Security fix

scoumbourdis · Nov 8, 2018 · 2b580e0 · mckaygerhard · Dec 12, 2018 · scoumbourdis
1 parent 1f10265
commit 2b580e0
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/application/libraries/Grocery_CRUD.php b/application/libraries/Grocery_CRUD.php
@@ -3240,12 +3240,14 @@ public function getStateInfo()
                         if (is_array($data['search_field'])) {
                             $search_array = array();
                             foreach ($data['search_field'] as $search_key => $search_field_name) {
+                                $search_field_name = preg_replace('/[^a-zA-Z0-9_]/', '' , $search_field_name);
                                 $search_array[$search_field_name] = isset($data['search_text'][$search_key]) ? $data['search_text'][$search_key] : '';
                             }
                             $state_info->search	= $search_array;
                         } else {
+                            $field_name = preg_replace('/[^a-zA-Z0-9_]/', '' , $data['search_field']);
                             $state_info->search	= (object)array(
-                                'field' => strip_tags($data['search_field']) ,
+                                'field' => $field_name,
                                 'text' => $data['search_text'] );
                         }
                     }

diff --git a/change_log.txt b/change_log.txt
@@ -1,6 +1,7 @@
 v 1.6.2
     - #442: Searching in grid with value 0 is not working
     - #458: Updated Lithuanian language by @dgvirtual
+    - Security fix
 v 1.6.1
     - #441: Adding clone functionality - contribution from @portapipe
 v 1.6.0