Merge pull request #1255 from glensc/1252-followup

eventum · Nov 10, 2021 · 15f749f · 15f749f
2 parents 835f928 + 7ba9f19
commit 15f749f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,7 @@
 
 See [Upgrading] for details on how to upgrade.
 
-- Fix `sort_by` not being filtered in search form, #1252
+- Fix `sort_by` not being filtered in search form, #1252, #1255
 - Fix bug allowing to execute arbitrary JavaScript in SVG files, #1251
 
 [3.10.8]: https://github.com/eventum/eventum/compare/v3.10.7...master

diff --git a/lib/eventum/class.search.php b/lib/eventum/class.search.php
@@ -20,6 +20,8 @@
  */
 class Search
 {
+    private const SORT_BY_FIELDS = ['last_action_date', 'pri_rank', 'iss_id', 'sta_rank', 'iss_summary', 'custom_field'];
+
     /**
      * Method used to get a specific parameter in the issue listing cookie.
      *
@@ -87,7 +89,8 @@ public static function saveSearchParams($save_db = true): array
     {
         $request_only = !$save_db; // if we should only look at get / post not the DB or cookies
 
-        $sort_by = self::getParam('sort_by', $request_only);
+        $sort_by = self::getParam('sort_by', $request_only, self::SORT_BY_FIELDS);
+        $sort_by = $sort_by ?: 'pri_rank';
         $sort_order = self::getParam('sort_order', $request_only, ['asc', 'desc']);
         $rows = self::getParam('rows', $request_only);
         $hide_closed = self::getParam('hide_closed', $request_only);
@@ -368,16 +371,7 @@ public static function getListing($prj_id, array $options, $current_row = 0, $ma
             $fld_details = Custom_Field::getDetails($fld_id);
             $sort_by = 'cf_sort.' . Custom_Field::getDBValueFieldNameByType($fld_details['fld_type']);
         } else {
-            $sort_by = Misc::escapeString($options['sort_by']);
-        }
-
-        // default sort by option
-        $default_sort_by_options = ['last_action_date', 'pri_rank', 'iss_id', 'sta_rank', 'iss_summary'];
-        // check $sort_by
-        if (in_array($sort_by, $default_sort_by_options, true)) {
-            $sort_by = $sort_by;
-        } else {
-            $sort_by = '';
+            $sort_by = DB_Helper::getInstance()->quoteIdentifier($options['sort_by']);
         }
 
         $stmt .= '