Merge pull request #12969 from surajshetty3416/fix-sqli-report-get

2021-05-12 12:57:17 +05:30 · 2021-05-12 12:57:17 +05:30 · 0f94407e6d
commit 0f94407e6d
parent 0d0cb8b877 d8e91cae32
1 changed files with 2 additions and 0 deletions
--- a/frappe/utils/data.py
+++ b/frappe/utils/data.py
@ -1278,7 +1278,9 @@ def make_filter_dict(filters):

 def sanitize_column(column_name):
 	from frappe import _
+	import sqlparse
 	regex = re.compile("^.*[,'();].*")
+	column_name = sqlparse.format(column_name, strip_comments=True, keyword_case="lower")
 	blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case', 'and', 'or']

 	def _raise_exception():