Merge pull request #60 from Flowpack/task/change-sanitation

TASK: Use more fine-grained sanitation

Author: daniellienert

Classes/Controller/SuggestController.php

@@ -14,6 +14,7 @@
 use Flowpack\ElasticSearch\ContentRepositoryAdaptor\Eel\ElasticSearchQueryBuilder;
 use Flowpack\ElasticSearch\ContentRepositoryAdaptor\ElasticSearchClient;
 use Flowpack\ElasticSearch\ContentRepositoryAdaptor\Exception\QueryBuildingException;
+use Flowpack\SearchPlugin\Utility\Sanitation;
 use Neos\Cache\Frontend\VariableFrontend;
 use Neos\Flow\Annotations as Flow;
 use Neos\Flow\Mvc\Controller\ActionController;
@@ -114,8 +115,8 @@ protected function buildRequestForTerm(string $term, string $contextNodeIdentifi
         $term = strtolower($term);
 
         // The suggest function only works well with one word
-        // and the term is trimmed to alnum characters to avoid errors
-        $suggestTerm = preg_replace('/[[:^alnum:]]/', '', explode(' ', $term)[0]);
+        // special search characters are escaped
+        $suggestTerm = Sanitation::sanitizeSearchInput(explode(' ', $term)[0]);
 
         if (!$this->elasticSearchQueryTemplateCache->has($cacheKey)) {
             $contentContext = $this->createContentContext('live', $dimensionCombination ? json_decode($dimensionCombination, true) : []);

Classes/EelHelper/SuggestionIndexHelper.php

@@ -14,6 +14,7 @@
  */
 
 use Flowpack\SearchPlugin\Exception;
+use Flowpack\SearchPlugin\Utility\Sanitation;
 use Neos\Eel\ProtectedContextAwareInterface;
 use Neos\Flow\Annotations as Flow;
 
@@ -47,8 +48,9 @@ protected function prepareInput($input): ?array
     {
         $process = static function (?string $input) {
             $input = preg_replace("/\r|\n/", '', $input);
-            return array_values(array_filter(explode(' ', preg_replace("/[^[:alnum:][:space:]]/u", ' ', strip_tags($input)))));
+            return array_values(array_filter(explode(' ', Sanitation::sanitizeSearchInput(strip_tags($input)))));
         };
+
         if (\is_string($input)) {
             return $process($input);
         } elseif (\is_array($input)) {

Classes/Utility/Sanitation.php

@@ -0,0 +1,24 @@
+<?php
+declare(strict_types=1);
+
+namespace Flowpack\SearchPlugin\Utility;
+
+/*
+ * This file is part of the Flowpack.SearchPlugin package.
+ *
+ * (c) Contributors of the Flowpack Team - flowpack.org
+ *
+ * This package is Open Source Software. For the full copyright and license
+ * information, please view the LICENSE file which was distributed with this
+ * source code.
+ */
+
+class Sanitation
+{
+
+    public static function sanitizeSearchInput(string $input): string
+    {
+        return str_replace(['=', '>', '<', '(', ')', '{', '}', '[', ']', '^', '"', '~', '*', '?', ':', '\\', '/'], ['', '', '', '(', '\)', '\{', '\}', '[', '\]', '\^', '\"', '\~', '\*', '\?', '\:', '\\\\', '\/'], $input);
+    }
+
+}