Added new paramter 'columns' to avoid sql injection/cross site scripting

README.html

@@ -43,7 +43,9 @@ <h2 id="basic-usage">Basic Usage</h2>
 <p>Activate the feature in your controller class:</p>
 
 <pre><code>class MyController &lt; ApplicationController
-  handles_sortable_columns
+  handles_sortable_columns do |conf|
+    conf.columns = ['name', 'date']
+  end
   ...
 </code></pre>
 
@@ -73,7 +75,8 @@ <h3 id="configuration">Configuration</h3>
 <p>Change names of GET parameters used for sorting and pagination:</p>
 
 <pre><code>class MyController &lt; ApplicationController
-  handles_sortable_columns do |conf|
+  handles_sortable_columns do |conf|
+    conf.columns = ['name', 'date']
     conf.sort_param = "s"
     conf.page_param = "p"
   end
@@ -82,22 +85,25 @@ <h3 id="configuration">Configuration</h3>
 
 <p>Change CSS class of all sortable column <code>&lt;a&gt;</code> tags:</p>
 
-<pre><code>handles_sortable_columns do |conf|
+<pre><code>handles_sortable_columns do |conf|
+  conf.columns = ['name', 'date']
   conf.class = "SortableLink"
   conf.indicator_class = {:asc =&gt; "AscSortableLink", :desc =&gt; "DescSortableLink"}
 end
 </code></pre>
 
 <p>Change how text-based sort indicator looks like:</p>
 
-<pre><code>handles_sortable_columns do |conf|
+<pre><code>handles_sortable_columns do |conf|
+  conf.columns = ['name', 'date']
   conf.indicator_text = {:asc =&gt; "[asc]", :desc =&gt; "[desc]"}
 end
 </code></pre>
 
 <p>Disable text-based sort indicator completely:</p>
 
-<pre><code>handles_sortable_columns do |conf|
+<pre><code>handles_sortable_columns do |conf|
+  conf.columns = ['name', 'date']
   conf.indicator_text = {}
 end
 </code></pre>

README.md

@@ -44,7 +44,9 @@ Basic Usage
 Activate the feature in your controller class:
 
     class MyController < ApplicationController
-      handles_sortable_columns
+      handles_sortable_columns do |conf|
+         conf.columns = ['name', 'date']
+      end
       ...
 
 In a view, mark up sortable columns by using the <tt>sortable_column</tt> helper:
@@ -75,6 +77,7 @@ Change names of GET parameters used for sorting and pagination:
 
     class MyController < ApplicationController
       handles_sortable_columns do |conf|
+        conf.columns = ['name', 'date']
         conf.sort_param = "s"
         conf.page_param = "p"
       end
@@ -83,19 +86,22 @@ Change names of GET parameters used for sorting and pagination:
 Change CSS class of all sortable column `<a>` tags:
 
     handles_sortable_columns do |conf|
+      conf.columns = ['name', 'date']
       conf.class = "SortableLink"
       conf.indicator_class = {:asc => "AscSortableLink", :desc => "DescSortableLink"}
     end
 
 Change how text-based sort indicator looks like:
 
     handles_sortable_columns do |conf|
+      conf.columns = ['name', 'date']
       conf.indicator_text = {:asc => "[asc]", :desc => "[desc]"}
     end
 
 Disable text-based sort indicator completely:
 
     handles_sortable_columns do |conf|
+      conf.columns = ['name', 'date']
       conf.indicator_text = {}
     end
 

lib/handles/sortable_columns.rb

@@ -40,6 +40,12 @@ def self.included(owner)    #:nodoc:
     #     ...
     #   end
     class Config
+
+      # List of accessible columns to avoid SQL/code injection. Default:
+      #
+      #   []
+      attr_accessor :columns
+
       # CSS class for link (regardless of sorted state). Default:
       #
       #   SortableColumnLink
@@ -55,11 +61,6 @@ class Config
       #   sort
       attr_accessor :sort_param
 
-      # Default sort direction, if params[sort_param] is not given.
-      #
-      #   default_sort_value
-      attr_accessor :default_sort_value
-
       # Sort indicator text. If any of values are empty, indicator is not displayed. Default:
       #
       #  {:asc => " ↓ ", :desc => " ↑ "}
@@ -77,7 +78,6 @@ def initialize(attrs = {})
           :indicator_text => {:asc => " ↓ ", :desc => " ↑ "},
           :page_param => "page",
           :sort_param => "sort",
-          :default_sort_value => nil
         }
 
         defaults.merge(attrs).each {|k, v| send("#{k}=", v)}
@@ -147,11 +147,13 @@ module InstanceMethods
       #   parse_sortable_column_sort_param("-name")   # => {:column => "name", :direction => :desc}
       #   parse_sortable_column_sort_param("")        # => {:column => nil, :direction => nil}
       def parse_sortable_column_sort_param(sort)    #:nodoc:
+
         out = {:column => nil, :direction => nil}
         if sort.to_s.strip.match /\A((?:-|))([^-]+)\z/
           out[:direction] = $1.empty?? :asc : :desc
           out[:column] = $2.strip
         end
+        return {} if !sortable_columns_config['columns'].include?(out[:column])
         out
       end
 
@@ -175,7 +177,6 @@ def sortable_column(title, options = {})    #:doc:
         o = {}
         conf = {}
         conf[k = :sort_param] = sortable_columns_config[k]
-        conf[k = :default_sort_value] = sortable_columns_config[k]
         conf[k = :page_param] = sortable_columns_config[k]
         conf[k = :indicator_text] = sortable_columns_config[k]
         conf[k = :indicator_class] = sortable_columns_config[k]
@@ -190,8 +191,7 @@ def sortable_column(title, options = {})    #:doc:
         raise "Unknown option(s): #{options.inspect}" if not options.empty?
 
         # Parse sort param.
-        sort = params[conf[:sort_param]] || conf[:default_sort_value]
-        pp = parse_sortable_column_sort_param(sort)
+        pp = parse_sortable_column_sort_param(params[conf[:sort_param]])
 
         css_class = []
         if (s = o[:link_class]).present?
@@ -259,11 +259,9 @@ def sortable_column(title, options = {})    #:doc:
       def sortable_column_order(&block)
         conf = {}
         conf[k = :sort_param] = sortable_columns_config[k]
-        conf[k = :default_sort_value] = sortable_columns_config[k]
 
         # Parse sort param.
-        sort = params[conf[:sort_param]] || conf[:default_sort_value]
-        pp = parse_sortable_column_sort_param(sort)
+        pp = parse_sortable_column_sort_param(params[conf[:sort_param]])
 
         order = if block
           column, direction = pp[:column], pp[:direction]