From 10e939d0126cde262f58b705e8692acd70792f6f Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Mon, 30 Mar 2020 10:46:00 +0530
Subject: [PATCH] chore: update global_search and add test
Signed-off-by: Chinmay D. Pai
---
 frappe/tests/test_global_search.py | 3 +++
 frappe/utils/global_search.py | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/frappe/tests/test_global_search.py b/frappe/tests/test_global_search.py
index 01067c85dd..5c3a2df4db 100644
--- a/frappe/tests/test_global_search.py
+++ b/frappe/tests/test_global_search.py
@@ -191,3 +191,6 @@ class TestGlobalSearch(unittest.TestCase):
 frappe.db.commit()
 results = global_search.web_search('unsubscribe')
 self.assertTrue('Unsubscribe' in results[0].content)
+ results = global_search.web_search(text='manufacturing',
+ scope="manufacturing\" UNION ALL SELECT 1,2,3,4,doctype from __global_search")
+ self.assetTrue(results == [])
diff --git a/frappe/utils/global_search.py b/frappe/utils/global_search.py
index a5fcca8bb8..3c4b9583f8 100644
--- a/frappe/utils/global_search.py
+++ b/frappe/utils/global_search.py
@@ -501,7 +501,7 @@ def web_search(text, scope=None, start=0, limit=20):
 WHERE {conditions}
 LIMIT %(limit)s OFFSET %(start)s'''
- scope_condition = '`route` like "%(scope)s" AND ' if scope else ''
+ scope_condition = '`route` like %(scope)s AND ' if scope else ''
 published_condition = '`published` = 1 AND '
 mariadb_conditions = postgres_conditions = ' '.join([published_condition, scope_condition])
@@ -514,7 +514,7 @@ def web_search(text, scope=None, start=0, limit=20):
 "scope": "".join([scope, "%"]) if scope else '',
 "limit": limit,
 "start": start,
- "text": frappe.db.escape(text)
+ "text": text
 }
 result = frappe.db.multisql({
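Review bot: `self.assetTrue(results == [])` on the last added line misspells the TestCase method, so the new test dies with AttributeError instead of ever reaching the assertion, which means the regression check for the scope binding never actually runs. It should read `self.assertEqual(results, [])`, which also reports the offending rows on failure. Since the point of the two lines above it is that a quote inside `scope` must not alter the generated SQL, a one-line comment stating that intent would help, `# scope is bound as a query parameter; a quote in it must not change the SQL`. The enclosing test method begins before this hunk.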
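Review bot: Binding `%(scope)s` as a parameter stops a quote in `scope` from breaking out of the string, but the value is still used as a LIKE pattern (the `%` suffix is appended in the parameter dict in the next hunk), so `%` and `_` inside `scope` are interpreted as wildcards and widen the route match beyond the intended prefix. If scope is meant to be a literal prefix, escape those two characters before the trailing `%` is appended, e.g. `scope.replace("%", r"\%").replace("_", r"\_")`, and note the reason in a comment above the assignment, `# scope is a bound LIKE pattern; % and _ are wildcards unless escaped`. web_search starts and ends outside this hunk.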
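Review bot: Replacing `frappe.db.escape(text)` with the raw `text` is correct only if the `%(text)s` placeholder in the query built above this hunk is handed to the driver as a bound parameter, because pre-escaping a value that the driver escapes again presumably corrupts the search term; the placeholder is outside the hunk, so that cannot be confirmed from here. A short comment on the changed line would record the contract for the next maintainer, `# text is bound by the driver via %(text)s; do not pre-escape it`. web_search's body continues outside the hunk.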