Properly escape search queries for links, lists and tags (#163)

2025-04-21 07:22:20 +02:00 · 2020-10-21 11:29:02 +02:00 · 2020-10-21 11:29:02 +02:00 · 1a9312b7e1
commit 1a9312b7e1
parent a65ea1a259
3 changed files with 18 additions and 3 deletions
--- a/app/Helper/functions.php
+++ b/app/Helper/functions.php
@ -213,3 +213,18 @@ function getVersionFromPackage(): ?string

    return isset($package->version) ? 'v' . $package->version : null;
 }
+
+/**
+ * Properly escape symbols used in search queries.
+ *
+ * @param string $query
+ * @return string
+ */
+function escapeSearchQuery(string $query): string
+{
+    return str_replace(
+        ['\\', '%', '_', '*'],
+        ['\\\\', '\\%', '\\_', '\\*'],
+        $query
+    );
+}
--- a/app/Http/Controllers/FetchController.php
+++ b/app/Http/Controllers/FetchController.php
@ -28,7 +28,7 @@ class FetchController extends Controller
        }

        $tags = Tag::byUser(auth()->user()->id)
-            ->where('name', 'like', '%' . $query . '%')
+            ->where('name', 'like', '%' . escapeSearchQuery($query) . '%')
            ->orderBy('name', 'asc')
            ->get();

@ -60,7 +60,7 @@ class FetchController extends Controller
        }

        $tags = LinkList::byUser(auth()->user()->id)
-            ->where('name', 'like', '%' . $query . '%')
+            ->where('name', 'like', '%' . escapeSearchQuery($query) . '%')
            ->orderBy('name', 'asc')
            ->get();

--- a/app/Http/Controllers/Traits/SearchesLinks.php
+++ b/app/Http/Controllers/Traits/SearchesLinks.php
@ -41,7 +41,7 @@ trait SearchesLinks

        // Search for the URL
        if ($this->searchQuery = $request->input('query', false)) {
-            $query = '%' . $this->searchQuery . '%';
+            $query = '%' . escapeSearchQuery($this->searchQuery) . '%';
            $search->where('url', 'like', $query);

            // Also search for the title if applicable