From e4a6aea90886d672f96b5d9a7cb0722e3d3654e1 Mon Sep 17 00:00:00 2001
From: Yurii
Date: Mon, 1 Jun 2026 10:46:10 +0300
Subject: [PATCH] Additional check in where checker

---
 application/Espo/Core/Select/Where/Checker.php | 4 ++++
 application/Espo/Tools/Stream/RecordService.php | 1 +
 2 files changed, 5 insertions(+)

diff --git a/application/Espo/Core/Select/Where/Checker.php b/application/Espo/Core/Select/Where/Checker.php
index 99fe1a6092..1e9270f0c1 100644
--- a/application/Espo/Core/Select/Where/Checker.php
+++ b/application/Espo/Core/Select/Where/Checker.php
@@ -119,6 +119,10 @@ class Checker
         $forbidComplexExpressions = $params->forbidComplexExpressions();
         $checkWherePermission = $params->applyPermissionCheck();
 
+        if ($attribute && str_contains($attribute, '#')) {
+            throw new Forbidden("Not allowed character in attribute.");
+        }
+
         if ($forbidComplexExpressions) {
             if (in_array($type, $this->subQueryTypeList)) {
                 throw new Forbidden("Sub-queries are forbidden in where.");
diff --git a/application/Espo/Tools/Stream/RecordService.php b/application/Espo/Tools/Stream/RecordService.php
index 90ac43ce04..960cb26bfc 100644
--- a/application/Espo/Tools/Stream/RecordService.php
+++ b/application/Espo/Tools/Stream/RecordService.php
@@ -463,6 +463,7 @@ class RecordService
            ->create()
            ->from(Attachment::ENTITY_TYPE)
            ->withSearchParams($searchParams)
+           ->withComplexExpressionsForbidden()
            ->buildQueryBuilder()
            ->where(
                Condition::in(
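Review bot: The new `#` check sits before the `$forbidComplexExpressions` branch and therefore applies to every where item regardless of what `$params` requests, unlike the sub-query check that follows it; a comment stating that this is deliberate would keep the next reader from "fixing" it by moving it into the guarded block, e.g. `// '#' is rejected for all callers, not only when complex expressions are forbidden.`. Rejecting a single character is a denylist, which is fragile if the goal is to keep `$attribute` a plain attribute name; an allowlist of the characters the checker legitimately accepts would be more robust, though the set of valid attribute forms is not visible in this hunk. The error text `"Not allowed character in attribute."` does not name the offending character — `"Character '#' is not allowed in attribute."` is clearer for API clients. The enclosing method starts and ends outside the hunk, so whether `$attribute` is declared `?string` (which `str_contains` requires under strict types) cannot be confirmed here.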
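Review bot: `withComplexExpressionsForbidden()` is added to the attachment query without a comment on why this particular query needs the restriction; `$searchParams` is passed in from outside the method (presumably request-derived, though its origin is not visible in the hunk), so a one-liner such as `// Search params are caller-supplied; disallow sub-queries and complex expressions.` would make the intent durable. Other `withSearchParams(...)` call sites that take request-derived params may warrant the same call, but none are visible in this diff. The enclosing method starts and ends outside the hunk.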