
search/FTS: injection & tokenizer configuration #9

@thenotespublisher

Description


Impact: User input used in FTS without sanitization can produce unexpected results; tokenization affects recall/precision.
FTS queries may be built from raw user strings (special chars, boolean tokens).

Fix:

- Always parameterize FTS queries or sanitize special tokens.
- Choose/tokenize language appropriately (simple tokenizer vs unicode61) and document.
- Add unit tests for edge cases (quotes, AND/OR, punctuation).

Snippet:

```sql
-- the FTS table itself must be in FROM for MATCH to resolve; bind the query as a parameter
SELECT * FROM messages_fts WHERE messages_fts MATCH ? -- use parameter
```
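The point worth making explicit for this fix: a bound parameter stops SQL injection, but the bound string is still parsed as FTS query syntax, so `OR`, `NOT`, `*`, `:` and an unbalanced `"` from a user can widen the search or raise a syntax error. The following is an added example (not code from this issue or the project) written against SQLite FTS5 through Python's sqlite3. It assumes an FTS5 table named `messages_fts` with a single assumed column `body`, the `unicode61` tokenizer, and four constructed sample rows; the function names `search_unsafe`, `search_param_raw`, `fts_quote` and `search_safe` are illustrative, not project APIs.

```python
"""Safe construction of SQLite FTS5 MATCH queries from user input.

Added example, not project code. Assumes: SQLite built with FTS5, a table
messages_fts with one assumed column `body`, and constructed sample rows.
"""
import sqlite3

# Constructed sample data; rowids 1..4 are assigned in insertion order.
SAMPLE_MESSAGES = [
    "Quarterly numbers look good, send them to alice",
    "secret: rotate the deploy key before Friday",
    "bob asked whether alice is back from leave",
    "Meeting in Zürich on Monday",
]


def fts5_available():
    """True if the linked SQLite library was compiled with FTS5."""
    try:
        sqlite3.connect(":memory:").execute("CREATE VIRTUAL TABLE t USING fts5(x)")
        return True
    except sqlite3.OperationalError:
        return False


def build_demo_db():
    """In-memory FTS5 table using unicode61, which lower-cases and strips
    diacritics by default (remove_diacritics=1), so 'Zürich' is indexed as
    'zurich'. The 'ascii' tokenizer would leave the ü unfolded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE VIRTUAL TABLE messages_fts USING fts5(body, tokenize='unicode61')")
    conn.executemany("INSERT INTO messages_fts(body) VALUES (?)",
                     [(m,) for m in SAMPLE_MESSAGES])
    return conn


def search_unsafe(conn, user_text):
    """Vulnerable on purpose: user text spliced into the SQL literal, so a
    quote in the input rewrites the statement (classic SQL injection)."""
    sql = f"SELECT rowid FROM messages_fts WHERE messages_fts MATCH '{user_text}'"
    return sorted(r[0] for r in conn.execute(sql))


def search_param_raw(conn, user_text):
    """Parameterised, so no SQL injection, but the bound string is still
    parsed as FTS5 query syntax: OR/AND/NOT, '*', ':' and an unbalanced '"'
    let the user widen the query or trigger 'fts5: syntax error'."""
    rows = conn.execute(
        "SELECT rowid FROM messages_fts WHERE messages_fts MATCH ?", (user_text,))
    return sorted(r[0] for r in rows)


def fts_quote(user_text, prefix=False):
    """Turn free text into an FTS5 query in which every token is literal.

    Each whitespace-separated token becomes a double-quoted string with
    embedded quotes doubled, so OR/AND/NOT, '*', ':' and '(' lose their
    operator meaning and FTS5 runs the table tokenizer over the quoted text.
    Tokens are joined by a space, which FTS5 treats as implicit AND. With
    prefix=True each token becomes a prefix query ("ali"*). Returns '' when
    the input holds no tokens.
    """
    parts = []
    for tok in user_text.split():
        quoted = '"' + tok.replace('"', '""') + '"'
        parts.append(quoted + "*" if prefix else quoted)
    return " ".join(parts)


def search_safe(conn, user_text, prefix=False):
    """Parameterised and sanitised: only term matching is left to the user."""
    query = fts_quote(user_text, prefix=prefix)
    if not query:
        return []  # an empty MATCH string is itself an FTS5 syntax error
    rows = conn.execute(
        "SELECT rowid FROM messages_fts WHERE messages_fts MATCH ?", (query,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    conn = build_demo_db()
    print(search_unsafe(conn, "x' UNION SELECT rowid FROM messages_fts --"))  # every row
    print(search_param_raw(conn, "alice OR secret"))  # OR widened the search to 3 rows
    print(search_safe(conn, "alice OR secret"))       # 'OR' is now just a required word
    print(search_safe(conn, 'secret"'))               # stray quote no longer errors
    print(search_safe(conn, "zurich"))                # unicode61 folded ü to u
```

The quoting approach is deliberately conservative: it gives up user-typed boolean operators in exchange for a query whose only remaining behaviour is term (or prefix) matching, which is the right default for a notes search box; if operators are wanted, expose them through explicit UI controls and build the query server-side. The tests for the edge cases named in this issue (quotes, AND/OR, punctuation, empty input) are the assertions a unit test for `fts_quote` and `search_safe` should carry.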
