Elasticsearch not properly filtering search terms for autocomplete, causing an SQL error to show when using words like "MAX" or "COUNT" etc. in product names

Not properly filtering search terms for autocomplete, causing an SQL error to show when using words like "MAX" or "COUNT" etc.

Preconditions
Magento 2.3.4 and Elasticsearch 6+ on Nexcess

Magento Version : 2.3.4

ElasticSuite Version : 6.0

Environment : production

Third party modules : no

Steps to reproduce
1. https://www.goinggreensolutions.com.au/
2. Search "eco max"
3. You can see it here: https://prnt.sc/s8v1k7

Expected result
Normal search results:
{
"title": "Eco",
"num_results": "242"
},
Actual result
[Screenshot, logs] SQL error:
https://www.goinggreensolutions.com.au/search/ajax/suggest/?q=eco+max&_=1588277353486
{
"title": "eco max brush' AND 9307=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (9307=9307) THEN 1 ELSE 0 EN",
"num_results": "267"
}

The extra SQL parts here are being added to your documents before they get added into Elasticsearch, I think. How are you indexing data? Is this through some third-party database?

So this site is hosted at Nexcess on the cloud server.

It's just a standard Magento 2 installation and we chose their Elasticsearch 6+ container. It's a 1-click installation and we are on 2.3.4, which has Elasticsearch support out of the box.

So basically, besides going to the M2 admin and saying use Elasticsearch 6+ and clicking the button in the Nexcess portal that says "enable elastic search container", we haven't done anything else.

It's a MySQL DB, just your standard Magento 2.3.4 installation, nothing custom.

Scott

I'm afraid I don't know anything about Nexcess or Magento 2, but it sounds like it's a bug in whatever is doing the indexing. Elasticsearch doesn't use SQL internally for anything, so these extra bits of code must be coming from elsewhere.
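A quick way to check the reply above against the site's own data is to pull the suggest endpoint's JSON (the `[{"title": ..., "num_results": ...}, ...]` shape shown earlier in the thread) and look for titles that carry injection residue rather than ordinary words. The script below is an added example written for this thread; it is not code from Magento, Elasticsearch or Nexcess. The pattern names, the heuristics and the sample response are assumptions of the example (the sample reuses the polluted title quoted in the thread and adds a few made-up entries). Plain terms like "eco max" or "count ..." are left alone, which is the point: the word "max" is not what triggers this, a stored term that already contains SQL is.

```python
import json
import re

# Constructed sample shaped like the /search/ajax/suggest/ response in the thread.
# Entry 2 is the polluted title quoted above; the other entries are made up.
SAMPLE_SUGGEST_RESPONSE = r"""[
  {"title": "Eco", "num_results": "242"},
  {"title": "eco max brush' AND 9307=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (9307=9307) THEN 1 ELSE 0 EN", "num_results": "267"},
  {"title": "eco max", "num_results": "12"},
  {"title": "count of monte cristo", "num_results": "3"},
  {"title": "max brush\" OR 1=1 -- ", "num_results": "1"}
]"""

# Heuristics for SQL residue in stored search terms. These are assumptions of
# this example, not rules taken from Magento or Elasticsearch. Each one looks
# for SQL *syntax*, never for bare words, so product names stay unflagged.
SUSPICIOUS_PATTERNS = {
    # a quote immediately followed by a boolean tautology: ' AND 1=  /  " OR 1=
    "quote_then_boolean": re.compile(r"""['"]\s*(?:and|or)\s+\d+\s*=""", re.I),
    # SQL function / subquery opener: CAST(  CHR(  SELECT (  SLEEP( ...
    "sql_function_call": re.compile(
        r"\b(?:select|union|cast|chr|char|sleep|benchmark|pg_sleep)\s*\(", re.I),
    # CASE WHEN ... expressions used by boolean-based probes
    "case_expression": re.compile(r"\bcase\s+when\b", re.I),
    # trailing comment marker or a statement terminator followed by a DML verb
    "comment_terminator": re.compile(
        r"(?:--|#|/\*)\s*$|;\s*(?:drop|delete|update|insert)\b", re.I),
}


def suspicious_markers(title):
    """Return the names of every heuristic that fires on one suggestion title."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(title)]


def find_injected_suggestions(raw_json):
    """Parse a suggest response and return the entries whose title looks like
    stored injection residue, together with the heuristics that matched."""
    entries = json.loads(raw_json)
    flagged = []
    for entry in entries:
        title = entry.get("title", "")
        markers = suspicious_markers(title)
        if markers:
            flagged.append({
                "title": title,
                "num_results": entry.get("num_results"),
                "markers": markers,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_injected_suggestions(SAMPLE_SUGGEST_RESPONSE):
        print(f"{hit['markers']}: {hit['title'][:60]!r}")
```

Run it against the live endpoint by replacing `SAMPLE_SUGGEST_RESPONSE` with the body of the suggest request. Any flagged title is a term that was accepted into whatever store feeds the suggester, so the fix belongs at the point where search terms are saved (validating or length-limiting them and purging the existing entries), not in Elasticsearch.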

Wow, so either core Magento or core Elasticsearch then, since it's a standard core installation.
