escape data before being used in query

dangerous!

escape data before being used in query
dangerous!
1b07f2cf · Raz0r · 5a3918c5 · 1b07f2cf
Commit 1b07f2cf authored Jul 01, 2014 by Raz0r
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

tools.py flask_admin/contrib/pymongo/tools.py +5 -3

No files found.
--- a/flask_admin/contrib/pymongo/tools.py
+++ b/flask_admin/contrib/pymongo/tools.py
+import re
+
 def parse_like_term(term):
    """
        Parse search term into (operation, term) tuple
@@ -6,8 +8,8 @@ def parse_like_term(term):
            Search term
    """
    if term.startswith('^'):
-        return '^%s' % term[1:]
+        return '^{}'.format(re.escape(term[1:]))
    elif term.startswith('='):
-        return '^%s$' % term[1:]
+        return '^{}$'.format(re.escape(term[1:]))

-    return '%s' % term
+    return re.escape(term)