id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28680	Document that Func.__init__()'s **extra and as_sql()'s **extra_context aren't escaped	Hynek Cernoch	nobody	"I found an SQL injection possibility due to unclear documentation about query expressions:

`class Func(*expressions, **extra)`

If unsafe user input is passed via the keyword parameters `extra`, it is unprotected, while positional parameters are protected by compile and by being passed through the SQL execute parameters, never merged into the SQL by % formatting.
{{{
from django.db.models import Func

class Position(Func):
    function = 'POSITION'
    # substring is filled in by %-formatting of the template, not bound as a
    # query parameter, so it lands in the SQL text without any escaping
    template = ""%(function)s('%(substring)s' in %(expressions)s)""

    def __init__(self, expression, substring):
        # expression is compiled and parameterised; substring goes into **extra
        super(Position, self).__init__(expression, substring=substring)
}}}"	Cleanup/optimization	closed	Documentation	1.11	Normal	fixed			Accepted	1	0	0	0	0	0
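The mechanism behind the ticket, as an added stand-alone example (not code from the ticket, the reporter, or Django itself): a miniature of `Func.as_sql()` that compiles positional expressions to `(sql, params)` and merges `**extra` and `**extra_context` into the template with `%`-formatting, exactly the split the ticket describes. It runs on SQLite's `instr()` instead of PostgreSQL's `POSITION(... IN ...)` and uses the `?` placeholder of `sqlite3` where Django would emit `%s`. `Col`, `Value`, `UnsafePosition`, `SafePosition`, `run`, `SCHEMA` and `PAYLOAD` are names and constructed data chosen for this example; the hardened class shows the remedy of wrapping the user string in a `Value()` expression so it travels as a bound parameter.

```python
import sqlite3


class Value:
    """A literal that is always bound as a query parameter (stands in for
    django.db.models.Value; real Django emits a %s placeholder, sqlite3 uses ?)."""

    def __init__(self, value):
        self.value = value

    def as_sql(self):
        return "?", [self.value]


class Col:
    """A column reference. Column names are developer-chosen identifiers,
    never end-user input, so quoting them as identifiers is enough."""

    def __init__(self, name):
        self.name = name

    def as_sql(self):
        return '"%s"' % self.name, []


class Func:
    """Miniature of django.db.models.Func: positional expressions are compiled to
    (sql, params); everything in **extra / **extra_context is %-formatted into
    the template as raw text."""

    function = None
    template = "%(function)s(%(expressions)s)"
    arg_joiner = ", "

    def __init__(self, *expressions, **extra):
        self.source_expressions = list(expressions)
        self.extra = extra

    def as_sql(self, **extra_context):
        sql_parts, params = [], []
        for arg in self.source_expressions:
            arg_sql, arg_params = arg.as_sql()
            sql_parts.append(arg_sql)
            params.extend(arg_params)
        data = {"function": self.function, "expressions": self.arg_joiner.join(sql_parts)}
        data.update(self.extra)        # raw strings land in the SQL text, unescaped
        data.update(extra_context)     # same for as_sql(**extra_context)
        return self.template % data, params


class UnsafePosition(Func):
    """The ticket's pattern on SQLite's instr(): substring travels via **extra."""

    function = "instr"
    template = "%(function)s(%(expressions)s, '%(substring)s')"

    def __init__(self, expression, substring):
        super().__init__(expression, substring=substring)


class SafePosition(Func):
    """Hardened form: the user string is wrapped in Value(), so it is a positional
    expression and therefore a bound parameter, never template text."""

    function = "instr"

    def __init__(self, expression, substring):
        super().__init__(expression, Value(substring))


# Constructed sample data: a table the query is meant to read and one it is not.
SCHEMA = """
CREATE TABLE post (id INTEGER PRIMARY KEY, body TEXT);
INSERT INTO post (body) VALUES ('hello world');
CREATE TABLE secret (id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO secret (token) VALUES ('s3cr3t-api-token');
"""

# Attacker-controlled "substring": closes the string literal and concatenates a subquery.
PAYLOAD = "') || (SELECT token FROM secret) || ('"


def run(func):
    """Render func into a SELECT and execute it on a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql, params = func.as_sql()
    return conn.execute("SELECT %s FROM post" % sql, params).fetchall()


if __name__ == "__main__":
    print(UnsafePosition(Col("body"), PAYLOAD).as_sql())
    print(run(UnsafePosition(Col("body"), PAYLOAD)))  # the secret token comes back
    print(SafePosition(Col("body"), PAYLOAD).as_sql())
    print(run(SafePosition(Col("body"), PAYLOAD)))    # 0: payload is just text to search for
    print(run(SafePosition(Col("body"), "world")))    # 7: ordinary lookup still works
```

With the unsafe class the rendered SQL is `instr("body", '') || (SELECT token FROM secret) || ('')` with an empty parameter list, and the row returned is the secret token glued onto instr's result; the safe class renders `instr("body", ?)` with the payload as its single parameter and returns 0, because the whole payload is matched as a literal string. Note that the miniature does the same for `as_sql(**extra_context)`, which is the second half of what the ticket asks to document.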
