etianen / django-watson

Full-text multi-table search application for Django. Easy to install and use, with good performance.
BSD 3-Clause "New" or "Revised" License

Small update for query escaping, stripping ampersand #162

Closed amureki closed 8 years ago

amureki commented 8 years ago

According to the conversation in https://github.com/etianen/django-watson/pull/161, I just added ampersand symbol stripping.

etianen commented 8 years ago

I'd be tempted to just add '&' to the list of removed characters, and perform a .strip() on the final result. Since & seems to have meaning to postgres queries, removing it entirely is probably safer. Otherwise, what if there's two in a row, or other such silliness?
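The approach suggested above (drop `&` together with the other special characters, then `.strip()` the result), written out as an added example; this is not django-watson's own `escape_query`, and the set of characters in `RE_POSTGRES_ESCAPE_CHARS` as well as the `to_tsquery_terms` helper are assumptions made for illustration:

```python
import re

# Assumed character set: everything that carries meaning in a Postgres tsquery
# (operators, grouping, prefix matching, quoting) or that could break its
# syntax. '&' is included, as suggested in the review.
RE_POSTGRES_ESCAPE_CHARS = re.compile(r"[&|!():*'\"<>\\]")


def escape_query(text: str) -> str:
    """Return a cleaned copy of ``text`` containing only plain search words.

    Each special character is replaced by a space (so 'foo&bar' becomes two
    words instead of one), runs of whitespace are collapsed, and the result is
    stripped. Stripping is what handles the "two in a row" case: an input such
    as 'foo &&' would otherwise leave trailing spaces or, worse, an empty
    operand next to an operator once the words are joined.
    """
    text = RE_POSTGRES_ESCAPE_CHARS.sub(" ", text)
    text = re.sub(r"\s+", " ", text)
    return text.strip()


def to_tsquery_terms(text: str) -> str:
    """Join the cleaned words with ' & ' (AND) for to_tsquery().

    Hypothetical caller-side helper. The returned string is still passed to
    the database as a bound query parameter; escaping here protects the
    tsquery syntax, it is not a substitute for parameterisation.
    """
    words = escape_query(text).split()
    return " & ".join(words)  # '' when nothing searchable remains
```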

amureki commented 8 years ago

@etianen I guess, you're right. Updated commit. :)

etianen commented 8 years ago

Thanks! This stuff is tricky to get right, as it runs the risk of allowing potential SQL injection!