Fix for unescaped sql in custom filter tags

pull/14/head
Tim Su 15 years ago
parent eaebec0850
commit cb5166e022

@ -37,6 +37,7 @@ import com.todoroo.andlib.service.DependencyInjectionService;
import com.todoroo.andlib.sql.Criterion; import com.todoroo.andlib.sql.Criterion;
import com.todoroo.andlib.sql.Field; import com.todoroo.andlib.sql.Field;
import com.todoroo.andlib.sql.Query; import com.todoroo.andlib.sql.Query;
import com.todoroo.andlib.sql.UnaryCriterion;
import com.todoroo.astrid.activity.TaskListActivity; import com.todoroo.astrid.activity.TaskListActivity;
import com.todoroo.astrid.api.AstridApiConstants; import com.todoroo.astrid.api.AstridApiConstants;
import com.todoroo.astrid.api.CustomFilterCriterion; import com.todoroo.astrid.api.CustomFilterCriterion;
@ -435,7 +436,7 @@ public class CustomFilterActivity extends ListActivity {
if(instance.criterion.sql == null) if(instance.criterion.sql == null)
sql.append(TaskCriteria.activeAndVisible()).append(' '); sql.append(TaskCriteria.activeAndVisible()).append(' ');
else { else {
String subSql = instance.criterion.sql.replace("?", value); String subSql = instance.criterion.sql.replace("?", UnaryCriterion.sanitize(value));
subSql = PermaSql.replacePlaceholders(subSql); subSql = PermaSql.replacePlaceholders(subSql);
sql.append(Task.ID).append(" IN (").append(subSql).append(") "); sql.append(Task.ID).append(" IN (").append(subSql).append(") ");
} }
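Review bot: The sanitized value is spliced into the criterion SQL before `PermaSql.replacePlaceholders` runs over the combined string, so if those placeholders are textual tokens, a value that happens to contain one would still be expanded after sanitize() has done its work. Expanding placeholders on the template first and substituting the value last keeps user-supplied text out of the placeholder pass: `String subSql = PermaSql.replacePlaceholders(instance.criterion.sql);` followed by `subSql = subSql.replace("?", UnaryCriterion.sanitize(value));`. `String.replace` also substitutes every `?` in the template, so a criterion whose SQL contains a literal `?` or more than one placeholder receives the same value in each position; a comment such as `// criterion.sql must contain exactly one '?' placeholder` would record that contract next to the call. Whether sanitize() returns a fully quoted literal or only escapes quote characters is not visible here, and the enclosing method starts and ends outside the hunk.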
