The Mysterious Case of the Query That Never Ran

Published: (December 13, 2025 at 04:54 AM EST)
Source: Dev.to

Background

Over the past weekend I encountered a weird bug while refactoring code for my personal website. I am a casual runner and I have a page with all my run records. The data for it are stored in a Neon database and I am reading them through my own custom nuxt‑neon module.

I was updating the code to reflect the latest changes in my module, specifically changing the filtering by date (year and/or month). Originally I used a literal string WHERE condition:

r.date BETWEEN '${fromDate}' AND '${toDate}'

I wanted to test a new object‑based syntax:

where.push({
  column: 'r.date',
  condition: '>=',
  value: fromDate,
});
where.push({
  column: 'r.date',
  condition: '<=',
  value: toDate,
});

I wondered if the literal characters were being stripped or escaped somewhere.

After a day of dead‑ends, I asked Copilot for help. It suggested reproducing the request with curl to bypass any frontend noise. Doing so revealed the real culprit.

Root Cause: Nuxt Security’s XSS Protection

The request was being rejected by the Nuxt Security module due to its XSS attack protection. The offending code lived in:

...\node_modules\.pnpm\nuxt-security@2.4.0_magicast@0.3.5_rollup@4.52.5\
node_modules\nuxt-security\dist\runtime\server\middleware\xssValidator.js:38:18

Nuxt Security treats the < and > characters as potentially malicious script injection; the request was swallowed and surfaced only as the cryptic 500 error.

Mitigation

To work around the issue I added an internal mapping that translates angle brackets to textual abbreviations on the client side and converts them back when constructing the actual SQL query on the server. For user convenience I kept the original symbols available, exposing GT and LT as alternatives.
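As an added example (not code from the nuxt-neon module or this post), here is the workaround above as it could be implemented: text tokens such as GT and LT replace the symbols on the client, and the server decodes them against a strict allowlist and emits a parameterised WHERE clause, which also keeps the date values out of the SQL text, unlike the original '${fromDate}' interpolation. The extra tokens (EQ, NE, GTE, LTE), the column-name check and the Postgres $n placeholders are my assumptions.

```javascript
// Comparison operators the API accepts, keyed by the text token sent over the
// wire. Only these six are ever decoded; any other token is rejected.
const OPERATORS = Object.freeze({
  EQ: '=', NE: '<>', GT: '>', GTE: '>=', LT: '<', LTE: '<=',
});
// Reverse map so callers may still write the raw symbol for convenience.
const SYMBOL_TO_TOKEN = Object.freeze(
  Object.fromEntries(Object.entries(OPERATORS).map(([tok, sym]) => [sym, tok])),
);
// Own-property lookup, so keys like 'toString' cannot sneak through the allowlist.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Client side: replace '<'/'>' style operators with their tokens so the JSON
// body contains no angle brackets for the XSS validator to object to.
function encodeCondition({ column, condition, value }) {
  const token = has(SYMBOL_TO_TOKEN, condition) ? SYMBOL_TO_TOKEN[condition] : condition;
  if (!has(OPERATORS, token)) throw new Error(`unsupported operator: ${condition}`);
  return { column, condition: token, value };
}

// Server side: decode tokens against the allowlist and build a parameterised
// WHERE clause (Postgres $n placeholders); values never enter the SQL text.
const IDENT = /^[a-z_][a-z0-9_]*(\.[a-z_][a-z0-9_]*)?$/i;
function buildWhere(conditions) {
  const clauses = [];
  const params = [];
  for (const { column, condition, value } of conditions) {
    if (typeof column !== 'string' || !IDENT.test(column)) {
      throw new Error(`invalid column: ${column}`);
    }
    if (!has(OPERATORS, condition)) throw new Error(`unknown operator token: ${condition}`);
    params.push(value);
    clauses.push(`${column} ${OPERATORS[condition]} $${params.length}`);
  }
  return { sql: clauses.length ? `WHERE ${clauses.join(' AND ')}` : '', params };
}

// Constructed sample input: the run-log date filter from the post, written with
// raw symbols on the client and reconstructed on the server.
const where = [
  { column: 'r.date', condition: '>=', value: '2025-01-01' },
  { column: 'r.date', condition: '<=', value: '2025-01-31' },
].map(encodeCondition);
const query = buildWhere(where);
// query.sql is 'WHERE r.date >= $1 AND r.date <= $2'; query.params holds the two dates
```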

Lessons Learned

1. Don’t be shy to ask AI for help

Even if you don’t know the exact question, describing the situation (“Why do I have this error?”) can lead to useful clues.

2. Isolate the problem

When the backend seems unresponsive, call the endpoint directly (e.g., with curl) to eliminate interference from the frontend stack.

3. Account for third‑party software

Issues may stem from libraries or middleware you didn’t write. In this case, Nuxt Security’s XSS validator was the hidden blocker.

Closing Thoughts

I’ve been developing software for over two decades and still run into trivial, frustrating bugs. Sharing these experiences helps remind us that even senior developers get stuck, and that systematic debugging—plus a little AI assistance—can get us back on track.

Thank you for reading; I hope this helps someone facing a similar issue in the future.
