_search= queries now correctly escaped, fixes #651

Queries with reserved words or characters according to the SQLite FTS5 query language could cause errors. Queries are now escaped like so: dog cat => "dog" "cat"
2025-12-10 16:51:24 +01:00 · 2019-12-29 18:48:13 +00:00 · 2019-12-29 18:48:13 +00:00 · 3c861f363d
commit 3c861f363d
parent 59e7014c8a
6 changed files with 47 additions and 2 deletions
--- a/datasette/utils/init.py
+++ b/datasette/utils/init.py
@ -758,6 +758,20 @@ def format_bytes(bytes):
        return "{:.1f} {}".format(current, unit)


+_escape_fts_re = re.compile(r'\s+|(".*?")')
+
+
+def escape_fts(query):
+    # If query has unbalanced ", add one at end
+    if query.count('"') % 2:
+        query += '"'
+    bits = _escape_fts_re.split(query)
+    bits = [b for b in bits if b and b != '""']
+    return " ".join(
+        '"{}"'.format(bit) if not bit.startswith('"') else bit for bit in bits
+    )
+
+
 class RequestParameters(dict):
    def get(self, name, default=None):
        "Return first value in the list, if available"