diff options
author | Frédéric Guillot <fred@kanboard.net> | 2019-01-30 22:05:43 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2019-01-30 22:05:43 -0800 |
commit | 83deec2e3621c40d15a06e2491f27571d32fe10f (patch) | |
tree | 57dbbe9384d39fb46cda44a7dfacef0d2982dd00 /app/Core | |
parent | 8cf8f9ef078b31473e9edcb4b9a61a80e3152c0c (diff) |
Avoid XSS in pagination ordering
Diffstat (limited to 'app/Core')
-rw-r--r-- | app/Core/Paginator.php | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/app/Core/Paginator.php b/app/Core/Paginator.php index 9776a03d..d805567e 100644 --- a/app/Core/Paginator.php +++ b/app/Core/Paginator.php @@ -169,10 +169,16 @@ class Paginator public function executeQuery() { if ($this->query !== null) { + $this->query ->offset($this->offset) - ->limit($this->limit) - ->orderBy($this->order, $this->direction); + ->limit($this->limit); + + if (preg_match('/^[a-zA-Z0-9._]+$/', $this->order)) { + $this->query->orderBy($this->order, $this->direction); + } else { + $this->order = ''; + } if ($this->formatter !== null) { return $this->formatter->withQuery($this->query)->format(); |