[MGNLUI-2581] Search queries not escaped in SearchJcrContainer Created: 14/Jan/14  Updated: 09/Mar/21  Resolved: 09/Mar/21

Status: Closed
Project: Magnolia UI
Component/s: workbench
Affects Version/s: 5.2
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Michal Čudrnák Assignee: Unassigned
Resolution: Obsolete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

 Description   

Search for something containing a ' in a list view generates an exception as user data input isn't escaped.

Log output:

2014-01-14 16:33:18,729 WARN gnolia.ui.workbench.container.AbstractJcrContainer: Could not update size with statement: select * from [nt:base] as t where ( ISDESCENDANTNODE('/articles') and ([jcr:primaryType] = 'mgnl:page') and (lower(localname()) LIKE 'sadf asd'%' or t.['sadf asd''] IS NOT NULL or contains(t.*, 'sadf asd')) ): javax.jcr.query.InvalidQueryException: Query:
select * from [nt:base] as t where ( ISDESCENDANTNODE('/articles') and ([jcr:primaryType] = 'mgnl:page') and (lower(localname()) LIKE 'sadf asd'%' or t.['sadf asd''] IS NOT NULL or contains(t.*, 'sadf asd')) ); expected: )


Generated at Mon Feb 12 08:58:06 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.