From 5e1512e777ec2fe056f227920b0748808f6a632b Mon Sep 17 00:00:00 2001
From: Levko Kravets <levko.ne@gmail.com>
Date: Thu, 8 Nov 2018 22:54:08 +0200
Subject: [PATCH] Mustache: don't html-escape query parameters values (#3058)

---
 client/app/services/query.js     | 4 +++-
 redash/handlers/embed.py         | 5 ++---
 redash/handlers/query_results.py | 8 ++++----
 redash/tasks/queries.py          | 5 ++---
 redash/utils/__init__.py         | 5 +++++
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/client/app/services/query.js b/client/app/services/query.js
index 9f525caf..eea95a74 100644
--- a/client/app/services/query.js
+++ b/client/app/services/query.js
@@ -3,9 +3,11 @@ import debug from 'debug';
 import Mustache from 'mustache';
 import {
   each, zipObject, isEmpty, map, filter, includes, union, uniq, has,
-  isNull, isUndefined, isArray, isObject,
+  isNull, isUndefined, isArray, isObject, identity,
 } from 'lodash';
 
+Mustache.escape = identity; // do not html-escape values
+
 const logger = debug('redash:services:query');
 
 const DATETIME_FORMATS = {
diff --git a/redash/handlers/embed.py b/redash/handlers/embed.py
index 27421e61..07c8fb7c 100644
--- a/redash/handlers/embed.py
+++ b/redash/handlers/embed.py
@@ -2,7 +2,6 @@ from __future__ import absolute_import
 import logging
 import time
 
-import pystache
 from flask import request
 
 from .authentication import current_org
@@ -14,7 +13,7 @@ from redash.handlers.base import (get_object_or_404, org_scoped_rule,
                                   record_event)
 from redash.handlers.query_results import collect_query_parameters
 from redash.handlers.static import render_index
-from redash.utils import gen_query_hash
+from redash.utils import gen_query_hash, mustache_render
 
 
 #
@@ -30,7 +29,7 @@ def run_query_sync(data_source, parameter_values, query_text, max_age=0):
         raise Exception('Missing parameter value for: {}'.format(", ".join(missing_params)))
 
     if query_parameters:
-        query_text = pystache.render(query_text, parameter_values)
+        query_text = mustache_render(query_text, parameter_values)
 
     if max_age <= 0:
         query_result = None
diff --git a/redash/handlers/query_results.py b/redash/handlers/query_results.py
index 85a95488..40d5fd7f 100644
--- a/redash/handlers/query_results.py
+++ b/redash/handlers/query_results.py
@@ -1,7 +1,6 @@
 import logging
 import time
 
-import pystache
 from flask import make_response, request
 from flask_login import current_user
 from flask_restful import abort
@@ -13,7 +12,8 @@ from redash.utils import (collect_query_parameters,
                           collect_parameters_from_request,
                           gen_query_hash,
                           json_dumps,
-                          utcnow)
+                          utcnow,
+                          mustache_render)
 from redash.tasks.queries import enqueue_query
 
 
@@ -34,7 +34,7 @@ def run_query_sync(data_source, parameter_values, query_text, max_age=0):
         raise Exception('Missing parameter value for: {}'.format(", ".join(missing_params)))
 
     if query_parameters:
-        query_text = pystache.render(query_text, parameter_values)
+        query_text = mustache_render(query_text, parameter_values)
 
     if max_age <= 0:
         query_result = None
@@ -85,7 +85,7 @@ def run_query(data_source, parameter_values, query_text, query_id, max_age=0):
         return error_response(message)
 
     if query_parameters:
-        query_text = pystache.render(query_text, parameter_values)
+        query_text = mustache_render(query_text, parameter_values)
 
     if max_age == 0:
         query_result = None
diff --git a/redash/tasks/queries.py b/redash/tasks/queries.py
index 6ef20726..b9f471fa 100644
--- a/redash/tasks/queries.py
+++ b/redash/tasks/queries.py
@@ -2,7 +2,6 @@ import logging
 import signal
 import time
 
-import pystache
 import redis
 from celery.exceptions import SoftTimeLimitExceeded, TimeLimitExceeded
 from celery.result import AsyncResult
@@ -12,7 +11,7 @@ from six import text_type
 from redash import models, redis_connection, settings, statsd_client
 from redash.query_runner import InterruptException
 from redash.tasks.alerts import check_alerts_for_query
-from redash.utils import gen_query_hash, json_dumps, json_loads, utcnow
+from redash.utils import gen_query_hash, json_dumps, json_loads, utcnow, mustache_render
 from redash.worker import celery
 
 logger = get_task_logger(__name__)
@@ -285,7 +284,7 @@ def refresh_queries():
                 if query.options and len(query.options.get('parameters', [])) > 0:
                     query_params = {p['name']: p.get('value')
                                     for p in query.options['parameters']}
-                    query_text = pystache.render(query.query_text, query_params)
+                    query_text = mustache_render(query.query_text, query_params)
                 else:
                     query_text = query.query_text
 
diff --git a/redash/utils/__init__.py b/redash/utils/__init__.py
index 607c1c91..fdca1680 100644
--- a/redash/utils/__init__.py
+++ b/redash/utils/__init__.py
@@ -98,6 +98,11 @@ def json_dumps(data, *args, **kwargs):
     return simplejson.dumps(data, *args, **kwargs)
 
 
+def mustache_render(template, context=None, **kwargs):
+    renderer = pystache.Renderer(escape=lambda u: u)
+    return renderer.render(template, context, **kwargs)
+
+
 def build_url(request, host, path):
     parts = request.host.split(':')
     if len(parts) > 1: