Bug 27715: Sanitize order by DT params
We are not on the safe side when we build the ORDER BY clause from the
DataTables parameters.
I've started to limit the columns by using Koha::Objects->columns, but
for instance for the patron search we need (at least) the columns from
the branches, categories and members tables.
It seems easier, and still safe, to use a regex.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0d1e5ea69b70292c89f827adaefc286fff8318a7)
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
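
The regex approach described in the commit message, sketched as an added example; this is not the code from the Koha patch. The pattern, the `build_order_by` function name, the backtick quoting and the sample requests are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical pattern: an optional table qualifier plus a column name.
# \A and \z anchor the whole string; a bare $ would also accept a trailing newline.
my $IDENT = qr/\A[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?\z/;

# Build an ORDER BY clause from DataTables-style sort requests.
# Returns undef as soon as a column name or direction fails validation,
# so a bad value never reaches the SQL string.
sub build_order_by {
    my (@sorts) = @_;
    my @terms;
    for my $sort (@sorts) {
        my $col = $sort->{column} // '';
        my $dir = lc( $sort->{dir} // 'asc' );
        return unless $col =~ $IDENT;
        return unless $dir eq 'asc' || $dir eq 'desc';

        # Backtick-quote each part (MySQL/MariaDB identifier quoting).
        my $quoted = join '.', map { "`$_`" } split /\./, $col;
        push @terms, "$quoted " . uc($dir);
    }
    return @terms ? 'ORDER BY ' . join( ', ', @terms ) : '';
}

# Constructed sample requests, not taken from Koha.
my @samples = (
    [ { column => 'branches.branchname', dir => 'asc' },
      { column => 'surname',             dir => 'DESC' } ],
    [ { column => 'surname, 1',          dir => 'asc' } ],      # extra SQL term
    [ { column => "surname\n",           dir => 'asc' } ],      # trailing newline
    [ { column => 'categories.description', dir => 'asc; --' } ],    # bad direction
);

for my $request (@samples) {
    my $clause = build_order_by(@$request);
    print defined $clause ? "accepted: $clause\n" : "rejected\n";
}
```

Only the first request is accepted, yielding an ORDER BY on `branches`.`branchname` ASC and `surname` DESC; the other three are rejected before any SQL is built.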