Sanitize parameters for various paged views

author Tom Hughes <tom@compton.nu>

Thu, 29 Jun 2017 09:55:53 +0000 (10:55 +0100)

committer Tom Hughes <tom@compton.nu>

Thu, 29 Jun 2017 09:55:53 +0000 (10:55 +0100)
author Tom Hughes <tom@compton.nu>
Thu, 29 Jun 2017 09:55:53 +0000 (10:55 +0100)
committer Tom Hughes <tom@compton.nu>
Thu, 29 Jun 2017 09:55:53 +0000 (10:55 +0100)
diff --git a/app/controllers/diary_entry_controller.rb b/app/controllers/diary_entry_controller.rb

index 19bc84ac785e6e8193235784ab1eb65f38588911..1635dc0d0a19657e717b877571eea100a0590c12 100644 (file)
--- a/app/controllers/diary_entry_controller.rb
+++ b/app/controllers/diary_entry_controller.rb
@@ -138,6 +138,8 @@ class DiaryEntryController < ApplicationController
        end
      end
  
+    @params = params.permit(:display_name, :friends, :nearby, :language)
+
      @page = (params[:page] || 1).to_i
      @page_size = 20
  
diff --git a/app/controllers/trace_controller.rb b/app/controllers/trace_controller.rb

index b6fd2984ab47373b8f457f8cdb0b53a262ce404b..916a470245541e1d3201882c9f3d6bccfc289904 100644 (file)
--- a/app/controllers/trace_controller.rb
+++ b/app/controllers/trace_controller.rb
@@ -59,6 +59,8 @@ class TraceController < ApplicationController
  
      @traces = @traces.tagged(params[:tag]) if params[:tag]
  
+    @params = params.permit(:display_name, :tag)
+
      @page = (params[:page] || 1).to_i
      @page_size = 20
  
diff --git a/app/views/changeset/history.html.erb b/app/views/changeset/history.html.erb

index 7f08a40b3ff5ddc5dda534c1d6b82cbecb38f5a9..1516118eb92683b4edb30bb33b0f5ccfac7d2a7a 100644 (file)
--- a/app/views/changeset/history.html.erb
+++ b/app/views/changeset/history.html.erb
@@ -1,6 +1,6 @@
  <% content_for :auto_discovery_link_tag do -%>
    <% unless params[:friends] or params[:nearby] -%>
-    <%= auto_discovery_link_tag :atom, params.merge(:max_id => nil, :xhr => nil, :action => :feed) %>
+    <%= auto_discovery_link_tag :atom, @params.merge(:max_id => nil, :xhr => nil, :action => :feed) %>
    <% end -%>
  <% end -%>
  
diff --git a/app/views/changeset/list.html.erb b/app/views/changeset/list.html.erb

index 36ec593793f85f0327edd7d2133748e36f2bcbbc..c448912512eeb9907c287e1b098d01024ac8816a 100644 (file)
--- a/app/views/changeset/list.html.erb
+++ b/app/views/changeset/list.html.erb
@@ -4,7 +4,7 @@
    </ol>
  <% if @edits.size == 20 -%>
    <div class="changeset_more">
-    <%= link_to t('changeset.list.load_more'), url_for(params.merge(:max_id => @edits.last.id - 1)), :class => "button load_more" %>
+    <%= link_to t('changeset.list.load_more'), url_for(@params.merge(:max_id => @edits.last.id - 1)), :class => "button load_more" %>
      <%= image_tag "searching.gif", :class => "loader", :style => "display: none;" %>
    </div>
  <% end -%>
diff --git a/app/views/diary_entry/list.html.erb b/app/views/diary_entry/list.html.erb

index 0f3415fb64a7eb6436e54e9285312acae9ef43b1..756464aa26ac79116c23219b090b5f2521069da5 100644 (file)
--- a/app/views/diary_entry/list.html.erb
+++ b/app/views/diary_entry/list.html.erb
@@ -37,13 +37,13 @@
    <% if @entries.size < @page_size -%>
      <%= t('diary_entry.list.older_entries') %>
    <% else -%>
-    <%= link_to t('diary_entry.list.older_entries'), params.merge(:page => @page + 1 ) %>
+    <%= link_to t('diary_entry.list.older_entries'), @params.merge(:page => @page + 1 ) %>
    <% end -%>
  
    |
  
    <% if @page > 1 -%>
-    <%= link_to t('diary_entry.list.newer_entries'), params.merge(:page => @page - 1) %>
+    <%= link_to t('diary_entry.list.newer_entries'), @params.merge(:page => @page - 1) %>
    <% else -%>
      <%= t('diary_entry.list.newer_entries') %>
    <% end -%>
diff --git a/app/views/trace/_trace_paging_nav.html.erb b/app/views/trace/_trace_paging_nav.html.erb

index dea4271d2e8bb48d191c627a8ce9059389e48e2c..10a563fb4d0736a2594bc4ddb5b67e38efa35cbb 100644 (file)
--- a/app/views/trace/_trace_paging_nav.html.erb
+++ b/app/views/trace/_trace_paging_nav.html.erb
@@ -2,7 +2,7 @@
  
  <% if @traces.size > 1 %>
  <% if @page > 1 %>
-<%= link_to t('trace.trace_paging_nav.newer'), params.merge({ :page => @page - 1 }) %>
+<%= link_to t('trace.trace_paging_nav.newer'), @params.merge({ :page => @page - 1 }) %>
  <% else %>
  <%= t('trace.trace_paging_nav.newer') %>
  <% end %>
@@ -12,7 +12,7 @@
  <% if @traces.size < @page_size %>
  <%= t('trace.trace_paging_nav.older') %>
  <% else %>
-<%= link_to t('trace.trace_paging_nav.older'), params.merge({ :page => @page + 1 }) %>
+<%= link_to t('trace.trace_paging_nav.older'), @params.merge({ :page => @page + 1 }) %>
  <% end %>
  <% end %>
  </p>
author	Tom Hughes <tom@compton.nu>
	Thu, 29 Jun 2017 09:55:53 +0000 (10:55 +0100)
committer	Tom Hughes <tom@compton.nu>
	Thu, 29 Jun 2017 09:55:53 +0000 (10:55 +0100)
app/controllers/diary_entry_controller.rb		patch \| blob \| history
app/controllers/trace_controller.rb		patch \| blob \| history
app/views/changeset/history.html.erb		patch \| blob \| history
app/views/changeset/list.html.erb		patch \| blob \| history
app/views/diary_entry/list.html.erb		patch \| blob \| history
app/views/trace/_trace_paging_nav.html.erb		patch \| blob \| history