BUGFIX: Use multi_match instead of query_string
By using ``multi_match`` instead of ``query_string`` within our search
query, we prevent the accidental injection of Lucene search query
strings. Currently an exception is thrown when adding ``"`` to your search query.

Using ``multi_match`` instead should lead to the same quality of results
and is less prone to user errors, because in 99% of cases the search is
used for classic search terms and no end user is expected to know the
compact Lucene query string syntax.

see: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-multi-match-query.html
see: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-query-string-query.html
see: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-query-string-query.html#query-string-syntax
gerhard-boden committed Jun 25, 2019
1 parent 618da54 commit 3f90605
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions Classes/Driver/Version5/Query/FilteredQuery.php
Expand Up @@ -61,6 +61,7 @@ public function fulltext(string $searchWord, array $options = []): void
{
$this->appendAtPath('query.bool.must', [
'query_string' => array_merge($options, [
// 'multi_match' => array_merge($options, [
'query' => $searchWord,
'fields' => ['__fulltext*']
])
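Review bot: The only added line in fulltext() is the commented-out `// 'multi_match' => array_merge($options, [`, while the active `'query_string' => array_merge($options, [` line above it is untouched (1 addition, 0 deletions), so `$searchWord` is still parsed as Lucene query string syntax and a `"` in the search term will still hit the exception the commit message describes. Replace the `query_string` line with the `multi_match` one instead of adding it as a comment. Since `$options` is merged into the query body as-is, also check that the keys callers pass are valid for `multi_match`, and consider a test that calls fulltext() with a term containing `"` to confirm the behaviour actually changed.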