scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-03-04 19:53:19 +08:00
Code Issues Projects Releases Packages Wiki Activity

Fix escaping in global search [SCI-11329]

Browse source
This commit is contained in:
Martin Artnik 2025-01-15 10:36:46 +01:00
parent f00420198b
commit 5d69699aa7
2 changed files with 4 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
app/models/concerns/searchable_by_name_model.rb
View file

@ -40,12 +40,11 @@ module SearchableByNameModel
def self.search_by_search_fields_with_boolean(user, teams = [], query = nil, search_fields = [], options = {})
return if user.blank? || teams.blank?
sanitized_query = ActiveRecord::Base.sanitize_sql_like(query.to_s)
sql_q = if options[:fetch_latest_versions]
viewable_by_user(user, teams, options)
.where_attributes_like_boolean(search_fields, sanitized_query, options)
.where_attributes_like_boolean(search_fields, query, options)
else
viewable_by_user(user, teams).where_attributes_like_boolean(search_fields, sanitized_query, options)
viewable_by_user(user, teams).where_attributes_like_boolean(search_fields, query, options)
end
sql_q.limit(options[:limit] || Constants::SEARCH_LIMIT)

5
app/models/concerns/searchable_model.rb
View file

@ -174,7 +174,6 @@ module SearchableModel
end
def self.create_query_clause(attrs, index, negate, query_clauses, value_hash, phrase, current_operator)
phrase = sanitize_sql_like(phrase)
exact_match = phrase =~ /^".*"$/
like = exact_match ? '~' : 'ILIKE'
@ -205,9 +204,9 @@ module SearchableModel
if DATA_VECTOR_ATTRIBUTES.include?(attribute)
new_phrase = Regexp.escape(new_phrase.gsub(/[!()&|:<]/, ' ').strip).split(/\s+/)
new_phrase.map! { |t| "#{t}:*" } unless exact_match
new_phrase = new_phrase.join('&').tr('\'', '"')
new_phrase = sanitize_sql_like(new_phrase.join('&').tr('\'', '"'))
else
new_phrase = Regexp.escape(new_phrase)
new_phrase = sanitize_sql_like(Regexp.escape(new_phrase))
new_phrase = exact_match ? "(^|\\s)#{new_phrase}(\\s|$)" : "%#{new_phrase}%"
end