From 0ec96f52f3be5ef0b687c90a06f28921a105da3a Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sun, 3 Oct 2021 19:45:20 +0000
Subject: Use sanitize_sql_like in Query#sql_contains (#35073).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Jens Krämer.

git-svn-id: http://svn.redmine.org/redmine/trunk@21232 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/query.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'app')

diff --git a/app/models/query.rb b/app/models/query.rb
index c49e4f4d1..b1a98b77d 100644
--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -1441,6 +1441,7 @@ class Query < ActiveRecord::Base
 prefix = '%' if options[:ends_with]
 suffix = '%' if options[:starts_with]
 prefix = suffix = '%' if prefix.nil? && suffix.nil?
+ value = queried_class.sanitize_sql_like value
 queried_class.send(
 :sanitize_sql_for_conditions,
 [Redmine::Database.like(db_field, '?', :match => options[:match]), "#{prefix}#{value}#{suffix}"])
-- 
cgit v1.2.3
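Review bot: The added `sanitize_sql_like` call escapes `%`, `_` and `\` with a `\` prefix, which only neutralises wildcards if the LIKE emitted by `Redmine::Database.like` on the following lines treats `\` as its escape character on every supported adapter (SQLite, for example, recognises no escape character unless an explicit `ESCAPE` clause is present) — worth confirming, or adding a test that filters on a value containing a literal `%` or `_`. `sanitize_sql_like` also calls `gsub` on its argument, so a `nil` value that the string interpolation used to tolerate would now raise `NoMethodError`; if any caller can pass `nil`, guard it, e.g. `value = queried_class.sanitize_sql_like(value.to_s)`. Style-wise the call reads more clearly with parentheses, `value = queried_class.sanitize_sql_like(value)`. The enclosing `sql_contains` method starts before and ends after the hunk.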