_search= queries now correctly escaped, fixes #651

Queries with reserved words or characters according to the SQLite FTS5 query language could cause errors. Queries are now escaped like so: dog cat => "dog" "cat"
2025-12-10 16:51:24 +01:00 · 2019-12-29 18:48:13 +00:00 · 2019-12-29 18:48:13 +00:00 · 3c861f363d
commit 3c861f363d
parent 59e7014c8a
6 changed files with 47 additions and 2 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -947,6 +947,11 @@ def test_sortable_columns_metadata(app_client):
                [2, "terry dog", "sara weasel", "puma"],
            ],
        ),
+        (
+            # Special keyword shouldn't break FTS query
+            "/fixtures/searchable.json?_search=AND",
+            [],
+        ),
        (
            "/fixtures/searchable.json?_search=weasel",
            [[2, "terry dog", "sara weasel", "puma"]],
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -388,3 +388,21 @@ def test_path_with_format(path, format, extra_qs, expected):
 )
 def test_format_bytes(bytes, expected):
    assert expected == utils.format_bytes(bytes)
+
+
+@pytest.mark.parametrize(
+    "query,expected",
+    [
+        ("dog", '"dog"'),
+        ("cat,", '"cat,"'),
+        ("cat dog", '"cat" "dog"'),
+        # If a phrase is already double quoted, leave it so
+        ('"cat dog"', '"cat dog"'),
+        ('"cat dog" fish', '"cat dog" "fish"'),
+        # Sensibly handle unbalanced double quotes
+        ('cat"', '"cat"'),
+        ('"cat dog" "fish', '"cat dog" "fish"'),
+    ],
+)
+def test_escape_fts(query, expected):
+    assert expected == utils.escape_fts(query)