\Drupal\user\Plugin\EntityReferenceSelection\UserSelection::entityQueryAlter() should escape the fake condition column on replacement

July 18, 2018, 3:23 am

≫ Next: Private file download returns access denied, when file attached to node revision other than current

≪ Previous: Exposed filter reset redirects user to 404 page on AJAX view when placed as a block

Problem/Motivation

\Drupal\user\Plugin\EntityReferenceSelection\UserSelection::entityQueryAlter() does a str_replace() on sql without accounting for the underlying escaping strategy.

Proposed resolution

Use escapeField()

This is not testable but if all identifiers are quoted as per #2986452: Database reserved keywords need to be quoted as per the ANSI standard then this will become a problem. It already is a problem for contrib or custom db drivers that do anything interesting in escapeField().

\Drupal\user\Plugin\EntityReferenceSelection\UserSelection::entityQueryAlter() should escape the fake condition column on replacement

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes