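 /**
  * Normalises a raw search string before it is handed to the Solr backend.
  *
  * Two transformations are applied, in this order:
  *  1. a space is inserted between a run of digits and a directly following
  *     run of letters (workaround for non-indexed number-string phrases,
  *     RT #24790);
  *  2. HTML entities are decoded and the result is passed through
  *     Solarium_Query_Helper::escapeTerm() so that the Lucene operators
  *     + - && || ! ( ) { } [ ] ^ " ~ * ? : \ are treated as literal text
  *     (RT #25482).
  *
  * Decoding happens before escaping on purpose: decoding after the escape
  * could re-introduce the very characters escapeTerm() neutralised.
  *
  * escapeTerm() is Lucene escaping, not HTML escaping: '<' and '>' are not
  * in its character list, so the returned string must still be HTML-encoded
  * by whoever renders it. ENT_COMPAT decodes double-quote entities only;
  * single-quote entities are left as-is.
  *
  * Any further query string transformations before sending to backend
  * should be placed here.
  *
  * @see    WikiaSearchTest::testSanitizeQuery
  * @param  string $query raw query text; null is treated as an empty string
  * @return string
  */
 public static function sanitizeQuery($query)
 {
     wfProfileIn(__METHOD__);
     try {
         if (self::$queryHelper === null) {
             self::$queryHelper = new Solarium_Query_Helper();
         }
         // non-indexed number-string phrases issue workaround (RT #24790).
         // The input cast avoids a null being handed to preg_replace(); the
         // result cast turns the null preg_replace() returns on a PCRE error
         // back into a string so escapeTerm() always receives one.
         $query = (string) preg_replace('/(\\d+)([a-zA-Z]+)/i', '$1 $2', (string) $query);
         // decode entities first, then escape every Lucene special character:
         // + - && || ! ( ) { } [ ] ^ " ~ * ? : \ (RT #25482)
         return self::$queryHelper->escapeTerm(html_entity_decode($query, ENT_COMPAT, 'UTF-8'));
     } finally {
         // the profiling section must be closed even if escapeTerm() throws
         wfProfileOut(__METHOD__);
     }
 }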
 /**
  * Builds the nested query string for a sub-query.
  *
  * The result has the form `_query_:"{!<defType> <params>}<query>"`. Only the
  * query text is run through Solarium_Query_Helper::escapeTerm(); the
  * parameter string is emitted exactly as constructParamString() returns it,
  * so it is assumed to contain no unescaped double quotes — verify in that
  * helper.
  *
  * @see Solarium_Client_Builder::build()
  * @param Solarium_Query_Select $query
  * @return string
  */
 public function build($query)
 {
     $escaper = new Solarium_Query_Helper();
     $defType = $this->getDefType($query);
     $subQueryParams = $this->getSubQueryParams($this->getParamsFromQuery($query));
     $localParams = $this->constructParamString($subQueryParams);
     $escapedQuery = $escaper->escapeTerm($query->getQuery());

     return sprintf('_query_:"{!%s %s}%s"', $defType, $localParams, $escapedQuery);
 }
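 /**
  * A term containing no Lucene special characters must come back unchanged.
  */
 public function testEscapeTermNoEscape()
 {
     // assertSame: the escaper must return the identical string, not merely
     // a loosely-equal value
     $this->assertSame('abc', $this->_helper->escapeTerm('abc'));
 }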