Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/account.rb | 10 | ||||
-rw-r--r-- | app/models/tag.rb | 5 |
2 files changed, 9 insertions, 6 deletions
diff --git a/app/models/account.rb b/app/models/account.rb index c0cd2ff64..6968607a2 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -222,8 +222,9 @@ SQL end def search_for(terms, limit = 10) + terms = Arel.sql(connection.quote(terms.gsub(/['?\\:]/, ' '))) textsearch = '(setweight(to_tsvector(\'simple\', accounts.display_name), \'A\') || setweight(to_tsvector(\'simple\', accounts.username), \'B\') || setweight(to_tsvector(\'simple\', coalesce(accounts.domain, \'\')), \'C\'))' - query = 'to_tsquery(\'simple\', \'\'\' \' || ? || \' \'\'\' || \':*\')' + query = 'to_tsquery(\'simple\', \'\'\' \' || ' + terms + ' || \' \'\'\' || \':*\')' sql = <<SQL SELECT @@ -235,12 +236,13 @@ SQL LIMIT ? SQL - Account.find_by_sql([sql, terms, terms, limit]) + Account.find_by_sql([sql, limit]) end def advanced_search_for(terms, account, limit = 10) + terms = Arel.sql(connection.quote(terms.gsub(/['?\\:]/, ' '))) textsearch = '(setweight(to_tsvector(\'simple\', accounts.display_name), \'A\') || setweight(to_tsvector(\'simple\', accounts.username), \'B\') || setweight(to_tsvector(\'simple\', coalesce(accounts.domain, \'\')), \'C\'))' - query = 'to_tsquery(\'simple\', \'\'\' \' || ? || \' \'\'\' || \':*\')' + query = 'to_tsquery(\'simple\', \'\'\' \' || ' + terms + ' || \' \'\'\' || \':*\')' sql = <<SQL SELECT @@ -254,7 +256,7 @@ SQL LIMIT ? SQL - Account.find_by_sql([sql, terms, account.id, account.id, terms, limit]) + Account.find_by_sql([sql, account.id, account.id, limit]) end def following_map(target_account_ids, account_id) diff --git a/app/models/tag.rb b/app/models/tag.rb index e2ad8e4db..15625ca43 100644 --- a/app/models/tag.rb +++ b/app/models/tag.rb 
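Review bot: The added `terms = Arel.sql(connection.quote(terms.gsub(/['?\\:]/, ' ')))` line in `search_for` moves the search term out of a bound `?` parameter and into the SQL text, so injection safety now rests entirely on `connection.quote` plus this character strip, and nothing in the hunk records that. The identical line is repeated in `advanced_search_for` and in `Tag.search_for` in app/models/tag.rb; one shared private helper would keep the stripped character set from drifting between the three. I would put a comment above it such as `# Interpolated into the SQL text below: must stay wrapped in connection.quote; the gsub drops characters that presumably matter to to_tsquery or to find_by_sql's ? binds`. `terms.gsub` also raises on a nil term where the old bind would not have, so `terms.to_s.gsub(...)` may be worth it if callers can pass nil, which is not visible here. The method bodies continue outside the hunks.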
@@ -13,8 +13,9 @@ class Tag < ApplicationRecord class << self def search_for(terms, limit = 5) + terms = Arel.sql(connection.quote(terms.gsub(/['?\\:]/, ' '))) textsearch = 'to_tsvector(\'simple\', tags.name)' - query = 'to_tsquery(\'simple\', \'\'\' \' || ? || \' \'\'\' || \':*\')' + query = 'to_tsquery(\'simple\', \'\'\' \' || ' + terms + ' || \' \'\'\' || \':*\')' sql = <<SQL SELECT @@ -26,7 +27,7 @@ class Tag < ApplicationRecord LIMIT ? SQL - Tag.find_by_sql([sql, terms, terms, limit]) + Tag.find_by_sql([sql, limit]) end end end |