From f0065af00a123df1bd8a7b44447b5951eb19a028 Mon Sep 17 00:00:00 2001
From: miteruzo
Date: Mon, 23 Mar 2026 12:19:16 +0900
Subject: [PATCH] #279
---
 backend/app/controllers/tags_controller.rb | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/backend/app/controllers/tags_controller.rb b/backend/app/controllers/tags_controller.rb
index 9652f18..45a1e33 100644
--- a/backend/app/controllers/tags_controller.rb
+++ b/backend/app/controllers/tags_controller.rb
@@ -2,8 +2,8 @@ class TagsController < ApplicationController
 def index
 post_id = params[:post]
- name = params[:name].presence
- category = params[:category].presence
+ name = params[:name].to_s.strip.presence
+ category = params[:category].to_s.strip.presence
 post_count_between = (params[:post_count_gte].presence || -1).to_i, (params[:post_count_lte].presence || -1).to_i
 post_count_between[0] = nil if post_count_between[0] < 0
@@ -36,7 +36,9 @@ class TagsController < ApplicationController
 .includes(:tag_name, tag_name: :wiki_page)
 q = q.where(posts: { id: post_id }) if post_id.present?
- q = q.where('tag_names.name LIKE ?', "%#{ name }%") if name
+ if name
+ q = q.where('tag_names.name LIKE ?', "%#{ ActiveRecord::Base.sanitize_sql_like(name) }%")
+ end
 q = q.where(category: category) if category
 q = q.where('tags.post_count >= ?', post_count_between[0]) if post_count_between[0]
 q = q.where('tags.post_count <= ?', post_count_between[1]) if post_count_between[1]
@@ -77,7 +79,7 @@ class TagsController < ApplicationController
 alias_rows = TagName
- .where('name LIKE ?', "#{ q }%")
+ .where('name LIKE ?', "#{ ActiveRecord::Base.sanitize_sql_like(q) }%")
 .where.not(canonical_id: nil)
 .pluck(:canonical_id, :name)
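Review bot: The escaped `name` in the new `tag_names.name LIKE ?` pattern only stays literal if the database treats backslash as the LIKE escape character, because the query carries no `ESCAPE` clause; `sanitize_sql_like` escapes `%`, `_` and `\` with a backslash, which MySQL and PostgreSQL honour by default but SQLite does not. If this app can run on SQLite (for example in test), an explicit `ESCAPE` clause would make the intent independent of the adapter, and a one-line comment above the `if name` block, such as `# escape % and _ so user input cannot act as a LIKE wildcard`, would tell the next reader why the helper is there. `index` starts before this hunk, so `name` is only known to be stripped and blank-checked from the first hunk. The same prefix-LIKE construction recurs in the two later hunks.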
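Review bot: The helper is spelled `sanitize_sql_like` here, but both added lines of the next hunk (`@@ -97,7 +99,8 @@`) call `ActiveRecord::Base.sanitise_sql_like`; ActiveRecord only defines the `sanitize_sql_like` spelling, so that branch would raise NoMethodError at request time and the endpoint would answer with a 500 instead of a filtered result whenever it is reached. The fix is to use the same name there: `*(with_nico ? ['nico', "nico:#{ ActiveRecord::Base.sanitize_sql_like(q) }%"] : []),` and `"#{ ActiveRecord::Base.sanitize_sql_like(q) }%")`, and since the escaped value is interpolated twice, computing it once as `escaped_q = ActiveRecord::Base.sanitize_sql_like(q)` before the `.where` would avoid the duplication. The enclosing method starts and ends outside this hunk, so whether `q` is stripped and blank-checked the way `name` is in the first hunk cannot be confirmed from the diff.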
@@ -97,7 +99,8 @@ class TagsController < ApplicationController
 base
 .where(((with_nico ? '(tags.category = ? AND tag_names.name LIKE ?) OR ' : '') + 'tag_names.name LIKE ?'),
- *(with_nico ? ['nico', "nico:#{ q }%"] : []), "#{ q }%")
+ *(with_nico ? ['nico', "nico:#{ ActiveRecord::Base.sanitise_sql_like(q) }%"] : []),
+ "#{ ActiveRecord::Base.sanitise_sql_like(q) }%")
 tags = if canonical_ids.present?