[Bug]: Form filter - filtering by items with a quote in the text makes illegal request to QGIS Server (security exception) #2578

Closed
u-cav opened this issue Nov 8, 2021 · 9 comments

Comments

@u-cav

u-cav commented Nov 8, 2021

What is the bug?

When filtering for a value containing the character ', the results counter is correctly updated, but all results disappear from the map. As far as I can tell, QGIS Server refuses the request for security reasons (see attached logs).

I'm not attaching a test project since a Postgis connection is needed, but I have it on hand.

Steps to reproduce the issue

  1. Create a "Filter by form" selecting a column containing one or more rows containing the character ', Unique values, Checkboxes (also happens with Combobox)
  2. Access the filter panel in Lizmap
  3. Select an item without ' character: results are displayed on map
  4. Select an item with ' character: no results are displayed on map

Lizmap version

3.4.6 and 3.5.0

QGIS desktop version

3.16.11

QGIS server version

3.16.12

Operating system

Arch Linux

Browsers

Chrome

Browsers version

Chromium 95.0.4638.69

Relevant log output

lizmap-map    | 2021-11-08 14:28:43,601 WARNING [44]    Qgis: Server: <ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc">
lizmap-map    |  <ServiceException code="Security">The filter string "INSEGNA" IN ( 'ALDI' , 'ALI''' , 'BON MERK' )  has been rejected because of security reasons. Note: Text strings have to be enclosed in single or double quotes. A space between each word / special character is mandatory. Allowed Keywords and special characters are  IS,NOT,NULL,AND,OR,IN,=,&lt;,>=,>,>=,!=,',',(,),DMETAPHONE,SOUNDEX. Not allowed are semicolons in the filter expression.</ServiceException>

@mdouchin
Collaborator

Hi, I cannot reproduce the issue in the last LWC master version with QGIS 3.16.11

Could you please provide a simple QGIS project and LWC configuration (with a PostgreSQL dump of the needed table and of a small subset of data) ?

@u-cav
Author

u-cav commented Nov 19, 2021

I sent you the project and the dump.
The issue seems to happen when there is a quote followed by a space, or if the quote is at the end of the string.
I'm available if you need any additional info.

@mdouchin
Collaborator

mdouchin commented Nov 19, 2021

After some digging, it appears that QGIS Server restricts the possibility to have a simple quote followed by a space.

If the value is for example Œuvres d' art et monuments de l'espace urbain, with a space after the first d', QGIS raises the following exception:

Qgis: Server: <ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc"> lizmapmaster_test_qgis | <ServiceException code="Security">The filter string "label" IN ( 'Œuvres d'' art et monuments de l''espace urbain' ) has been rejected because of security reasons. Note: Text strings have to be enclosed in single or double quotes. A space between each word / special character is mandatory. Allowed Keywords and special characters are IS,NOT,NULL,AND,OR,IN,=,&lt;,>=,>,>=,!=,',',(,),DMETAPHONE,SOUNDEX. Not allowed are semicolons in the filter expression.</ServiceException>

It seems to me there is no way to use the combo quote+space in a filter string in a QGIS Server request at present. This is a QGIS related issue (not really a bug, but a restriction).

As a workaround, you could either:

  • remove all the spaces after a single quote in your data,
  • use the character ’ (see this page) as a replacement for the quote ' in your data. This allows you to have a space after it, like Œuvres d’ art et monuments de l’ espace urbain
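
To make the restriction concrete, here is an added Python example (not Lizmap's or QGIS Server's own code) of the whitelist check described in the exception text, implemented twice: a quote-aware scanner that keeps a quoted literal as one token, and a simplified split-on-space-then-regroup variant, which is an assumption about how a quote-plus-space failure can arise and reproduces the symptom reported in this comment. The whitelist and the two filter strings come from this issue; case-insensitive keyword matching and the numeric-token rule are assumptions.

```python
import re

# Whitelist copied from the ServiceException text quoted in this issue;
# case-insensitive keyword matching and the numeric-token rule are assumptions.
ALLOWED = {"IS", "NOT", "NULL", "AND", "OR", "IN", "=", "<", ">=", ">", "<=",
           "!=", ",", "(", ")", "DMETAPHONE", "SOUNDEX"}

def scan(s):
    """Quote-aware scanner: a quoted literal is one token however many spaces
    or doubled quotes ('') it contains. Returns None on an unterminated quote."""
    tokens, i = [], 0
    while i < len(s):
        if s[i].isspace():
            i += 1
        elif s[i] in "'\"":
            q, j = s[i], s.find(s[i], i + 1)
            while j >= 0 and q == "'" and s[j + 1:j + 2] == "'":
                j = s.find(q, j + 2)        # '' escapes a quote, keep scanning
            if j < 0:
                return None
            tokens.append(s[i:j + 1]); i = j + 1
        else:
            m = re.match(r"[^\s'\"]+", s[i:])   # bare keyword, operator or number
            tokens.append(m.group()); i += m.end()
    return tokens

def split_regroup(s):
    """Space-split, then re-join from a token starting with ' up to the next one
    ending with ' (simplified illustration of a split-on-space approach, not
    QGIS's code): a doubled quote before a space closes the group too early."""
    tokens, group = [], None
    for p in s.split():
        if group is None and p.startswith("'") and not p.endswith("'", 1):
            group = p
        elif group is not None:
            group += " " + p
            if p.endswith("'"):
                tokens.append(group); group = None
        else:
            tokens.append(p)
    return tokens + ([group] if group else [])

def is_safe(s, tokenizer=scan):
    """Allow only quoted strings, numbers and whitelisted keywords; no ';'."""
    tokens = None if ";" in s else tokenizer(s)
    return tokens is not None and all(
        (len(t) >= 2 and t[0] == t[-1] and t[0] in "'\"")
        or t.upper() in ALLOWED or re.fullmatch(r"-?\d+(\.\d+)?", t) is not None
        for t in tokens)
```

Run `is_safe()` on the two filter strings from this issue with each tokenizer: the scanner accepts both, while the regroup variant spills `art et monuments ...` out of the literal as bare words and rejects the second one.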

@mdouchin
Collaborator

Do you want me to create an issue in QGIS Github repository ?

@u-cav
Author

u-cav commented Nov 19, 2021

Got it, thank you! We'll implement a workaround for now.

If you can open the issue you can certainly be more precise than me, otherwise I will open it.

@rldhont
Collaborator

rldhont commented Nov 29, 2021

A try to fix QGIS Server qgis/QGIS#46132

@u-cav
Author

u-cav commented Nov 30, 2021

Thank you @rldhont!

@nboisteault
Member

I can't reproduce in Lizmap 3.7 w/ QGIS 3.28.
Please reopen if issue still occurs.

@u-cav
Author

u-cav commented Nov 30, 2023

Hi @nboisteault, I can confirm that the issue is fixed in Lizmap 3.7. Thanks
