diff --git a/lib/search.rb b/lib/search.rb index c4c086ad78e..a4fb577ef46 100644 --- a/lib/search.rb +++ b/lib/search.rb @@ -177,8 +177,8 @@ class Search def ts_query @ts_query ||= begin - escaped_term = PG::Connection.escape_string(@term.gsub(/[:()&!]/,'')) - query = Post.sanitize(escaped_term.split.map {|t| "#{t}:*"}.join(" & ")) + all_terms = @term.gsub(/[:()&!'"]/,'').split + query = Post.sanitize(all_terms.map {|t| "#{PG::Connection.escape_string(t)}:*"}.join(" & ")) "TO_TSQUERY(#{query_locale}, #{query})" end end diff --git a/spec/components/search_spec.rb b/spec/components/search_spec.rb index 02d9466f977..0bf0ac91644 100644 --- a/spec/components/search_spec.rb +++ b/spec/components/search_spec.rb @@ -92,6 +92,10 @@ describe Search do Search.new('foo :!$);}]>@\#\"\'').execute.should be_blank # There are at least three levels of sanitation for Search.query! end + it "doesn't raise an error when single quotes are present" do + Search.new("'hello' world").execute.should be_blank # There are at least three levels of sanitation for Search.query! + end + it 'works when given two terms with spaces' do lambda { Search.new('evil trout').execute }.should_not raise_error end