Open
Description
A search query with unexpected input results in a hard error on the server and an error returned in the GQL response.
E.g. searching for `syst em` returns `ES query failed. See server logs.`
because the request fails here:
```rust
// validate field_value for possible no-sql injection
if NO_SQL_STRING_INVALIDATION_REGEX.is_match(&starts_with) {
    error!("Invalid starts_with: {}", starts_with);
    return Err(()); // unit error: the caller can only report a generic failure
}
```
The values should be validated on the client and then again on the server, with a descriptive error returned to the caller, before they ever reach the ES query layer.
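One way to do the server-side check described above, as an added example that is not the project's own code: validate the search term at the API boundary and return a typed, user-facing error instead of `Err(())`. The rejected character set is an assumption standing in for `NO_SQL_STRING_INVALIDATION_REGEX`, which the issue does not show.

```rust
// Added example, not the project's code. Assumption: the project's
// NO_SQL_STRING_INVALIDATION_REGEX rejects internal whitespace and
// query-metacharacters; the character set below is a stand-in for it.
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum SearchInputError {
    Empty,
    TooLong { max: usize, got: usize },
    InvalidChar { ch: char, pos: usize },
}

impl fmt::Display for SearchInputError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Empty => write!(f, "search term is empty"),
            Self::TooLong { max, got } => write!(f, "search term is {got} chars, max is {max}"),
            Self::InvalidChar { ch, pos } => write!(f, "character {ch:?} at position {pos} is not allowed"),
        }
    }
}

const MAX_LEN: usize = 64;

/// Validate a raw search term before it is used to build an ES query.
/// Returns the trimmed term on success, or a typed error the GQL layer can
/// map to a client error instead of the internal "ES query failed" message.
pub fn validate_search_term(raw: &str) -> Result<String, SearchInputError> {
    let term = raw.trim();
    if term.is_empty() {
        return Err(SearchInputError::Empty);
    }
    let got = term.chars().count();
    if got > MAX_LEN {
        return Err(SearchInputError::TooLong { max: MAX_LEN, got });
    }
    for (pos, ch) in term.chars().enumerate() {
        // Reject internal whitespace (the "syst em" case) and characters that
        // could change the meaning of a query string if they were interpolated.
        if ch.is_whitespace() || matches!(ch, '"' | '\'' | '{' | '}' | '[' | ']' | '\\' | '$') {
            return Err(SearchInputError::InvalidChar { ch, pos });
        }
    }
    Ok(term.to_string())
}

/// Message the GQL response should carry for a rejected term.
pub fn gql_error_message(err: &SearchInputError) -> String {
    format!("Invalid search input: {err}")
}
```

Calling `validate_search_term("syst em")` yields `InvalidChar { ch: ' ', pos: 4 }`, so the GQL response can say exactly which character was rejected rather than pointing the user at server logs.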
Relates to #30