Avoid XSS in pagination ordering
fguillot committed Jan 31, 2019
1 parent 8cf8f9e commit 83deec2
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions app/Core/Paginator.php
Expand Up @@ -169,10 +169,16 @@ public function setFormatter(FormatterInterface $formatter)
public function executeQuery()
{
if ($this->query !== null) {

$this->query
->offset($this->offset)
->limit($this->limit)
->orderBy($this->order, $this->direction);
->limit($this->limit);

if (preg_match('/^[a-zA-Z0-9._]+$/', $this->order)) {
$this->query->orderBy($this->order, $this->direction);
} else {
$this->order = '';
}

if ($this->formatter !== null) {
return $this->formatter->withQuery($this->query)->format();
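Review bot: The allow-list on the new `if (preg_match('/^[a-zA-Z0-9._]+$/', $this->order))` line still accepts a value with a trailing newline, because in PCRE `$` also matches just before a final "\n", so an order string like "id\n" would reach orderBy() unchanged; anchoring with the `D` modifier (or `\z`) closes that gap: `if (preg_match('/^[a-zA-Z0-9._]+$/D', $this->order)) {`. The second argument, `$this->direction`, is passed to orderBy() in the same statement without any check here; unless the setter already restricts it to ASC/DESC, it deserves the same allow-list treatment as the column name. A short why-comment above the check, `// Column names cannot be bound as query parameters, so restrict order to a safe character set`, would record the reason the validation lives in this method rather than in the query layer. executeQuery()'s body continues past the end of the hunk.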
