fix security problem

2020-07-01 18:05:59 +08:00 · 2020-07-01 18:05:59 +08:00 · a691508205
parent 4a584b2f8f
commit a691508205
1 changed files with 9 additions and 6 deletions
--- a/app/views/announcements/index.html.erb
+++ b/app/views/announcements/index.html.erb
@ -68,13 +68,16 @@
    <div class="search_widget" style="display: flex;flex-wrap: wrap;font-size: 1.1em;">
      <%= select_tag('category',options_for_select(all_cat.concat(cats.map{|v| [v.title,v.id.to_s]}),:selected => params['category'].to_s),:id=>"category_select_box",:prompt => t('announcement.select_prompt')) %>
      <input class="search_box" type="text" name="keywords" value="<%= params['keywords'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.keywords') %>">
-      <div class="default_picker">
-        <input class="search_box" type="text" name="stime" value="<%= params['stime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.stime') %>" data-format="yyyy/mm/dd">
-      </div>
-      ~
-      <div class="default_picker">
-        <input class="search_box" type="text" name="etime" value="<%= params['etime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.etime') %>" data-format="yyyy/mm/dd">
+      <div style="display: flex;flex-wrap: wrap;">
+        <div class="default_picker">
+          <input class="search_box" type="text" name="stime" value="<%= params['stime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.stime') %>" data-format="yyyy/mm/dd">
+        </div>
+        ~
+        <div class="default_picker">
+          <input class="search_box" type="text" name="etime" value="<%= params['etime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.etime') %>" data-format="yyyy/mm/dd">
+        </div>
      </div>
+      <input type="hidden" name="authenticity_token" value="<%= (0...46).map { ('a'..'z').to_a[rand(26)] }.join %>">
      <input class="search_box" type="submit" value="<%= t('announcement.search') %>">
    </div>
  </form>