From 34ea639c25fce1e8cccb0e3c19f9e24119eaf21c Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Sat, 14 Feb 2026 11:05:05 +0200
Subject: [PATCH] escape wildcard query
---
 lib/submissions.rb | 5 +++--
 lib/template_folders.rb | 4 +++-
 lib/templates.rb | 4 +++-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/lib/submissions.rb b/lib/submissions.rb
index aaf18ea4..8fd26bf0 100644
--- a/lib/submissions.rb
+++ b/lib/submissions.rb
@@ -18,7 +18,8 @@ module Submissions
   def plain_search(submissions, keyword, search_values: false, search_template: false)
     return submissions if keyword.blank?
 
-    term = "%#{keyword.downcase}%"
+    sanitized = ActiveRecord::Base.sanitize_sql_like(keyword.downcase)
+    term = "%#{sanitized}%"
 
     arel_table = Submitter.arel_table
 
@@ -31,7 +32,7 @@ module Submissions
     if search_template
       submissions = submissions.left_joins(:template)
 
-      arel = arel.or(Template.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
+      arel = arel.or(Template.arel_table[:name].lower.matches("%#{sanitized}%"))
     end
 
     submissions.joins(:submitters).where(arel).group(:id)
diff --git a/lib/template_folders.rb b/lib/template_folders.rb
index 00a6fc02..d4a3af9e 100644
--- a/lib/template_folders.rb
+++ b/lib/template_folders.rb
@@ -20,7 +20,9 @@ module TemplateFolders
   def search(folders, keyword)
     return folders if keyword.blank?
 
-    folders.where(TemplateFolder.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
+    sanitized = ActiveRecord::Base.sanitize_sql_like(keyword.downcase)
+
+    folders.where(TemplateFolder.arel_table[:name].lower.matches("%#{sanitized}%"))
   end
 
   def filter_active_folders(template_folders, templates)
diff --git a/lib/templates.rb b/lib/templates.rb
index 73aaef80..2abd93dd 100644
--- a/lib/templates.rb
+++ b/lib/templates.rb
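Review bot: The backslash escaping that `sanitize_sql_like` applies on the new `sanitized` line only takes effect if the generated LIKE treats backslash as its escape character, and none of the `matches` calls in this commit (the second hunk of this file, and the template_folders.rb and templates.rb hunks) pass an escape argument, so no `ESCAPE` clause is emitted. PostgreSQL and MySQL default to backslash, but SQLite defines no default escape character for LIKE, so on that adapter `%` and `_` in the keyword would still act as wildcards and the inserted backslashes would be matched literally; whether SQLite is a supported backend is not visible here. Passing the escape explicitly makes the intent adapter-independent, e.g. `Template.arel_table[:name].lower.matches("%#{sanitized}%", "\\")`, and the same applies wherever `term` is consumed (those lines lie outside this hunk, as does the rest of plain_search). A one-line comment above the `sanitized` assignment, `# escape LIKE metacharacters (%, _, \) so the keyword is matched literally`, would record why the extra step exists.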
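Review bot: The changed line rebuilds `"%#{sanitized}%"` inline even though the first hunk of this file assigns exactly that value to `term`; unless `term` is reassigned in the lines between the two hunks (not visible here), the call can simply read `arel = arel.or(Template.arel_table[:name].lower.matches(term))` so the pattern is built in one place. The enclosing plain_search method starts outside this hunk.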
@@ -52,7 +52,9 @@ module Templates
   def plain_search(templates, keyword)
     return templates if keyword.blank?
 
-    templates.where(Template.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
+    sanitized = ActiveRecord::Base.sanitize_sql_like(keyword.downcase)
+
+    templates.where(Template.arel_table[:name].lower.matches("%#{sanitized}%"))
   end
 
   def fulltext_search(current_user, templates, keyword)