From f9711bac372e466358ed005b675ccf721ebec6c1 Mon Sep 17 00:00:00 2001
From: Gerhard Boden
Date: Tue, 25 Jun 2019 17:37:42 +0200
Subject: [PATCH] BUGFIX: Use multi_match instead of query_string

By using ``multi_match`` instead of ``query_string`` within our search query, we prevent the accidental injection of Lucene search query strings. Currently an exception is thrown when adding ``"`` to your search query. Using ``multi_match`` instead should lead to the same quality of results and is less prone to user errors, because in 99% of cases the search is used for classic search terms and no end user is expected to know the compact Lucene query string syntax. see: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-multi-match-query.html see: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-query-string-query.html see: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-query-string-query.html#query-string-syntax
---
 Classes/Driver/Version5/Query/FilteredQuery.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Classes/Driver/Version5/Query/FilteredQuery.php b/Classes/Driver/Version5/Query/FilteredQuery.php
index ad0591f4..d97547b2 100644
--- a/Classes/Driver/Version5/Query/FilteredQuery.php
+++ b/Classes/Driver/Version5/Query/FilteredQuery.php
@@ -60,7 +60,7 @@ public function from(int $size): void
 public function fulltext(string $searchWord, array $options = []): void
 {
 $this->appendAtPath('query.bool.must', [
- 'query_string' => array_merge($options, [
+ 'multi_match' => array_merge($options, [
 'query' => $searchWord,
 'fields' => ['__fulltext*']
 ])
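Review bot: `$options` is still merged into the clause unchanged on the `array_merge($options, [` line, but the clause is now a `multi_match` body, so a caller that passes `query_string`-only keys (for example `default_operator`) will, as far as I can tell, get a parsing error from Elasticsearch rather than results. Document the new contract on `fulltext()`, e.g. `@param array $options multi_match parameters such as operator or type; query_string-only keys are no longer accepted`, or map the common keys before merging. The fix touches only the Version5 driver; if other driver versions build the same `query_string` clause they would keep passing end-user input through the Lucene query parser, which this hunk does not show. The body of `fulltext()` ends outside the hunk.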