Use sanitize_sql_like in like scopes (#35073).

Patch Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@21231 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Marius Balteanu <marius.balteanu@zitec.com> 2021-10-03 19:44:39 +0000
committer: Marius Balteanu <marius.balteanu@zitec.com> 2021-10-03 19:44:39 +0000
commit: 05e9d7883b6bf6dc556196a75b6ab8e389d834e2 (patch)
tree: 4faf6589808c4a580a5f5d0223d6142b8e32c461 /test/unit/principal_test.rb
parent: 65f31d52cdd612407200f6af9045fa682345fab8 (diff)
download: redmine-05e9d7883b6bf6dc556196a75b6ab8e389d834e2.tar.gz
redmine-05e9d7883b6bf6dc556196a75b6ab8e389d834e2.zip
1 files changed, 16 insertions, 0 deletions
diff --git a/test/unit/principal_test.rb b/test/unit/principal_test.rb
index f9953620d..ee6d3179c 100644
--- a/test/unit/principal_test.rb
+++ b/test/unit/principal_test.rb
@@ -147,4 +147,20 @@ class PrincipalTest < ActiveSupport::TestCase
     assert_equal 1, results.count
     assert_equal user, results.first
   end
+
+  def test_like_scope_should_escape_query
+    user = User.generate!(:firstname => 'Leonardo', :lastname => 'da Vinci')
+    r = Principal.like('Vi_ci')
+    assert_not_include user, r
+    r = Principal.like('Vi%ci')
+    assert_not_include user, r
+
+    user.update_column :lastname, 'da Vi%ci'
+    r = Principal.like('vi%ci')
+    assert_include user, r
+
+    user.update_column :lastname, 'da Vi_ci'
+    r = Principal.like('vi_ci')
+    assert_include user, r
+  end
 end
author	Marius Balteanu <marius.balteanu@zitec.com>	2021-10-03 19:44:39 +0000
committer	Marius Balteanu <marius.balteanu@zitec.com>	2021-10-03 19:44:39 +0000
commit	05e9d7883b6bf6dc556196a75b6ab8e389d834e2 (patch)
tree	4faf6589808c4a580a5f5d0223d6142b8e32c461 /test/unit/principal_test.rb
parent	65f31d52cdd612407200f6af9045fa682345fab8 (diff)
download	redmine-05e9d7883b6bf6dc556196a75b6ab8e389d834e2.tar.gz redmine-05e9d7883b6bf6dc556196a75b6ab8e389d834e2.zip