From cb5166e0227ed79d6cdcf688f05016e2fa4f9bd1 Mon Sep 17 00:00:00 2001
From: Tim Su
Date: Tue, 24 May 2011 16:14:33 -0700
Subject: [PATCH] Fix for unescaped sql in custom filter tags

---
 .../com/todoroo/astrid/core/CustomFilterActivity.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/astrid/plugin-src/com/todoroo/astrid/core/CustomFilterActivity.java b/astrid/plugin-src/com/todoroo/astrid/core/CustomFilterActivity.java
index e0f9d73a1..e0bac43da 100644
--- a/astrid/plugin-src/com/todoroo/astrid/core/CustomFilterActivity.java
+++ b/astrid/plugin-src/com/todoroo/astrid/core/CustomFilterActivity.java
@@ -37,6 +37,7 @@ import com.todoroo.andlib.service.DependencyInjectionService;
 import com.todoroo.andlib.sql.Criterion;
 import com.todoroo.andlib.sql.Field;
 import com.todoroo.andlib.sql.Query;
+import com.todoroo.andlib.sql.UnaryCriterion;
 import com.todoroo.astrid.activity.TaskListActivity;
 import com.todoroo.astrid.api.AstridApiConstants;
 import com.todoroo.astrid.api.CustomFilterCriterion;
@@ -435,7 +436,7 @@ public class CustomFilterActivity extends ListActivity {
 if(instance.criterion.sql == null)
 sql.append(TaskCriteria.activeAndVisible()).append(' ');
 else {
-String subSql = instance.criterion.sql.replace("?", value);
+String subSql = instance.criterion.sql.replace("?", UnaryCriterion.sanitize(value));
 subSql = PermaSql.replacePlaceholders(subSql);
 sql.append(Task.ID).append(" IN (").append(subSql).append(") ");
 }
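Review bot: Escaping the substituted value on the `+` line only protects the query when every `?` in `instance.criterion.sql` sits inside single quotes, and since the hunk does not show the body of `UnaryCriterion.sanitize`, that precondition should be recorded next to the call, e.g. `// every '?' in criterion.sql must be inside single quotes: sanitize() escapes the value for a quoted context only`, assuming sanitize is a quote-escaper. `PermaSql.replacePlaceholders(subSql)` still runs after the user-supplied value has been spliced into the template, so a placeholder token appearing in `value` would be expanded rather than kept as data; running expansion on the template first, `subSql = PermaSql.replacePlaceholders(instance.criterion.sql); subSql = subSql.replace("?", UnaryCriterion.sanitize(value));`, confines expansion to the criterion's own text, provided PermaSql placeholders never contain a `?`. Assembling the WHERE clause by string replacement remains the underlying weakness; binding `value` as a query argument would remove it, if the query API used here supports that. The enclosing method starts and ends outside the hunk.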