summaryrefslogtreecommitdiff
path: root/app/Core
diff options
context:
space:
mode:
authorFrédéric Guillot <fred@kanboard.net>2019-01-30 22:05:43 -0800
committerFrédéric Guillot <fred@kanboard.net>2019-01-30 22:05:43 -0800
commit83deec2e3621c40d15a06e2491f27571d32fe10f (patch)
tree57dbbe9384d39fb46cda44a7dfacef0d2982dd00 /app/Core
parent8cf8f9ef078b31473e9edcb4b9a61a80e3152c0c (diff)
Avoid XSS in pagination ordering
Diffstat (limited to 'app/Core')
-rw-r--r--app/Core/Paginator.php10
1 files changed, 8 insertions, 2 deletions
diff --git a/app/Core/Paginator.php b/app/Core/Paginator.php
index 9776a03d..d805567e 100644
--- a/app/Core/Paginator.php
+++ b/app/Core/Paginator.php
@@ -169,10 +169,16 @@ class Paginator
public function executeQuery()
{
if ($this->query !== null) {
+
$this->query
->offset($this->offset)
- ->limit($this->limit)
- ->orderBy($this->order, $this->direction);
+ ->limit($this->limit);
+
+ if (preg_match('/^[a-zA-Z0-9._]+$/', $this->order)) {
+ $this->query->orderBy($this->order, $this->direction);
+ } else {
+ $this->order = '';
+ }
if ($this->formatter !== null) {
return $this->formatter->withQuery($this->query)->format();