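 /**
  * Normalises a user-supplied search string before it is sent to the Solr backend.
  *
  * Two transformations are applied, in this order:
  *  1. a run of digits immediately followed by letters is split with a space
  *     (non-indexed number-string phrase workaround, RT #24790);
  *  2. HTML entities are decoded (ENT_COMPAT, UTF-8) and the Lucene query
  *     meta characters + - && || ! ( ) { } [ ] ^ " ~ * ? : \ are escaped
  *     through Solarium's query helper (RT #25482).
  *
  * Step 2 decodes entities rather than encoding them: the returned string may
  * contain raw characters such as < and > and is prepared for the Lucene query
  * parser, not for HTML output. A caller that echoes it must still escape it
  * for the output context. Any further query string transformations that
  * should happen before the backend call belong here.
  *
  * @see    WikiaSearchTest::testSanitizeQuery
  * @param  string $query raw query string as received from the user
  * @return string        query string with Lucene meta characters escaped
  */
 public static function sanitizeQuery($query)
 {
     wfProfileIn(__METHOD__);
     if (self::$queryHelper === null) {
         self::$queryHelper = new Solarium_Query_Helper();
     }
     // RT #24790: "2nd" -> "2 nd" so number-string phrases match the index.
     // preg_replace() returns null on a PCRE failure (e.g. backtrack limit);
     // keep the original text in that case instead of letting the query
     // silently collapse to an empty string further down.
     $split = preg_replace('/(\\d+)([a-zA-Z]+)/', '$1 $2', $query);
     if ($split !== null) {
         $query = $split;
     }
     // RT #25482: decode entities first so that an entity-encoded meta
     // character (e.g. &quot;) is escaped as the character it stands for,
     // then escape all lucene special characters: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
     $query = self::$queryHelper->escapeTerm(html_entity_decode($query, ENT_COMPAT, 'UTF-8'));
     wfProfileOut(__METHOD__);
     return $query;
 }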