From d8e91cae329d69f419d9ac4ea3bed57155a98d3a Mon Sep 17 00:00:00 2001
From: Suraj Shetty
Date: Fri, 23 Apr 2021 01:20:47 +0530
Subject: [PATCH] fix: Strip comments before sanitizing column_name

---
 frappe/utils/data.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/frappe/utils/data.py b/frappe/utils/data.py
index 3ffa8dc874..dbf0d0665a 100644
--- a/frappe/utils/data.py
+++ b/frappe/utils/data.py
@@ -1278,7 +1278,9 @@ def make_filter_dict(filters):
 def sanitize_column(column_name):
 	from frappe import _
+	import sqlparse
 	regex = re.compile("^.*[,'();].*")
+	column_name = sqlparse.format(column_name, strip_comments=True, keyword_case="lower")
 	blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case', 'and', 'or']
 	def _raise_exception():