Problem/Motivation

The '%' character is not escaped when used in an exposed filter.

Steps to reproduce

  • Create a view page for nodes list
  • Add a exposed filter for title
  • Set operation to equals (=)
  • Create nodes with title abc, abc%, abcd, abcde
  • Visit created views page, type testing search string into exposed filter: "abc%"

Result:
View shows all four nodes (abc, abc%, abcd, abcde)

Expected:
Only node abc% should be shown as operation is set to equal and not to contains.

Proposed resolution

Call Database::getConnection()->escapeLike($value) for all values.
we can check #6, #7 for detail.

Remaining tasks

Review

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Problem/Motivation

CommentFileSizeAuthor
#33 3055152-nr-bot.txt91 bytesneeds-review-queue-bot
#16 3055152-5.patch1.47 KBmanpreet_singh
#4 3055152-4.patch664 byteskfritsche
#2 3055152-1.patch663 byteskfritsche

Issue fork drupal-3055152

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

kfritsche created an issue. See original summary.

kfritsche’s picture

kfritsche
Primary language German
Location 🇩🇪🇪🇺
commented
StatusFileSize
new 3055152-1.patch663 bytes

Attached a patch for 8.8.x

kfritsche’s picture

kfritsche
Primary language German
Location 🇩🇪🇪🇺
commented
Status: Active » Needs review
kfritsche’s picture

kfritsche
Primary language German
Location 🇩🇪🇪🇺
commented
StatusFileSize
new 3055152-4.patch664 bytes

Ups, forgot a semicolon :/

daffie’s picture

daffie commented

@kfritsche: What does query now returns without your solution?

kfritsche’s picture

kfritsche
Primary language German
Location 🇩🇪🇪🇺
commented
Issue summary: View changes

@daffie:
Without the patch a % in the search works like a SQL LIKE.
So search for "a%" will return all entities which starts with an a, even if the operation is equal and in my mind should only return something if there is an entity which has the exact title "a%".

We needed this patch, as we have entity titles with % signs and want to search exactly for these.

daffie’s picture

daffie commented
Status: Needs review » Needs work
Issue tags: +Needs tests

@kfritsche: I had another look at the code of the StringFilter filter and first I thought that the operator was an "=", but now I see that the operator is "LIKE". The solution in your patch is the correct. What we now are missing is an automated test to make sure that the solution does not get undone in the future.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Needs work » Closed (outdated)
Issue tags: +Bug Smash Initiative

@kfritsche, Thank you for reporting this problem and making a patch.. We rely on issue reports like this to improve Drupal core.

I tested this on 9.3.9, standard install, and was not able to reproduce this error. I followed the steps given in the Issue Summary.

Therefore, closing as outdated.

If you are experiencing this problem on a supported version of Drupal reopen the issue, by setting the status to 'Active', and provide complete steps to reproduce the issue (starting from "Install Drupal core").

jimyhuang’s picture

jimyhuang commented
Version: 9.5.x-dev » 10.3.x-dev
Status: Closed (outdated) » Needs review

This issue still there. I tried patch 3055152-4.patch, it is correct.

Tested version: 10.3.2
Tested db: MariaDB
Problematic code: 11.x , 10.x

Reproduce step:

  1. Create a view with page, choose "content" as type
  2. Add filter to created views, use title as exposed filter
  3. Operator choose "Is equal to"
  4. Visit created views page, type testing search string into exposed filter: %abc%
  5. Visit created views page, type query on the url: /test-node?title=%25abc%25
  6. All the title contains abc will listed. The percentage character is not escape.
manpreet_singh’s picture

manpreet_singh commented
Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs tests, -Bug Smash Initiative +Barcelona2024
StatusFileSize
new 3055152-5.patch1.47 KB

I have fixed the issue above-mentioned issue.
I attached the patch for the Drupal 10.3.5

Tested version: 10.3.5
Tested db: MariaDB

Thank you

manpreet_singh opened merge request !9635

quietone’s picture

quietone commented
Version: 10.3.x-dev » 11.x-dev
Issue summary: View changes
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests, +Needs issue summary update

I re-tested today with Umami on 11.x and was able to reproduce the problem. I can only assume that my earlier testing was incorrect.

