diff --git a/CHANGELOG.md b/CHANGELOG.md index a33638ba59..27a5d40b48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See [Upgrading] for details on how to upgrade. -- Fix `sort_by` not being filtered in search form, #1252 +- Fix `sort_by` not being filtered in search form, #1252, #1255 - Fix bug allowing to execute arbitrary JavaScript in SVG files, #1251 [3.10.8]: https://github.com/eventum/eventum/compare/v3.10.7...master diff --git a/lib/eventum/class.search.php b/lib/eventum/class.search.php index 024109c70a..7bb0c7f548 100644 --- a/lib/eventum/class.search.php +++ b/lib/eventum/class.search.php @@ -20,6 +20,8 @@ */ class Search { + private const SORT_BY_FIELDS = ['last_action_date', 'pri_rank', 'iss_id', 'sta_rank', 'iss_summary', 'custom_field']; + /** * Method used to get a specific parameter in the issue listing cookie. * @@ -87,7 +89,8 @@ public static function saveSearchParams($save_db = true): array { $request_only = !$save_db; // if we should only look at get / post not the DB or cookies - $sort_by = self::getParam('sort_by', $request_only); + $sort_by = self::getParam('sort_by', $request_only, self::SORT_BY_FIELDS); + $sort_by = $sort_by ?: 'pri_rank'; $sort_order = self::getParam('sort_order', $request_only, ['asc', 'desc']); $rows = self::getParam('rows', $request_only); $hide_closed = self::getParam('hide_closed', $request_only); 
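Review bot: The new `SORT_BY_FIELDS` constant carries no comment, although it is now the single allow-list that both `getParam()` and the later `getListing()` sort path rely on, and the `'custom_field'` entry is special (it selects the custom-field branch rather than naming a column). A short doc comment above the constant would make that coupling explicit: `/** Allowed values of the sort_by request parameter; 'custom_field' is resolved to a cf_sort column in getListing(), every other entry is used as an ORDER BY identifier. */`. Keep the list in one place only, so the check in saveSearchParams() and any check in getListing() cannot drift apart.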
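Review bot: The `$sort_by ?: 'pri_rank'` fallback added after the `getParam()` call works only because every entry of `SORT_BY_FIELDS` is a non-empty string, so a falsy return can never be a legitimate value; that assumption is silent and the hunk does not show what `getParam()` returns when the third argument rejects a value. A why-comment would pin it down: `// getParam() drops values outside SORT_BY_FIELDS; anything falsy here means "rejected", fall back to the default ordering`. Note this also changes behaviour for an unknown value (previously getListing() ended up with an empty sort; now the default ordering applies), which is probably intended but worth a line in the commit message. saveSearchParams() continues past the end of this hunk.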
@@ -368,16 +371,7 @@ public static function getListing($prj_id, array $options, $current_row = 0, $ma $fld_details = Custom_Field::getDetails($fld_id); $sort_by = 'cf_sort.' . Custom_Field::getDBValueFieldNameByType($fld_details['fld_type']); } else { - $sort_by = Misc::escapeString($options['sort_by']); - } - - // default sort by option - $default_sort_by_options = ['last_action_date', 'pri_rank', 'iss_id', 'sta_rank', 'iss_summary']; - // check $sort_by - if (in_array($sort_by, $default_sort_by_options, true)) { - $sort_by = $sort_by; - } else { - $sort_by = ''; + $sort_by = DB_Helper::getInstance()->quoteIdentifier($options['sort_by']); } $stmt .= '
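Review bot: The `else` branch now drops the in_array allow-list entirely and hands `$options['sort_by']` straight to `quoteIdentifier()`, so the only remaining filter is the one in saveSearchParams(); `getListing()` is public static and takes `$options` from its caller, so any caller that builds the array itself (or a future one) reaches the ORDER BY with an arbitrary identifier. Quoting presumably stops injection, but it does not stop sorting by an unintended column, and the previous code deliberately rejected unknown values at this sink; keeping a check here costs two lines: `if (!in_array($options['sort_by'], self::SORT_BY_FIELDS, true)) { $options['sort_by'] = 'pri_rank'; }` followed by the existing `$sort_by = DB_Helper::getInstance()->quoteIdentifier($options['sort_by']);`. The ORDER BY string assembly that consumes `$sort_by` starts at `$stmt .= '` and continues outside this hunk, so I could not confirm how an unexpected identifier is rendered there.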