rusackas opened a new pull request, #40633:
URL: https://github.com/apache/superset/pull/40633

   ### SUMMARY
   
   `ExtraCache.url_param()` escapes values that come from `form_data["url_params"]` using the dialect's literal processor, but values read from the request query string took an **early return that skipped that escaping**. Both sources are interpolated into the rendered SQL, so this routes them through the same escaping path (still honoring `escape_result=False` for callers that opt out). It also means request-args values now consistently participate in the cache key.
   
   ### BEFORE / AFTER
   `url_param('foo')` with `?foo=O'Brien` on a dialect that doubles quotes:
   - **Before:** `O'Brien` (raw, from the request-args early return)
   - **After:** `O''Brien` (escaped, same as the form-data path)
   
   ### TESTING INSTRUCTIONS
   ```bash
   pytest tests/unit_tests/jinja_context_test.py -k url_param
   ```
   Adds `test_url_param_escaped_request_args` and `test_url_param_unescaped_request_args` (12/12 url_param tests pass).
   
   ### ADDITIONAL INFORMATION
   - [ ] Has associated issue: n/a
   - [ ] Changes UI: No
   - [ ] Includes DB Migration: No
   - [ ] Introduces new feature or API: No
   - [ ] Removes existing feature or API: No
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
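
The before/after behaviour from the PR description above, as an added example that is not Superset's code: a simplified stand-in for `url_param()` in which `quote_literal`, the `escape_request_args` switch, the plain-dict inputs and the `people` table are all assumptions made for illustration. It interpolates the page's `O'Brien` value into a query and runs it on in-memory SQLite, showing that the raw early-return value ends the string literal early while the escaped value stays inside it.

```python
import sqlite3


def quote_literal(value: str) -> str:
    """Hypothetical stand-in for a dialect literal processor that doubles quotes."""
    return "'" + value.replace("'", "''") + "'"


def url_param(param, request_args, form_data, *, escape_result=True,
              escape_request_args=True, cache_keys=None, default=None):
    """Simplified model; escape_request_args=False reproduces the early return."""
    value = request_args.get(param)
    if value and not escape_request_args:
        return value  # "before": raw value, skips escaping and the cache key
    if not value:
        value = (form_data.get("url_params") or {}).get(param, default)
    if value and escape_result:
        value = quote_literal(value)[1:-1]  # keep the escaping, drop outer quotes
    if cache_keys is not None:
        cache_keys.append(value)  # "after": request-args values reach the cache key
    return value


def render_and_run(rendered_value: str):
    """Interpolate the value into SQL as a template would, then execute it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")  # constructed sample data
    conn.execute("INSERT INTO people VALUES (?)", ("O'Brien",))
    sql = f"SELECT name FROM people WHERE name = '{rendered_value}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    args = {"foo": "O'Brien"}  # constructed request query string: ?foo=O'Brien
    before = url_param("foo", args, {}, escape_request_args=False)
    after = url_param("foo", args, {})
    print("before:", before, "->", render_and_run(before))
    print("after: ", after, "->", render_and_run(after))
```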

