Sanitize search for users and rooms (#1784)

app/models/room.rb

@@ -40,8 +40,7 @@ class Room < ApplicationRecord
     search_query = "rooms.name LIKE :search OR rooms.uid LIKE :search OR users.email LIKE :search" \
     " OR users.#{created_at_query} LIKE :search"
 
-    search_param = "%#{string}%"
-
+    search_param = "%#{sanitize_sql_like(string)}%"
     where(search_query, search: search_param)
   end
 

app/models/user.rb

@@ -85,7 +85,7 @@ class User < ApplicationRecord
       search_query = "users.name LIKE :search OR email LIKE :search OR username LIKE :search" \
                     " OR users.#{created_at_query} LIKE :search OR users.provider LIKE :search" \
                     " OR roles.name LIKE :roles_search"
-      role_search_param = "%#{string}%"
+      role_search_param = "%#{sanitize_sql_like(string)}%"
     else
       search_query = "(users.name LIKE :search OR email LIKE :search OR username LIKE :search" \
                     " OR users.#{created_at_query} LIKE :search OR users.provider LIKE :search)" \
@@ -93,7 +93,7 @@ class User < ApplicationRecord
       role_search_param = role.name
     end
 
-    search_param = "%#{string}%"
+    search_param = "%#{sanitize_sql_like(string)}%"
     where(search_query, search: search_param, roles_search: role_search_param)
   end