From 95422f71bac3b27104726739ec1f7505799980d2 Mon Sep 17 00:00:00 2001
From: Bryan Ashby
Date: Fri, 1 Jun 2018 20:16:08 -0600
Subject: [PATCH] Fix possible SQL injection in file tags search

---
 core/file_entry.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/file_entry.js b/core/file_entry.js
index 169bbb74..f6b86c64 100644
--- a/core/file_entry.js
+++ b/core/file_entry.js
@@ -548,7 +548,7 @@ module.exports = class FileEntry {
 if(filter.tags && filter.tags.length > 0) {
 // build list of quoted tags; filter.tags comes in as a space and/or comma separated values
- const tags = filter.tags.replace(/,/g, ' ').replace(/\s{2,}/g, ' ').split(' ').map( tag => `"${tag}"` ).join(',');
+ const tags = filter.tags.replace(/,/g, ' ').replace(/\s{2,}/g, ' ').split(' ').map( tag => `"${sanatizeString(tag)}"` ).join(',');
 appendWhereClause( `f.file_id IN (