properly quote and escape query to member service

maxceem · maxceem · commit 8610922de283 · 2019-05-16T23:03:37.000+08:00
diff --git a/connect/service.js b/connect/service.js
@@ -166,7 +166,7 @@ const getUsersById = (ids) => {
  * @return {Promise}   resolves to the list of user details
  */
 const getUsersByHandle = (handles) => {
-  const query = _.map(handles, (handle) => 'handle:' + handle).join(' OR ');
+  const query = _.map(handles, (handle) => 'handle:"' + handle.trim().replace('"', '\\"') + '"').join(' OR ');
   return M2m.getMachineToken(config.AUTH0_CLIENT_ID, config.AUTH0_CLIENT_SECRET)
     .catch((err) => {
       err.message = 'Error generating m2m token: ' + err.message;
diff --git a/src/common/tcApiHelper.js b/src/common/tcApiHelper.js
@@ -83,7 +83,7 @@ function* getUsersByHandles(handles) {
     return [];
   }
   // use 'OR' to link the handle matches
-  const query = _.map(handles, (h) => 'handle:"' + h.trim() + '"').join(' OR ');
+  const query = _.map(handles, (h) => 'handle:"' + h.trim().replace('"', '\\"')  + '"').join(' OR ');
   return yield searchUsersByQuery(query);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ function* getUsersByHandles(handles) {`
`83`	`83`	`return [];`
`84`	`84`	`}`
`85`	`85`	`// use 'OR' to link the handle matches`
`86`		`- const query = _.map(handles, (h) => 'handle:"' + h.trim() + '"').join(' OR ');`
	`86`	`+ const query = _.map(handles, (h) => 'handle:"' + h.trim().replace('"', '\\"') + '"').join(' OR ');`
`87`	`87`	`return yield searchUsersByQuery(query);`
`88`	`88`	`}`
`89`	`89`