
Sanitizing input text for "get" queries? #575

@fedarko

Doesn't look like this has been logged as an issue before, so I'm documenting it here.

In the style of xkcd, I tried plating a specimen with the ID ');console.log('hi');. Fortunately, this doesn't result in hi being printed to the console; unfortunately, it does cause a 500 internal server error:

GET https://127.0.0.1:8181/study/1/samples?term=%27);console.log(%27hi%27); 500 (Internal Server Error)

Looks like it's the ' character (which gets converted to %27) that's problematic.

I don't imagine this is a common use case, but it might be worth addressing?

Edit: also, if this behavior is expected (i.e. the server throws an error if it detects a wacky specimen ID like ');console.log('hi');) then sorry, and feel free to close this.
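The failure mode the report describes, a single quote in a search term turning into a server error, is what a string-formatted SQL query produces. The following is an added example, not code from this project or this reporter: a hypothetical samples search implemented two ways against a constructed in-memory SQLite table, with the unsafe variant spliced together by string concatenation and the safe variant parameterized (and LIKE wildcards escaped so user input matches literally). The table, column and sample IDs are all made up for the example; whether the real endpoint's 500 has this exact cause is not stated in the issue.

```python
"""Added example: string-formatted vs parameterized search query.

Not the project's code. The schema and sample IDs below are constructed
for the example; the search term is the one from the issue report.
"""
import sqlite3

SEARCH_TERM = "');console.log('hi');"  # the specimen ID from the issue


def _connect():
    # Constructed in-memory sample data; not the project's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE samples (id INTEGER PRIMARY KEY, sample_id TEXT)")
    conn.executemany(
        "INSERT INTO samples (sample_id) VALUES (?)",
        [("sample-001",), ("');console.log('hi');",), ("sample-002",)],
    )
    return conn


def search_unsafe(conn, term):
    """String-formatted query: a stray quote in `term` changes the SQL text.

    With the term from the issue the statement no longer parses and the
    driver raises; an unguarded web handler would surface that as a 500.
    """
    sql = "SELECT sample_id FROM samples WHERE sample_id LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized query: `term` is passed as data, never as SQL text, so
    quotes, semicolons and parentheses in it are harmless.

    LIKE metacharacters (% and _) in the user input are escaped so they
    match literally instead of acting as wildcards.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT sample_id FROM samples WHERE sample_id LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def demo(term=SEARCH_TERM):
    """Run both variants for `term` and report what each one did."""
    conn = _connect()
    try:
        unsafe = search_unsafe(conn, term)
        unsafe_error = None
    except sqlite3.Error as exc:  # syntax error from the broken SQL text
        unsafe = None
        unsafe_error = str(exc)
    safe = search_safe(conn, term)
    return {"unsafe": unsafe, "unsafe_error": unsafe_error, "safe": safe}


if __name__ == "__main__":
    print(demo())
    print(demo("sample"))
```

For an ordinary term such as `sample` both variants return the same two rows; for the term from the issue the unsafe variant raises while the safe one returns the one row whose ID really is `');console.log('hi');`. Escaping the input does not replace the parameterized query: the escaping only governs LIKE wildcards, while the `?` placeholder is what keeps the quote from being interpreted as SQL.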
