Bug: setAsWho fails when surname contains a single quote

+4 votes
109 views
How to reproduce:

1. Go to any profile. Click any of "add parent/spouse/child"

2. Input "First Name at Birth" = Jacques Bonaventure

3. Input "Last Name at Birth" = L'Italien

4. Enter "Birth Date" = 1718-11-17

The system will suggest a profile (L'Italien-3) but the link [set as father] will not work.

The HTML generated:

<span class="pseudolink" onclick="setAsWho(&quot;L" italien-3");'="">set as father]</span>
in WikiTree Tech by PB Côté G2G4 (4.5k points)
retagged by Jamie Nelson
That looks like the classic SQL gotcha with unescaped single quotes, and I'm amazed that the WikiTree software doesn't catch it. It's a potential security bug.

1 Answer

+2 votes
Thanks for reporting this, PB.
by Jamie Nelson G2G6 Pilot (607k points)
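The failure reported above, reproduced as an added example that is not part of the original posts and is not WikiTree's code. It assumes the page emitted a single-quoted `onclick` attribute around a double-quoted JavaScript string, which is consistent with the markup quoted in the report; every name except `setAsWho` is hypothetical.

```javascript
// Added example. Only setAsWho comes from the report; other names are hypothetical.
const SAMPLE_ID = "L'Italien-3"; // constructed from the reproduction steps

// Escape characters that are significant inside a quoted HTML attribute value.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fragile (assumed server pattern): raw id inside a single-quoted attribute.
function buildLinkFragile(id) {
  return `<span class="pseudolink" onclick='setAsWho("${id}");'>[set as father]</span>`;
}

// Hardened: encode for the JavaScript string context, then for the attribute.
function buildLinkEncoded(id) {
  const js = `setAsWho(${JSON.stringify(id)});`;
  return `<span class="pseudolink" onclick="${escapeHtmlAttr(js)}">[set as father]</span>`;
}

// Simplified model of attribute parsing: read up to the matching quote,
// then decode the entities escapeHtmlAttr produces (&amp; last).
function parsedOnclick(html) {
  const m = /onclick=(["'])(.*?)\1/.exec(html);
  if (!m) return null;
  return m[2].replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Run the handler text against a stub setAsWho and report what it received.
function runHandler(code) {
  let seen = null;
  try {
    new Function("setAsWho", code)((v) => { seen = v; });
  } catch (e) {
    return { error: e.name };
  }
  return { arg: seen };
}

for (const build of [buildLinkFragile, buildLinkEncoded]) {
  const handler = parsedOnclick(build(SAMPLE_ID));
  console.log(build.name, JSON.stringify(handler), runHandler(handler));
}
```

Carrying the id in a `data-` attribute and binding the click with `addEventListener` removes the JavaScript string context entirely, leaving only the attribute escaping to get right.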
