Skip to main content

I’m passing a name field into a query string used on a page include, and the page fails to load the name contains the % sign. 

According to skuid documentation on merge syntax, using double-braces should HTML-escape the data in the merge, so using % in the merge field it should spit out &percnt instead or something similar. 

We can work around this by guiding users not to use the % sign in their record naming, but seems like this is a bug that could be fixed. 

Jack,

As far as I can tell, we don’t HTML-escape the % sign, since it doesn’t really bear significance in HTML like the &, <, >, and " characters do (i.e., there’s not a risk of XSS with including this character in a field value and not HTML-escaping it). However, it sounds like you are hitting an issue with loading a page include where the record name contains the % character, right?


I believe I’m seeing the same issue as you, and think this is an issue with of URL-encoding/decoding (not HTML escaping)… specifically, with how Skuid is trying to URL-encode/decode that value. To provide a little more info here, do you mind sharing the query string that you’re using for your Page Include?

Thanks,

Emily


snap={{$Model.SnapInclude.data.0.Snapshot_Name__c}}


which resolves to:

snap=Risk Adjustment % PVD 2019-06-03


and in the console shows up as:
https://c.cs65.visual.force.com/apex/include?snap=Risk%20Adjustment%20%%20PVD%202019-06-03&isinc…

It looks like the URL code for a space is %20 


I can change it to pass a record id and query the model for the record name, but I’m not needing to query the model for any other reason, we just use the text from the name for display on the page include, so it’d be faster to not have to query. 


Jack, have you tried using {{#urlEncode}} function? That function is specifically designed for passing non-URL-safe merge data into URLs, like you’re doing here.

snap={{#urlEncode}}{{$Model.SnapInclude.data.0.Snapshot_Name__c}}{{/urlEncode}}


That works! Thanks so much. 


Reply