From 36871844648e0e82ecb0608463c7436c7b9cb44a Mon Sep 17 00:00:00 2001
From: Michael Lyons
Date: Mon, 17 Nov 2025 17:32:04 -0500
Subject: [PATCH] Plug SQLi in test utility function
---
 test/test_docset.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/test/test_docset.py b/test/test_docset.py
index c19ee26..a8692be 100644
--- a/test/test_docset.py
+++ b/test/test_docset.py
@@ -59,12 +59,13 @@ def _test_a_doc_page_index(
 contains_lenient: list[tuple[str,str]] | None = None,
 not_contains: list[tuple[str,str]] | None = None,
 ):
- sql = f'''
+ sql = '''
 SELECT type, name
 FROM searchIndex
- WHERE path LIKE '{path}#%'
+ WHERE path LIKE :path_like
 '''
- res = self.cur.execute(sql)
+ data = {'path_like': f'{path}#%'}
+ res = self.cur.execute(sql, data)
 items = res.fetchall()
 for pair in contains_lenient or []:
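Review bot: `%` and `_` inside `path` are still interpreted as LIKE wildcards in `WHERE path LIKE :path_like`, because parameter binding only stops the value from escaping the string literal; it does not neutralise pattern characters. A page path containing an underscore can therefore match rows belonging to other pages, so the `contains_lenient` / `not_contains` checks that consume `items` may pass or fail on the wrong rows. If the cursor is SQLite (the named `:path_like` style suggests sqlite3, but the connection setup is outside the hunk), an exact prefix comparison avoids pattern syntax entirely: `WHERE substr(path, 1, length(:prefix)) = :prefix` with `data = {'prefix': f'{path}#'}`. That comparison is case-sensitive, unlike SQLite's default LIKE, so confirm no caller relies on case-insensitive matching. The function signature begins above the hunk and the assertion loops continue below it.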