| author | mike bayer <mike_mp@zzzcomputing.com> | 2022-10-28 13:59:05 +0000 |
|---|---|---|
| committer | Gerrit Code Review <gerrit@ci3.zzzcomputing.com> | 2022-10-28 13:59:05 +0000 |
| commit | 2833aa2afbd6b1529913e6ceaa565cff6e29ba95 (patch) | |
| tree | 3a7a46dbd98e56846fef41811af5cb8bca6a9c91 /lib/sqlalchemy | |
| parent | 718d9570f278be47eae2dc5dae0d218052aeffb9 (diff) | |
| parent | caa9f0ff98d44359f5162bca8e7fe7bcaa2989a7 (diff) | |
| download | sqlalchemy-2833aa2afbd6b1529913e6ceaa565cff6e29ba95.tar.gz | |
Merge "apply basic escaping to anon_labels unconditionally" into main
Diffstat (limited to 'lib/sqlalchemy')
| -rw-r--r-- | lib/sqlalchemy/sql/elements.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/sqlalchemy/sql/elements.py b/lib/sqlalchemy/sql/elements.py
index 8167dc7e4..3f4381c1a 100644
--- a/lib/sqlalchemy/sql/elements.py
+++ b/lib/sqlalchemy/sql/elements.py
@@ -5063,8 +5063,13 @@ class _anonymous_label(_truncated_label):
 sanitize_key: bool = False,
 ) -> _anonymous_label:
+ # need to escape chars that interfere with format
+ # strings in any case, issue #8724
+ body = re.sub(r"[%\(\) \$]+", "_", body)
+
 if sanitize_key:
- body = re.sub(r"[%\(\) \$]+", "_", body).strip("_")
+ # sanitize_key is then an extra step used by BindParameter
+ body = body.strip("_")
 label = "%%(%d %s)s" % (seed, body.replace("%", "%%"))
 if enclosing_label: |
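Review bot: On the context line `label = "%%(%d %s)s" % (seed, body.replace("%", "%%"))`, the `body.replace("%", "%%")` call can no longer match anything, because the new unconditional `re.sub` has already turned every `%` in `body` into `_`. Either drop it (`label = "%%(%d %s)s" % (seed, body)`) or keep it on purpose with a comment such as `# defensive: body is already %-free after the re.sub above`, so a later edit to the character class does not quietly reopen the format-string problem. The substitution is also lossy for every caller now: bodies that differ only in the escaped characters (`a b` and `a(b`) collapse to the same text, so uniqueness rests on `seed` alone, which is presumably enough but worth pinning in a test. The enclosing method starts and ends outside the hunk.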
