 @@ const filterTypes = {
 let SQLparams
-function addValues(val, skip) {
+function addValues(val) {
- SQLparams.push(Array.isArray(val)
- && val[0].map(v=>decodeURIComponent(v))
- || skip && val
- || decodeURIComponent(val))
+ SQLparams.push(val)
 return SQLparams.length
 }
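Review bot: Only `val` is bound as a parameter in the rewritten `.map` line of the first sqlFilter.js hunk; `col` is still interpolated into the statement text as a quoted identifier, and nothing in this hunk shows it being checked. If field names can reach `filterTypes` from the request, they should be validated against the layer's known fields, or at minimum rejected when they contain a `"`, before this template is evaluated; that check may already exist outside the hunk. Separately, `%` and `_` inside `val` act as wildcards in the bound ILIKE pattern, so a short comment above the `like` entry should say whether that is intended. The `filterTypes` object starts and ends outside the hunk.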
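Review bot: `addValues` in the second sqlFilter.js hunk no longer unwraps array arguments: the removed expression pushed `val[0]` (mapped through `decodeURIComponent`) when `val` was an array, while the new body pushes `val` itself. Any filter type outside this hunk that passes an array will now bind a differently shaped parameter, so those callers should be checked or covered by a test. Dropping the second `decodeURIComponent` is the right direction, since a value decoded twice may no longer match what was checked upstream and a stray `%` could throw `URIError`. I would add a comment above the function such as `// Values are bound exactly as received; the request layer decodes once, do not decode again here.`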