]> git.openstreetmap.org Git - rails.git/blobdiff - app/controllers/geocoder_controller.rb
Sanitise parameters used in URL generation
index 2348425886342ec9d979a2800842da049ffef6a2..6ec2d46f8ac2db2e752909ff92fe8db49d710b42 100644 (file)
@@ -160,7 +160,9 @@ class GeocoderController < ApplicationController
     @results = []
 
     # create parameter hash for "more results" link
-    @more_params = params.merge(:exclude => more_url_params["exclude_place_ids"].first)
+    @more_params = params
+                   .permit(:query, :minlon, :minlat, :maxlon, :maxlat, :exclude)
+                   .merge(:exclude => more_url_params["exclude_place_ids"].first)
 
     # parse the response
     results.elements.each("place") do |place|
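Review bot: The whitelist added on the `@more_params` lines has no comment explaining that it is a security boundary, so a later edit could quietly go back to merging raw `params`. I would extend the existing comment with something like `# permit only the search fields so request-supplied keys such as :host or :only_path never reach URL generation`. `:exclude` is permitted and then immediately overwritten by the `.merge`, so the request's own value never survives; it could be dropped from the list or the overwrite noted in the comment. `more_url_params` is built outside this hunk, so it is worth confirming that a response without `exclude_place_ids` yields an empty array rather than `nil` before `.first` is called. The enclosing method starts and ends outside the hunk.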