_search= queries now correctly escaped, fixes #651

Queries with reserved words or characters according to the SQLite FTS5 query language could cause errors. Queries are now escaped like so: dog cat => "dog" "cat"
2025-12-10 16:51:24 +01:00 · 2019-12-29 18:48:13 +00:00 · 2019-12-29 18:48:13 +00:00 · 3c861f363d
commit 3c861f363d
parent 59e7014c8a
6 changed files with 47 additions and 2 deletions
--- a/datasette/views/table.py
+++ b/datasette/views/table.py
@ -361,7 +361,7 @@ class TableView(RowTableShared):
                # Simple ?_search=xxx
                search = search_args["_search"]
                where_clauses.append(
-                    "{fts_pk} in (select rowid from {fts_table} where {fts_table} match :search)".format(
+                    "{fts_pk} in (select rowid from {fts_table} where {fts_table} match escape_fts(:search))".format(
                        fts_table=escape_sqlite(fts_table), fts_pk=escape_sqlite(fts_pk)
                    )
                )
@ -375,7 +375,7 @@ class TableView(RowTableShared):
                        raise DatasetteError("Cannot search by that column", status=400)

                    where_clauses.append(
-                        "rowid in (select rowid from {fts_table} where {search_col} match :search_{i})".format(
+                        "rowid in (select rowid from {fts_table} where {search_col} match escape_fts(:search_{i}))".format(
                            fts_table=escape_sqlite(fts_table),
                            search_col=escape_sqlite(search_col),
                            i=i,