Sanitise parameters used in URL generation
authorTom Hughes <tom@compton.nu>
Sun, 4 Jun 2017 18:57:27 +0000 (19:57 +0100)
committerTom Hughes <tom@compton.nu>
Sun, 4 Jun 2017 19:24:53 +0000 (20:24 +0100)
app/controllers/geocoder_controller.rb

index 2348425886342ec9d979a2800842da049ffef6a2..6ec2d46f8ac2db2e752909ff92fe8db49d710b42 100644 (file)
@@ -160,7 +160,9 @@ class GeocoderController < ApplicationController
     @results = []
 
     # create parameter hash for "more results" link
-    @more_params = params.merge(:exclude => more_url_params["exclude_place_ids"].first)
+    @more_params = params
+                   .permit(:query, :minlon, :minlat, :maxlon, :maxlat, :exclude)
+                   .merge(:exclude => more_url_params["exclude_place_ids"].first)
 
     # parse the response
     results.elements.each("place") do |place|
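Review bot: The new merge at `.merge(:exclude => more_url_params["exclude_place_ids"].first)` still calls `.first` on whatever `more_url_params["exclude_place_ids"]` holds, so a response without that key would raise `NoMethodError` on `nil`; this is not addressed by the permit change. If the project's Ruby supports safe navigation, `.merge(:exclude => more_url_params["exclude_place_ids"]&.first)` leaves `:exclude` as `nil` instead of failing the whole request. Separately, `permit` on a request with extra keys logs or raises depending on `config.action_controller.action_on_unpermitted_parameters`, so if the app sets that to `:raise`, a stray query parameter would now turn into an error here rather than being dropped; worth confirming the configured value. `more_url_params` is defined outside this hunk, and the enclosing method continues past it.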