Chihyu
/
universal_table
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix security problem

This commit is contained in:
chiu 2020-04-29 15:59:52 +08:00
parent 00697b4fe1
commit 570a99d39a
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/controllers/universal_tables_controller.rb
View File

@ -9,6 +9,7 @@ class UniversalTablesController < ApplicationController
csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
params_column = params["column"].to_s.gsub("\"",'') params_column = params["column"].to_s.gsub("\"",'')
params_q = params["q"].to_s.gsub("\"",'') params_q = params["q"].to_s.gsub("\"",'')
params_no = params["page_no"].to_s.gsub("\"",'')
table_heads = table.table_columns.where(:display_in_index => true).asc(:order).collect do |tc| table_heads = table.table_columns.where(:display_in_index => true).asc(:order).collect do |tc|
search = "" search = ""
sort_class = "sort" sort_class = "sort"
@ -16,7 +17,7 @@ class UniversalTablesController < ApplicationController
form_field = "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{csrf_value}\"><input type='search' class='form-control' name='q' placeholder='Search keyword'>" form_field = "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{csrf_value}\"><input type='search' class='form-control' name='q' placeholder='Search keyword'>"
query_string = "" query_string = ""
query_string = "&column=#{params_column}&q=#{params_q}" if params["column"].present? query_string = "&column=#{params_column}&q=#{params_q}" if params["column"].present?
query_string = query_string + "&page_no=#{params["page_no"]}" if params["page_no"].present? query_string = query_string + "&page_no=#{params_no}" if params["page_no"].present?
sort_url = "/#{I18n.locale.to_s}#{page.url}?sortcolumn=#{tc.key}&sort=asc#{query_string}" sort_url = "/#{I18n.locale.to_s}#{page.url}?sortcolumn=#{tc.key}&sort=asc#{query_string}"
title_class = "" title_class = ""
case tc.type case tc.type