From 570a99d39a5b7f320ed78e9ec28e643305c00dc9 Mon Sep 17 00:00:00 2001
From: chiu
Date: Wed, 29 Apr 2020 15:59:52 +0800
Subject: [PATCH] fix security problem
---
 app/controllers/universal_tables_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/controllers/universal_tables_controller.rb b/app/controllers/universal_tables_controller.rb
index 9480191..9af6641 100644
--- a/app/controllers/universal_tables_controller.rb
+++ b/app/controllers/universal_tables_controller.rb
@@ -9,6 +9,7 @@ class UniversalTablesController < ApplicationController
 csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
 params_column = params["column"].to_s.gsub("\"",'')
 params_q = params["q"].to_s.gsub("\"",'')
+ params_no = params["page_no"].to_s.gsub("\"",'')
 table_heads = table.table_columns.where(:display_in_index => true).asc(:order).collect do |tc|
 search = ""
 sort_class = "sort"
@@ -16,7 +17,7 @@ class UniversalTablesController < ApplicationController
 form_field = ""
 query_string = ""
 query_string = "&column=#{params_column}&q=#{params_q}" if params["column"].present?
- query_string = query_string + "&page_no=#{params["page_no"]}" if params["page_no"].present?
+ query_string = query_string + "&page_no=#{params_no}" if params["page_no"].present?
 sort_url = "/#{I18n.locale.to_s}#{page.url}?sortcolumn=#{tc.key}&sort=asc#{query_string}"
 title_class = ""
 case tc.type
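Review bot: The new `params_no` in the first hunk still lets `<`, `>`, `'`, `&`, `%` and whitespace through into `sort_url` in the second hunk, because deleting only the double quote is not an encoding; whether the rendered link is HTML-escaped further down is not visible here. Since the value is only ever placed in a query string, encode it for that context instead of blacklisting one character, e.g. `params_no = ERB::Util.url_encode(params["page_no"].to_s)`, or, given it is a page number, coerce it with `params["page_no"].to_i` so nothing but digits can reach the URL. The context lines show `params_column` and `params_q` built the same way, so the same encoding applies to them; building the whole suffix with `{column: ..., q: ..., page_no: ...}.to_query` would cover all three at once. The enclosing action begins before the first hunk and the `collect` block continues past the end of the second.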