11 | 11 | use App\Http\Requests\StoreCommentUpdateRequest; |
12 | 12 | use App\Http\Requests\StoreVideoRequest; |
13 | 13 | use App\Http\Requests\UpdateVideoRequest; |
| 14 | +use App\Http\Resources\AccountCompactResource; |
14 | 15 | use App\Http\Resources\CommentCaptionEditResource; |
15 | 16 | use App\Http\Resources\CommentReplyCaptionEditResource; |
16 | 17 | use App\Http\Resources\CommentReplyResource; |
@@ -61,20 +62,36 @@ public function __construct() |
61 | 62 |
|
62 | 63 | public function showAutocompleteTags(Request $request) |
63 | 64 | { |
64 | | - $request->validate(['q' => 'required|string|min:2|max:60']); |
| 65 | + $validated = $request->validate(['q' => 'required|alpha_dash|min:2|max:60']); |
65 | 66 |
|
66 | | - $hashtags = Hashtag::where('name', 'like', $request->input('q').'%')->whereCanSearch(true)->limit(10)->get(); |
| 67 | + $q = trim($validated['q']); |
| 68 | + |
| 69 | + $escaped = $this->escapeLike($q); |
| 70 | + |
| 71 | + $hashtags = Hashtag::where('name', 'like', $escaped.'%')->whereCanSearch(true)->limit(10)->get(); |
67 | 72 |
|
68 | 73 | return HashtagResource::collection($hashtags); |
69 | 74 | } |
70 | 75 |
|
71 | 76 | public function showAutocompleteAccounts(Request $request) |
72 | 77 | { |
73 | | - $request->validate(['q' => 'required|string|min:2|max:90']); |
| 78 | + $validated = $request->validate([ |
| 79 | + 'q' => [ |
| 80 | + 'required', |
| 81 | + 'string', |
| 82 | + 'min:2', |
| 83 | + 'max:90', |
| 84 | + 'regex:/^[A-Za-z0-9.\-_@]+$/', |
| 85 | + ], |
| 86 | + ]); |
| 87 | + |
| 88 | + $q = trim($validated['q']); |
74 | 89 |
|
75 | | - $profiles = Profile::where('username', 'like', $request->input('q').'%')->where('is_hidden', false)->limit(10)->get(); |
| 90 | + $escaped = $this->escapeLike($q); |
76 | 91 |
|
77 | | - return ProfileResource::collection($profiles); |
| 92 | + $profiles = Profile::where('username', 'like', $escaped.'%')->where('is_hidden', false)->limit(10)->get(); |
| 93 | + |
| 94 | + return AccountCompactResource::collection($profiles); |
78 | 95 | } |
79 | 96 |
|
80 | 97 | /** |
@@ -767,4 +784,13 @@ public function getAutocompleteHashtag(GetMentionAutocomplete $request) |
767 | 784 |
|
768 | 785 | return HashtagResource::collection($res); |
769 | 786 | } |
| 787 | + |
| 788 | + private function escapeLike(string $value): string |
| 789 | + { |
| 790 | + return str_replace( |
| 791 | + ['\\', '%', '_'], |
| 792 | + ['\\\\', '\\%', '\\_'], |
| 793 | + $value |
| 794 | + ); |
| 795 | + } |
770 | 796 | } |
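Review bot: The new `regex` rule on `showAutocompleteAccounts` (line 84) anchors with `$`, which in PCRE also matches just before a trailing newline, so a value like `"a\n"` passes both the pattern and `min:2`, and the later `trim()` on line 88 then shrinks it to a one-character prefix search; anchor both ends explicitly instead: `'regex:/\A[A-Za-z0-9.\-_@]+\z/'`. That would also match the `alpha_dash` rule used on line 65, which as far as I recall is anchored with `\z` in Laravel, so the two endpoints would reject trailing whitespace the same way. A stock Laravel application usually has the `TrimStrings` middleware strip that newline before validation runs, but nothing in this controller shows it, so the rule should not depend on it. Separately, the `like` comparisons on lines 71 and 92 rely on backslash being the database's default LIKE escape character, which holds for MySQL and PostgreSQL but not for SQLite, where `escapeLike()` only works if the query carries an explicit `ESCAPE '\'` clause; a short comment on `escapeLike()` stating this assumption would help the next maintainer.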