Sanitize search for users and rooms (#1784)

2020-06-11 12:39:18 -04:00
parent cf794db595
commit 06236b49f7
2 changed files with 3 additions and 4 deletions
--- a/app/models/room.rb
+++ b/app/models/room.rb
@ -40,8 +40,7 @@ class Room < ApplicationRecord
    search_query = "rooms.name LIKE :search OR rooms.uid LIKE :search OR users.email LIKE :search" \
    " OR users.#{created_at_query} LIKE :search"

-    search_param = "%#{string}%"
-
+    search_param = "%#{sanitize_sql_like(string)}%"
    where(search_query, search: search_param)
  end