fix security problem

chiu 2020-07-01 18:05:59 +08:00
parent 4a584b2f8f
commit a691508205
1 changed files with 9 additions and 6 deletions


@ -68,13 +68,16 @@
<div class="search_widget" style="display: flex;flex-wrap: wrap;font-size: 1.1em;"> <div class="search_widget" style="display: flex;flex-wrap: wrap;font-size: 1.1em;">
<%= select_tag('category',options_for_select(all_cat.concat(cats.map{|v| [v.title,v.id.to_s]}),:selected => params['category'].to_s),:id=>"category_select_box",:prompt => t('announcement.select_prompt')) %> <%= select_tag('category',options_for_select(all_cat.concat(cats.map{|v| [v.title,v.id.to_s]}),:selected => params['category'].to_s),:id=>"category_select_box",:prompt => t('announcement.select_prompt')) %>
<input class="search_box" type="text" name="keywords" value="<%= params['keywords'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.keywords') %>"> <input class="search_box" type="text" name="keywords" value="<%= params['keywords'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.keywords') %>">
<div class="default_picker"> <div style="display: flex;flex-wrap: wrap;">
<input class="search_box" type="text" name="stime" value="<%= params['stime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.stime') %>" data-format="yyyy/mm/dd"> <div class="default_picker">
</div> <input class="search_box" type="text" name="stime" value="<%= params['stime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.stime') %>" data-format="yyyy/mm/dd">
~ </div>
<div class="default_picker"> ~
<input class="search_box" type="text" name="etime" value="<%= params['etime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.etime') %>" data-format="yyyy/mm/dd"> <div class="default_picker">
<input class="search_box" type="text" name="etime" value="<%= params['etime'].to_s.gsub(/\"/,'') %>" placeholder="<%= t('announcement.etime') %>" data-format="yyyy/mm/dd">
</div>
</div> </div>
<input type="hidden" name="authenticity_token" value="<%= (0...46).map { ('a'..'z').to_a[rand(26)] }.join %>">
<input class="search_box" type="submit" value="<%= t('announcement.search') %>"> <input class="search_box" type="submit" value="<%= t('announcement.search') %>">
</div> </div>
</form> </form>
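Review bot: The added hidden `authenticity_token` field is filled with 46 random lowercase letters from `rand`, so it is not bound to the session and the server has nothing to verify it against; it has the shape of a CSRF token but gives no protection. If this form changes state, emit the framework's real token instead, `<input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>">`, and make sure the receiving controller action verifies it. If it is only a read-only search (the opening `<form>` tag and its method are outside the hunk, so this is an assumption), drop the field rather than ship a placeholder, since a value that looks like a token can hide the missing check from later reviews and scanners. Separately, the unchanged `value="<%= params[...].to_s.gsub(/\"/,'') %>"` attributes depend on ERB's HTML auto-escaping for everything except the double quote, so it is worth confirming that escaping is active for this template.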