@manpreet_singh, thanks for the fix. Drupal uses peer review for all changes to core, so the setting on an issue to RTBC should be done by another contributor. Thanks.

This issue will also need a test to prove the fix works and expected, adding tag.

shalini_jha’s picture

shalini_jha commented
Assigned: Unassigned » shalini_jha

I have able to replicate this issue and MR fixes the issue , so i will work on this for test coverage.

shalini_jha’s picture

shalini_jha commented
Issue summary: View changes
shalini_jha’s picture

shalini_jha commented
Issue summary: View changes

shalini_jha changed the visibility of the branch 3055152-views-stringfilter-doesnt-11x to hidden.

shalini_jha changed the visibility of the branch 3055152-views-stringfilter-doesnt-11x to active.

shalini_jha opened merge request !10110

shalini_jha changed the visibility of the branch 3055152-views-stringfilter-doesnt to hidden.

shalini_jha’s picture

shalini_jha commented
Issue summary: View changes

Hi,
I was able to replicate the issue and reviewed the existing fix in this MR. The solution appears correct, and functionality works as expected based on my testing. To validate this, I have tried to add test coverage in the FilterStringTest class, aiming to demonstrate both the issue and its resolution.

I’ve submitted a new MR against 11.x. Since there was an existing MR on 10, I’ve hidden that one to avoid any confusion. I wasn’t sure about the status of the existing MR, Apologies if you would have preferred updating the existing MR.

Please review when possible, and let me know if there’s anything further I should address.

Updated issue summary also.
Thank you!

Failing test :

1) Drupal\Tests\views\Kernel\Handler\FilterStringTest::testFilterStringEqual
Actual result <pre>
array (
  0 => 
  array (
    'name' => 'Ringo',
  ),
  1 => 
  array (
    'name' => 'Ringo%',
  ),
)
</pre> is  identical to expected <pre>
array (
  0 => 
  array (
    'name' => 'Ringo%',
  ),
)
</pre>
Failed asserting that two arrays are identical.
--- Expected
+++ Actual
@@ @@
 Array &0 [
     0 => Array &1 [
+        'name' => 'Ringo',
+    ],
+    1 => Array &2 [
         'name' => 'Ringo%',
     ],
 ]
shalini_jha’s picture

shalini_jha commented
Assigned: shalini_jha » Unassigned
Status: Needs work » Needs review

Moving this for Review.

smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work

Comment on MR.

shalini_jha’s picture

shalini_jha commented
Assigned: Unassigned » shalini_jha
shalini_jha’s picture

shalini_jha commented
Issue summary: View changes
shalini_jha’s picture

shalini_jha commented
Assigned: shalini_jha » Unassigned
Status: Needs work » Needs review

I have address the feedback, also verified with another method no type cast is added, also again re ran the test and its working as expected, pipeline is also green so moving this for NR.
Kindly review.

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs tests, -Needs issue summary update +Needs Review Queue Initiative

All feedback appears to be addressed.

needs-review-queue-bot’s picture

needs-review-queue-bot commented
Status: Reviewed & tested by the community » Needs work
StatusFileSize
new 3055152-nr-bot.txt91 bytes

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

shalini_jha’s picture

shalini_jha commented
Status: Needs work » Reviewed & tested by the community

Rebase without conflicts , so moving back to previous status.

quietone’s picture

quietone commented

I read the IS, comments and the MR. Everything looks in order here. I updated credit.

  • catch committed f333c6bc on 11.x 
    Issue #3055152 by shalini_jha, manpreet_singh, kfritsche, quietone,...

  • catch committed b1429b24 on 10.5.x 
    Issue #3055152 by shalini_jha, manpreet_singh, kfritsche, quietone,...
catch’s picture

catch
he/him
Primary language English
commented
Version: 11.x-dev » 10.5.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed to 11.x and cherry-picked to 10.5.x, thanks!

catch closed merge request !10110

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Anonymous’s picture

Anonymous (not verified) commented

After this fix, hook_views_query_substitutions() no longer works correctly.
Because a \ is added before the _ in the target strings, the replacements no longer match.