From 3842c713faa87a4015f01cf797ae059842452930 Mon Sep 17 00:00:00 2001
From: chiu
Date: Wed, 29 Apr 2020 13:29:13 +0800
Subject: [PATCH] fix security problem
---
 app/controllers/universal_tables_controller.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/app/controllers/universal_tables_controller.rb b/app/controllers/universal_tables_controller.rb
index e2f89a2..49dbe5d 100644
--- a/app/controllers/universal_tables_controller.rb
+++ b/app/controllers/universal_tables_controller.rb
@@ -10,9 +10,10 @@ class UniversalTablesController < ApplicationController
 search = ""
 sort_class = "sort"
 sort = ""
- form_field = ""
+ csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+ form_field = ""
 query_string = ""
- query_string = "&column=#{params["column"]}&q=#{params["q"]}" if params["column"].present?
+ query_string = "&column=#{params["column"].gsub("\"",'')}&q=#{params["q"].gsub("\"",'')}" if params["column"].present?
 query_string = query_string + "&page_no=#{params["page_no"]}" if params["page_no"].present?
 sort_url = "/#{I18n.locale.to_s}#{page.url}?sortcolumn=#{tc.key}&sort=asc#{query_string}"
 title_class = ""
@@ -31,7 +32,7 @@ class UniversalTablesController < ApplicationController
 when "text"
 if tc.make_categorizable
 select_values = tc.column_entries.distinct(:text).uniq
- form_field = "
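Review bot: The new query_string line only strips the double-quote character from params["column"] and params["q"] before interpolating them into sort_url, so every other character (single quotes, angle brackets, ampersands, encoded sequences) still passes through verbatim into whatever the URL is later embedded in, which a single-character blacklist does not make safe. It also calls gsub on params["q"] while the `present?` guard covers only params["column"], so a request carrying column but no q raises NoMethodError on nil. Encode the values instead of filtering one character: `query_string = "&column=#{CGI.escape(params["column"].to_s)}&q=#{CGI.escape(params["q"].to_s)}" if params["column"].present?`, and treat params["page_no"] on the following context line the same way. The added csrf_value draws from Kernel#rand, a seeded Mersenne Twister rather than a cryptographic source; if this value is meant to bind a form to the session, use `csrf_value = SecureRandom.hex(23)` (46 characters, same length) or Rails' own form_authenticity_token — its consumer is outside this hunk, so I cannot confirm which applies. The enclosing method begins before this hunk.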