Doesn't look like this has been logged as an issue before, so I'm documenting it here.
In the style of xkcd, I tried plating a specimen with the ID `');console.log('hi');`. Fortunately, this doesn't result in `hi` being printed to the console; unfortunately, it does cause a 500 internal server error:

```
GET https://127.0.0.1:8181/study/1/samples?term=%27);console.log(%27hi%27); 500 (Internal Server Error)
```

Looks like it's the `'` character (which gets converted to `%27`) that's problematic.
I don't imagine this is a common use case, but it might be worth addressing?
Edit: also, if this behavior is expected (i.e. the server throws an error if it detects a wacky specimen ID like ');console.log('hi');) then sorry, and feel free to close this.