Diffstat (limited to 'app/Controllers/configureController.php')
| -rwxr-xr-x | app/Controllers/configureController.php | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index a44ef3104..2bd13997f 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -493,18 +493,17 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
 * It gets the GET parameters and stores them in the configuration query
 * storage. Before it is saved, the unwanted parameters are unset to keep
 * lean data.
- *
- * @todo change the way of keeping lean data to have a more defensive
- * code. At the moment, the code accepts any parameters and discard
- * those on the black list. I think it is safer if we maintain a
- * whitelist instead.
 */
 public function addQueryAction() {
+ $whitelist = array('get', 'order', 'name', 'search', 'state');
 $queries = $this->view->conf->queries;
 $query = Minz_Request::params();
 $query['name'] = _t('query_number', count($queries) + 1);
- unset($query['output']);
- unset($query['token']);
+ foreach ($query as $key => $value) {
+ if (!in_array($key, $whitelist)) {
+ unset($query[$key]);
+ }
+ }
 $queries[] = $query;
 $this->view->conf->_queries($queries);
 $this->view->conf->save();
|
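Review bot: The allowlist check `in_array($key, $whitelist)` uses loose comparison, so a request parameter whose name is numeric (PHP stores it as an integer array key) can compare equal to a non-numeric string on PHP versions before 8.0 (`0 == 'get'` is true there) and would survive the filter the commit is meant to tighten; pass the strict flag, `if (!in_array($key, $whitelist, true)) {`. The loop also binds `$value` without using it; the whole filter can be one exact-key-match line, `$query = array_intersect_key($query, array_flip($whitelist));`, which drops the unused variable and needs no loop. Note that allowlisting keys does not validate the values of `get`, `order`, `search` and `state`, which are still stored as received, so any constraints on those belong where the saved query is later read. The closing brace of addQueryAction is outside the hunk.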
