Sanitise parameters used in URL generation
[rails.git] / app / controllers / user_controller.rb
index 2ff9646e649a2c8784df78ec58891558cadc9446..430051c1755771f14db594433d1dc3e7b5bd6faa 100644 (file)
@@ -480,9 +480,11 @@ class UserController < ApplicationController
 
       redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
     else
+      @params = params.permit(:status, :ip)
+
       conditions = {}
-      conditions[:status] = params[:status] if params[:status]
-      conditions[:creation_ip] = params[:ip] if params[:ip]
+      conditions[:status] = @params[:status] if @params[:status]
+      conditions[:creation_ip] = @params[:ip] if @params[:ip]
 
       @user_pages, @users = paginate(:users,
                                      :conditions => conditions,
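Review bot: The redirect on the `if` branch still builds its URL from the raw `params[:status]`, `params[:ip]` and `params[:page]`, so only the `else` branch gains anything from the new `permit` call; if the aim is to sanitise every value that reaches `url_for`, the redirect should use the same permitted subset, e.g. `redirect_to url_for(params.permit(:status, :ip, :page).to_h)`. `@params` also omits `:page`, so any pagination link the view builds from `@params` would lose the current page — worth confirming against the template. The instance-variable name `@params` is easy to confuse with the `params` method; a name such as `@filter_params` would make clear it is the permitted filter subset. The enclosing method and its `if` begin before the hunk, and the `paginate` call continues after it.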