Use instance variable instead of param

Prevent unescaped user input. Co-authored-by: Eduardo Navarro <enavarro@suse.com> Co-authored-by: Henne Vogelsang <hvogel@opensuse.org>
openSUSE · Jul 9, 2020 · 2a52e0e · 2a52e0e
1 parent d480d42
commit 2a52e0e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/src/api/app/controllers/webui/users/notifications_controller.rb b/src/api/app/controllers/webui/users/notifications_controller.rb
@@ -9,6 +9,7 @@ def index
     @notifications = fetch_notifications
     @projects_for_filter = projects_for_filter
     @notifications_count = notifications_count
+    @filtered_project = Project.find_by(name: params[:project])
   end
 
   def update

diff --git a/src/api/app/views/webui/users/notifications/index.html.haml b/src/api/app/views/webui/users/notifications/index.html.haml
@@ -8,7 +8,7 @@
     .card.mb-3
       %strong.d-block.d-md-none.p-3{ data: { toggle: 'collapse', target: '#filters' },
                                   aria: { expanded: true, controls: 'filters' } }
-        Filtered by: #{params[:type]&.humanize || params[:project] || 'Unread'}
+        Filtered by: #{params[:type]&.humanize || @filtered_project || 'Unread'}
         %i.float-right.mt-1.fa.fa-chevron-down
       .card-body.collapse#filters
         = render partial: 'notifications_filter', locals: { projects_for_filter: @projects_for_filter, notifications_count: @notifications_count }