From 5cfbeb9b97d831ad5195e74b8f29cf264a40e10d Mon Sep 17 00:00:00 2001
From: Michael Polidori
Date: Fri, 1 Oct 2021 18:08:37 -0400
Subject: [PATCH] Fix/apostrophe in filters (#501)

---
 .../javascript/dist/modules/viz-preview.js | 16 ++++++++++++++--
 ckanext/querytool/helpers.py | 5 +++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ckanext/querytool/fanstatic/javascript/dist/modules/viz-preview.js b/ckanext/querytool/fanstatic/javascript/dist/modules/viz-preview.js
index f0c350ad..f904c00f 100644
--- a/ckanext/querytool/fanstatic/javascript/dist/modules/viz-preview.js
+++ b/ckanext/querytool/fanstatic/javascript/dist/modules/viz-preview.js
@@ -1423,7 +1423,19 @@
 r = !0 === this.options.static_reference_columns ? [] : this.options.static_reference_columns,
 o = this.getStaticReferenceColumn(r, i);
 !0 === this.options.category_name || this.options.category_name;
- e && n && (t += ' AND ("' + this.options.filter_name + "\" = '" + this.options.filter_value + "')");
+
+ var tmp_filter_value = n;
+ var tmp_filter_name = e;
+
+ if (tmp_filter_value.includes('\'')) {
+     tmp_filter_value = tmp_filter_value.replaceAll('\'', '\'\'')
+ }
+
+ if (tmp_filter_value.includes('&')) {
+     tmp_filter_value = tmp_filter_value.replaceAll('&', '\\0026')
+ }
+
+ e && n && (t += ' AND ("' + tmp_filter_name + "\" = '" + tmp_filter_value + "')");
 var sql,
 ub = this.options.upper_bounds,
 lb = this.options.lower_bounds;
@@ -1465,7 +1477,7 @@
 d = {};
 s && c && (d = {
     name: s,
-    value: c
+    value: c.replaceAll('&', '\\0026')
 }), t("querytool_get_chart_data", {
     category: n,
     sql_string: e,
diff --git a/ckanext/querytool/helpers.py b/ckanext/querytool/helpers.py
index 6d03c2cc..723ea91e 100644
--- a/ckanext/querytool/helpers.py
+++ b/ckanext/querytool/helpers.py
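Review bot: The apostrophe doubling on the added `tmp_filter_value` lines covers the value but not `tmp_filter_name`, which is still interpolated inside double quotes unescaped, so a column name containing `"` breaks the identifier quoting in the same way `'` broke the literal before this fix; doubling `"` in `tmp_filter_name` as well would close that gap. Both `includes` guards are redundant because `replaceAll` returns the string unchanged when there is no match, and `String.prototype.replaceAll` is ES2021, so if the supported browser set includes anything older this needs `split('\'').join('\'\'')` or a global regex instead. The `&` to `\0026` sentinel, also applied at `value: c.replaceAll('&', '\\0026')` in the second hunk, is undone server-side, so the two encodings must stay in sync; a comment such as `// '&' is restored by helpers.get_resource_data before the query runs` would make that coupling visible. This is a `dist` bundle; if it is built from a source module, the fix needs to land there too or the next build will drop it.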
@@ -508,9 +508,14 @@ def get_resource_data(sql_string):
     if not c.userobj or get_is_admin_or_editor_of_any_group(c.userobj):
         context['ignore_auth'] = True
 
+    # We need to un-escape the "&" replacement or else charts won't render
+    if '\\0026' in sql_string:
+        sql_string = sql_string.replace('\\0026', '&')
+
     response = toolkit.get_action('datastore_search_sql')(
         {}, {'sql': sql_string}
     )
+
     records_to_lower = []
     for record in response['records']:
         records_to_lower.append({k.lower(): v for k, v in record.items()})
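Review bot: The added `sql_string.replace('\\0026', '&')` rewrites every occurrence across the whole SQL text, not just the filter value the client encoded, so any value or identifier that legitimately contains the characters `\0026` is silently altered before the query runs. The sentinel is spelled out independently here and in viz-preview.js with no shared definition, so a change to either side breaks the other; a module-level `FILTER_AMP_SENTINEL = '\\0026'` with a comment naming the client file that emits it would document the contract. The `in` guard is redundant since `str.replace` is already a no-op when the substring is absent, so the block reduces to `sql_string = sql_string.replace('\\0026', '&')`. The quote doubling that motivates this commit happens only in browser code, so this is a rendering fix rather than a server-side control: `sql_string` appears to arrive assembled by the client and is forwarded to `datastore_search_sql` as-is, and that action's own checks remain what bounds the query. `get_resource_data` begins and ends outside the hunk.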