Qualify the collection on the queries, ensure search is against preview_token in serialize

src/KeyValueStore/DatabaseStorageExpirableToken.php

@@ -23,6 +23,21 @@ class DatabaseStorageExpirableToken extends DatabaseStorageExpirable {
     return parent::doSetWithExpire($key, $value, $expire);
   }
 
+  /**
+   * Escape the token value for searching within a serialized blob.
+   *
+   * @param string|null $token
+   *   The token to escape.
+   *
+   * @return string
+   *   The escaped token.
+   */
+  protected function escapeToken(?string $token): string {
+    $token = $token ?: '';
+    $token = preg_replace('/[^a-zA-Z0-9_-]/', '', $token);
+    return sprintf('%%;s:13:"preview_token";s:%d:"%s";%%', strlen($token), $token);
+  }
+
   /**
    * Load by token.
    *
@@ -33,14 +48,12 @@ class DatabaseStorageExpirableToken extends DatabaseStorageExpirable {
    *   The value.
    */
   public function getKeyByToken(?string $token) {
-    $token_length = strlen($token ?? '');
-    $token_pattern = sprintf('%%s:%s:"%s";%%', $token_length, $token);
-
     try {
       return $this->connection->query(
-        'SELECT [name] FROM {' . $this->connection->escapeTable($this->table) . '} WHERE value LIKE :token',
+        'SELECT [name] FROM {' . $this->connection->escapeTable($this->table) . '} WHERE value LIKE :token AND collection = :collection',
         [
-          ':token' => $token_pattern,
+          ':token' => $this->escapeToken($token),
+          ':collection' => $this->collection,
         ])->fetchField();
     }
     catch (\Exception $e) {
@@ -61,14 +74,13 @@ class DatabaseStorageExpirableToken extends DatabaseStorageExpirable {
   public function getTokenByKey($name) {
     try {
       $preview_blob = $this->connection->query(
-        'SELECT [value] FROM {' . $this->connection->escapeTable($this->table) . '} WHERE name = :name',
+        'SELECT [value] FROM {' . $this->connection->escapeTable($this->table) . '} WHERE name = :name AND collection = :collection',
         [
           ':name' => $name,
+          ':collection' => $this->collection,
         ])->fetchField();
 
-      $preview_object = $this->serializer->decode($preview_blob);
-
-      return $preview_object?->preview_token ?? NULL;
+      return $this->serializer->decode($preview_blob)?->preview_token ?? NULL;
     }
     catch (\Exception $e) {
       $this->catchException($e);