paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-31 20:13:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

pgroonga: Fix issues with HTML escaping in queries.

Browse Source
This commit is contained in:
Sampriti Panda
2018-05-19 09:09:13 +05:30
committed by Tim Abbott
parent 0bc272fc86
commit 250015a5d5
4 changed files with 68 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
zerver/views/messages.py
View File

@@ -359,12 +359,13 @@ class NarrowBuilder:
maybe_negate: ConditionTransform) -> Query:
match_positions_character = func.pgroonga.match_positions_character
query_extract_keywords = func.pgroonga.query_extract_keywords
keywords = query_extract_keywords(operand)
operand_escaped = func.escape_html(operand)
keywords = query_extract_keywords(operand_escaped)
query = query.column(match_positions_character(column("rendered_content"),
keywords).label("content_matches"))
query = query.column(match_positions_character(column("subject"),
query = query.column(match_positions_character(func.escape_html(column("subject")),
keywords).label("subject_matches"))
condition = column("search_pgroonga").op("@@")(operand)
condition = column("search_pgroonga").op("@@")(operand_escaped)
return query.where(maybe_negate(condition))
def _by_search_tsearch(self, query: Query, operand: str,