/**
 * Normalises a raw search string before it is handed to the Solr backend.
 *
 * Two transformations are applied, in this order:
 *  1. A letter run glued to a digit run ("12abc") gets a space inserted
 *     ("12 abc") — workaround for non-indexed number-string phrases (RT #24790).
 *  2. HTML entities are decoded and every Lucene special character
 *     (+ - && || ! ( ) { } [ ] ^ " ~ * ? : \) is escaped through
 *     Solarium_Query_Helper::escapeTerm() (RT #25482).
 *
 * escapeTerm() targets Lucene query syntax only; because entities are
 * decoded here, the returned value is not HTML-encoded and still needs
 * context-appropriate output escaping if it is ever rendered in a page.
 *
 * Any further pre-backend query transformations belong in this method.
 *
 * @see WikiaSearchTest::testSanitizeQuery
 * @param string $query raw user-supplied query
 * @return string query text safe to embed in a Lucene query
 */
public static function sanitizeQuery($query)
{
    wfProfileIn(__METHOD__);

    // build the shared helper lazily, once
    if (!isset(self::$queryHelper)) {
        self::$queryHelper = new Solarium_Query_Helper();
    }

    $spaced  = preg_replace('/(\\d+)([a-zA-Z]+)/i', '$1 $2', $query);
    $decoded = html_entity_decode($spaced, ENT_COMPAT, 'UTF-8');
    $escaped = self::$queryHelper->escapeTerm($decoded);

    wfProfileOut(__METHOD__);

    return $escaped;
}
/**
 * Builds a nested query string of the form `_query_:"{!<deftype> <params>}<query>"`.
 *
 * The inner query text is taken from $query->getQuery() and run through
 * Solarium_Query_Helper::escapeTerm(), so Lucene special characters in it
 * are escaped. The local-params prefix is derived from the query object via
 * getDefType() / getParamsFromQuery() / getSubQueryParams() /
 * constructParamString(), which live elsewhere in the class — whether they
 * quote or escape parameter values is not visible here.
 *
 * @see Solarium_Client_Builder::build()
 * @param Solarium_Query_Select $query
 * @return string
 */
public function build($query)
{
    $helper = new Solarium_Query_Helper();

    $defType      = $this->getDefType($query);
    $rawParams    = $this->getParamsFromQuery($query);
    $localParams  = $this->constructParamString($this->getSubQueryParams($rawParams));
    $escapedQuery = $helper->escapeTerm($query->getQuery());

    return sprintf('_query_:"{!%s %s}%s"', $defType, $localParams, $escapedQuery);
}
/**
 * A plain alphanumeric term contains no Lucene special characters,
 * so escapeTerm() must hand it back unchanged.
 */
public function testEscapeTermNoEscape()
{
    $term    = 'abc';
    $escaped = $this->_helper->escapeTerm($term);

    $this->assertEquals($term, $escaped);
}