Merge pull request #2301 from ZeiP/feature/#2072_tag_sanitize

#2072: Remove needless sanitisation of tags. The sanitised version is…
Matt Rogers 2020-01-03 11:54:05 -06:00 committed by GitHub
commit c2a882ceac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -864,14 +864,16 @@ class TodosController < ApplicationController
def get_params_for_tag_view
filter_format_for_tag_view
# use sanitize to prevent XSS attacks
# Don't use sanitize here because these are only used for a DB query.
@tag_expr = []
@tag_expr << sanitize(params[:name]).split(',')
@tag_expr << sanitize(params[:and]).split(',') if params[:and]
# Tag conditions handled as OR.
@tag_expr << params[:name].split(',')
# Additional tag condition(s) handled as AND.
@tag_expr << params[:and].split(',') if params[:and]
i = 1
while params['and'+i.to_s]
@tag_expr << sanitize(params['and'+i.to_s]).split(',')
@tag_expr << params['and'+i.to_s].split(',')
i=i+1
end
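Review bot: The new comment in `get_params_for_tag_view` says the values are "only used for a DB query", but `@tag_expr` is an instance variable, so any view or helper can read it, and the hunk does not show how it is consumed. The method continues past the end of the hunk. Dropping `sanitize` is sound only if every consumer passes these strings to the query as bound values and any template that echoes a tag name escapes it, so I would put that invariant in the comment: `# Raw user input: use only as bound query parameters; HTML-escape if ever rendered.` Separately, `params[:name].split(',')` and the `'and'+i.to_s` lookups assume a String. A missing `name` or a nested parameter would presumably raise `NoMethodError`, which `params[:name].to_s.split(',')` avoids.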