valuepairs option of UpdateListItems expects all values to be Strings

Nov 22, 2011 at 10:44 PM

Operation: UpdateListItems

Version: 0.6.2

Looks like SPServices throws a javascript exception if you attempt to use the 'valuepairs' option with values defined that are not strings (ex. an integer).  The example below shows the problem. Column "Order0" is being updated with a value of 4, but defined in the array as javascript integer. If I change the 4 to "4", then it works fine.

The exception is thrown by function escapeColumnValue() which assumes that the input parameter is always a string.  It fails when it attempts to use the .replace method of the String() object.  (note: this vulnerability seems to exist for a few functions at the end of the library.

Here is an example of an input that causes the problem:

    operation: "UpdateListItems",
    async:		false,
    listName:	"Reports",
    batchCmd:   "Update",
    ID:	      7,
    valuepairs: [
         ["Title", "Documents by Type"],
         ["Order0", 4]
   completefunc: function(xData, status){



Possible Fix:

Inure that the input parameter is always a string.

function escapeColumnValue(s) {
    return new String(s).replace(/&(?![a-zA-Z]{1,8};)/g, "&");


Paul T.




Nov 23, 2011 at 1:13 AM

Thanks for the report. I knew about this one and have fixed it in the upcoming release:

Nov 23, 2011 at 4:08 PM

Thanks Marc.