From 117f0e82260efba3c6862e3aefa4b015b062a109 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 29 Jun 2017 10:55:53 +0100 Subject: [PATCH] Sanitize parameters for various paged views --- app/controllers/diary_entry_controller.rb | 2 ++ app/controllers/trace_controller.rb | 2 ++ app/views/changeset/history.html.erb | 2 +- app/views/changeset/list.html.erb | 2 +- app/views/diary_entry/list.html.erb | 4 ++-- app/views/trace/_trace_paging_nav.html.erb | 4 ++-- 6 files changed, 10 insertions(+), 6 deletions(-) diff --git a/app/controllers/diary_entry_controller.rb b/app/controllers/diary_entry_controller.rb index 19bc84ac7..1635dc0d0 100644 --- a/app/controllers/diary_entry_controller.rb +++ b/app/controllers/diary_entry_controller.rb @@ -138,6 +138,8 @@ class DiaryEntryController < ApplicationController end end + @params = params.permit(:display_name, :friends, :nearby, :language) + @page = (params[:page] || 1).to_i @page_size = 20 diff --git a/app/controllers/trace_controller.rb b/app/controllers/trace_controller.rb index b6fd2984a..916a47024 100644 --- a/app/controllers/trace_controller.rb +++ b/app/controllers/trace_controller.rb @@ -59,6 +59,8 @@ class TraceController < ApplicationController @traces = @traces.tagged(params[:tag]) if params[:tag] + @params = params.permit(:display_name, :tag) + @page = (params[:page] || 1).to_i @page_size = 20 diff --git a/app/views/changeset/history.html.erb b/app/views/changeset/history.html.erb index 7f08a40b3..1516118eb 100644 --- a/app/views/changeset/history.html.erb +++ b/app/views/changeset/history.html.erb @@ -1,6 +1,6 @@ <% content_for :auto_discovery_link_tag do -%> <% unless params[:friends] or params[:nearby] -%> - <%= auto_discovery_link_tag :atom, params.merge(:max_id => nil, :xhr => nil, :action => :feed) %> + <%= auto_discovery_link_tag :atom, @params.merge(:max_id => nil, :xhr => nil, :action => :feed) %> <% end -%> <% end -%> diff --git a/app/views/changeset/list.html.erb b/app/views/changeset/list.html.erb index 36ec59379..c44891251 100644 --- a/app/views/changeset/list.html.erb +++ b/app/views/changeset/list.html.erb @@ -4,7 +4,7 @@ <% if @edits.size == 20 -%>
- <%= link_to t('changeset.list.load_more'), url_for(params.merge(:max_id => @edits.last.id - 1)), :class => "button load_more" %> + <%= link_to t('changeset.list.load_more'), url_for(@params.merge(:max_id => @edits.last.id - 1)), :class => "button load_more" %> <%= image_tag "searching.gif", :class => "loader", :style => "display: none;" %>
<% end -%> diff --git a/app/views/diary_entry/list.html.erb b/app/views/diary_entry/list.html.erb index 0f3415fb6..756464aa2 100644 --- a/app/views/diary_entry/list.html.erb +++ b/app/views/diary_entry/list.html.erb @@ -37,13 +37,13 @@ <% if @entries.size < @page_size -%> <%= t('diary_entry.list.older_entries') %> <% else -%> - <%= link_to t('diary_entry.list.older_entries'), params.merge(:page => @page + 1 ) %> + <%= link_to t('diary_entry.list.older_entries'), @params.merge(:page => @page + 1 ) %> <% end -%> | <% if @page > 1 -%> - <%= link_to t('diary_entry.list.newer_entries'), params.merge(:page => @page - 1) %> + <%= link_to t('diary_entry.list.newer_entries'), @params.merge(:page => @page - 1) %> <% else -%> <%= t('diary_entry.list.newer_entries') %> <% end -%> diff --git a/app/views/trace/_trace_paging_nav.html.erb b/app/views/trace/_trace_paging_nav.html.erb index dea4271d2..10a563fb4 100644 --- a/app/views/trace/_trace_paging_nav.html.erb +++ b/app/views/trace/_trace_paging_nav.html.erb @@ -2,7 +2,7 @@ <% if @traces.size > 1 %> <% if @page > 1 %> -<%= link_to t('trace.trace_paging_nav.newer'), params.merge({ :page => @page - 1 }) %> +<%= link_to t('trace.trace_paging_nav.newer'), @params.merge({ :page => @page - 1 }) %> <% else %> <%= t('trace.trace_paging_nav.newer') %> <% end %> @@ -12,7 +12,7 @@ <% if @traces.size < @page_size %> <%= t('trace.trace_paging_nav.older') %> <% else %> -<%= link_to t('trace.trace_paging_nav.older'), params.merge({ :page => @page + 1 }) %> +<%= link_to t('trace.trace_paging_nav.older'), @params.merge({ :page => @page + 1 }) %> <% end %> <% end %>

-- 2.39.5