Avoid multiple escapes (#15509)
diff --git a/erpnext/controllers/queries.py b/erpnext/controllers/queries.py
index 8a1f799..85a6310 100644
--- a/erpnext/controllers/queries.py
+++ b/erpnext/controllers/queries.py
@@ -208,9 +208,8 @@
limit %(start)s, %(page_len)s """.format(
fcond=get_filters_cond(doctype, filters, conditions),
mcond=get_match_cond(doctype),
- key=searchfield),
- {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ key=searchfield), {
+ 'txt': '%' + txt + '%',
'_txt': txt.replace("%", ""),
'start': start or 0,
'page_len': page_len or 20
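Review bot: `searchfield` is still spliced into the statement through `.format(key=searchfield)` in this hunk, so once `txt` is bound as a parameter the column name is the one input left unbound. If `searchfield` can arrive from the request (not visible here), check it against the doctype's known columns before formatting, e.g. `if searchfield not in valid_columns: frappe.throw("Invalid search field")`, where `valid_columns` is a placeholder for whatever field list the caller has. The same applies to `key=searchfield` in the two later hunks of this file and to `{key}` in party_type.py, where the backticks do not help if the value itself contains a backtick. The query text and the enclosing function begin outside the hunk.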
@@ -353,7 +352,7 @@
{condition} {match_condition}
order by idx desc, name"""
.format(condition=condition, match_condition=get_match_cond(doctype), key=searchfield), {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ 'txt': '%' + txt + '%',
'company': filters.get("company", "")
})
@@ -378,7 +377,7 @@
.format(condition=condition, key=searchfield,
match_condition=get_match_cond(doctype)), {
'company': filters.get("company", ""),
- 'txt': frappe.db.escape('%' + txt + '%')
+ 'txt': '%' + txt + '%'
})
diff --git a/erpnext/projects/doctype/task/task.py b/erpnext/projects/doctype/task/task.py
index b341325..9426a91 100755
--- a/erpnext/projects/doctype/task/task.py
+++ b/erpnext/projects/doctype/task/task.py
@@ -166,10 +166,13 @@
where %(key)s like %(txt)s
%(mcond)s
order by name
- limit %(start)s, %(page_len)s """ % {'key': searchfield,
- 'txt': frappe.db.escape('%' + txt + '%'),
- 'mcond':get_match_cond(doctype),
- 'start': start, 'page_len': page_len})
+ limit %(start)s, %(page_len)s""" % {
+ 'key': searchfield,
+ 'txt': frappe.db.escape('%' + txt + '%'),
+ 'mcond':get_match_cond(doctype),
+ 'start': start,
+ 'page_len': page_len
+ })
@frappe.whitelist()
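Review bot: This query is still assembled with Python `%` formatting rather than bound parameters, so only `txt` is escaped while `searchfield`, `start` and `page_len` go into the SQL text as-is. Passing `txt`, `start` and `page_len` in a separate parameter dict, as the other files in this commit do, would let the driver bind them; `mcond` and the column name would still need to be formatted in. Whether `like %(txt)s` relies on `frappe.db.escape` supplying the surrounding quotes cannot be seen from here, so confirm that before changing the escape call. `limit {start}, {page_length}` in point_of_sale.py and `limit {0}, {1}` in item_alternative.py format the paging values the same way; wrapping them in `int(...)` before formatting, or binding them, would close that. The statement starts outside the hunk.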
diff --git a/erpnext/projects/doctype/timesheet/timesheet.py b/erpnext/projects/doctype/timesheet/timesheet.py
index c6f405d..c51e3d9 100644
--- a/erpnext/projects/doctype/timesheet/timesheet.py
+++ b/erpnext/projects/doctype/timesheet/timesheet.py
@@ -223,7 +223,7 @@
and tsd.parent LIKE %(txt)s {condition}
order by tsd.parent limit %(start)s, %(page_len)s"""
.format(condition=condition), {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ 'txt': '%' + txt + '%',
"start": start, "page_len": page_len, 'project': filters.get("project")
})
diff --git a/erpnext/selling/page/point_of_sale/point_of_sale.py b/erpnext/selling/page/point_of_sale/point_of_sale.py
index 00e4de1..e7ea4cd 100644
--- a/erpnext/selling/page/point_of_sale/point_of_sale.py
+++ b/erpnext/selling/page/point_of_sale/point_of_sale.py
@@ -60,11 +60,15 @@
where
i.disabled = 0 and i.has_variants = 0 and i.is_sales_item = 1
and i.item_group in (select name from `tabItem Group` where lft >= {lft} and rgt <= {rgt})
- and {condition} limit {start}, {page_length}""".format(start=start,page_length=page_length,lft=lft, rgt=rgt, condition=condition),
- {
- 'item_code': item_code,
+ and {condition} limit {start}, {page_length}""".format(
+ start=start,
+ page_length=page_length,
+ lft=lft,
+ rgt=rgt,
+ condition=condition
+ ), {
'price_list': price_list
- } , as_dict=1)
+ }, as_dict=1)
res = {
'items': res
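Review bot: The parameter dict no longer carries `item_code`, so if `condition` (built outside this hunk) still contains a `%(item_code)s` placeholder the query will fail at execution. If `condition` now embeds the search text directly instead, that text has to be escaped at the point where `condition` is built, since it reaches the SQL through `.format(condition=condition)`. If that is what happens, a short comment beside the dict such as `# search text is escaped where condition is built` would stop a later reader from re-adding or double-escaping it.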
diff --git a/erpnext/setup/doctype/party_type/party_type.py b/erpnext/setup/doctype/party_type/party_type.py
index fd044bc..b29c305 100644
--- a/erpnext/setup/doctype/party_type/party_type.py
+++ b/erpnext/setup/doctype/party_type/party_type.py
@@ -20,6 +20,6 @@
where `{key}` LIKE %(txt)s {cond}
order by name limit %(start)s, %(page_len)s"""
.format(key=searchfield, cond=cond), {
- 'txt': frappe.db.escape('%' + txt + '%'),
+ 'txt': '%' + txt + '%',
'start': start, 'page_len': page_len
})
diff --git a/erpnext/stock/doctype/item_alternative/item_alternative.py b/erpnext/stock/doctype/item_alternative/item_alternative.py
index 93ec5fd..8e54539 100644
--- a/erpnext/stock/doctype/item_alternative/item_alternative.py
+++ b/erpnext/stock/doctype/item_alternative/item_alternative.py
@@ -35,6 +35,6 @@
where alternative_item_code = %(item_code)s and item_code like %(txt)s
and two_way = 1) limit {0}, {1}
""".format(start, page_len), {
- "item_code": frappe.db.escape(filters.get('item_code')),
- "txt": frappe.db.escape('%' + txt + '%')
+ "item_code": filters.get('item_code'),
+ "txt": '%' + txt + '%'
})
\ No newline at end of file