escape wildcard query

lib/submissions.rb

@@ -18,7 +18,8 @@ module Submissions
   def plain_search(submissions, keyword, search_values: false, search_template: false)
     return submissions if keyword.blank?
 
-    term = "%#{keyword.downcase}%"
+    sanitized = ActiveRecord::Base.sanitize_sql_like(keyword.downcase)
+    term = "%#{sanitized}%"
 
     arel_table = Submitter.arel_table
 
@@ -31,7 +32,7 @@ module Submissions
     if search_template
       submissions = submissions.left_joins(:template)
 
-      arel = arel.or(Template.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
+      arel = arel.or(Template.arel_table[:name].lower.matches("%#{sanitized}%"))
     end
 
     submissions.joins(:submitters).where(arel).group(:id)

lib/template_folders.rb

@@ -20,7 +20,9 @@ module TemplateFolders
   def search(folders, keyword)
     return folders if keyword.blank?
 
-    folders.where(TemplateFolder.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
+    sanitized = ActiveRecord::Base.sanitize_sql_like(keyword.downcase)
+
+    folders.where(TemplateFolder.arel_table[:name].lower.matches("%#{sanitized}%"))
   end
 
   def filter_active_folders(template_folders, templates)

lib/templates.rb

@@ -52,7 +52,9 @@ module Templates
   def plain_search(templates, keyword)
     return templates if keyword.blank?
 
-    templates.where(Template.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
+    sanitized = ActiveRecord::Base.sanitize_sql_like(keyword.downcase)
+
+    templates.where(Template.arel_table[:name].lower.matches("%#{sanitized}%"))
   end
 
   def fulltext_search(current_user, templates, keyword)