Unverified Commit 06236b49 authored by Ahmad Farhat's avatar Ahmad Farhat Committed by GitHub
Browse files

Sanitize search for users and rooms (#1784)

parent cf794db5
......@@ -40,8 +40,7 @@ class Room < ApplicationRecord
search_query = "rooms.name LIKE :search OR rooms.uid LIKE :search OR users.email LIKE :search" \
" OR users.#{created_at_query} LIKE :search"
search_param = "%#{string}%"
search_param = "%#{sanitize_sql_like(string)}%"
where(search_query, search: search_param)
end
......
......@@ -85,7 +85,7 @@ class User < ApplicationRecord
search_query = "users.name LIKE :search OR email LIKE :search OR username LIKE :search" \
" OR users.#{created_at_query} LIKE :search OR users.provider LIKE :search" \
" OR roles.name LIKE :roles_search"
role_search_param = "%#{string}%"
role_search_param = "%#{sanitize_sql_like(string)}%"
else
search_query = "(users.name LIKE :search OR email LIKE :search OR username LIKE :search" \
" OR users.#{created_at_query} LIKE :search OR users.provider LIKE :search)" \
......@@ -93,7 +93,7 @@ class User < ApplicationRecord
role_search_param = role.name
end
search_param = "%#{string}%"
search_param = "%#{sanitize_sql_like(string)}%"
where(search_query, search: search_param, roles_search: role_search_param)
end
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment