From cfa6c7cb7191b88622264b011f529dc18f625d9b Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Thu, 28 Mar 2019 09:33:52 +0100
Subject: [PATCH] Escape the search terms on the server

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 lib/private/Collaboration/Resources/Manager.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/private/Collaboration/Resources/Manager.php b/lib/private/Collaboration/Resources/Manager.php
index 4d24636b6b0..add23171f56 100644
--- a/lib/private/Collaboration/Resources/Manager.php
+++ b/lib/private/Collaboration/Resources/Manager.php
@@ -138,11 +138,15 @@ class Manager implements IManager {
 					$query->expr()->eq('a.user_id', $query->createNamedParameter($userId, IQueryBuilder::PARAM_STR))
 				)
 			)
-			->where($query->expr()->iLike('c.name', $query->createNamedParameter($filter, IQueryBuilder::PARAM_STR)))
-			->andWhere($query->expr()->eq('a.access', $query->createNamedParameter(1, IQueryBuilder::PARAM_INT)))
+			->where($query->expr()->eq('a.access', $query->createNamedParameter(1, IQueryBuilder::PARAM_INT)))
 			->orderBy('c.id')
 			->setMaxResults($limit)
 			->setFirstResult($start);
+
+		if ($filter !== '') {
+			$query->where($query->expr()->iLike('c.name', $query->createNamedParameter('%' . $this->connection->escapeLikeParameter($filter) . '%')));
+		}
+
 		$result = $query->execute();
 		$collections = [];
 
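Review bot: The `$query->where(...)` call inside the new `if ($filter !== '')` block drops the `a.access = 1` restriction that the `->where(...)` line above it set: Nextcloud's query builder follows Doctrine semantics, where `where()` replaces any previously specified restrictions rather than adding to them, so with a non-empty filter the search would no longer be limited to collections the user has access to. The second call should be `$query->andWhere($query->expr()->iLike('c.name', $query->createNamedParameter('%' . $this->connection->escapeLikeParameter($filter) . '%')));`. Wrapping the escaped term in `%` on the server, via `escapeLikeParameter`, is the right fix for the LIKE-wildcard issue the commit targets; it just needs to compose with the existing restriction instead of overriding it. The enclosing method starts and ends outside this hunk, so I could not confirm whether any other restriction is added later in the chain.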
-- 
GitLab