Replace sanitize with CGI.escape

pulibrary · Sep 8, 2023 · b71abce · b71abce
1 parent 567ba1d
commit b71abce
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 18 deletions.
diff --git a/app/controllers/availability_controller.rb b/app/controllers/availability_controller.rb
@@ -18,7 +18,7 @@ def index
       end
     elsif params[:scsb_id]
       scsb_lookup = ScsbLookup.new
-      avail = scsb_lookup.find_by_id(sanitize(params[:scsb_id]))
+      avail = scsb_lookup.find_by_id(CGI.escape(params[:scsb_id]))
       if avail.empty?
         render plain: "SCSB Record: #{params[:scsb_id]} not found.", status: :not_found
       else
@@ -30,4 +30,10 @@ def index
       render plain: "Please provide a bib id.", status: :not_found
     end
   end
+
+  private
+
+    def sanitize_array(arr)
+      arr.map { |s| CGI.escape(s) }
+    end
 end
diff --git a/app/controllers/barcode_controller.rb b/app/controllers/barcode_controller.rb
@@ -56,10 +56,10 @@ def scsb
   rescue => e
     handle_alma_exception(exception: e, message: "Error for barcode: #{barcode}")
   end
-
+  
   private
-
-    def sanitized_barcode
-      sanitize(params[:barcode])
-    end
+  
+  def sanitized_barcode 
+    CGI.escape(params[:barcode])
+  end
 end
diff --git a/app/controllers/bibliographic_controller.rb b/app/controllers/bibliographic_controller.rb
@@ -108,12 +108,12 @@ def bib_solr
       render json: solr_doc
     end
   rescue => e
-    handle_alma_exception(exception: e, message: "Failed to retrieve the holding records for the bib. ID: #{sanitize(params[:bib_id])}")
+    handle_alma_exception(exception: e, message: "Failed to retrieve the holding records for the bib. ID: #{sanitized_bibid}")
   end
 
   # Client: No known use cases
   def bib_holdings
-    records = adapter.get_holding_records(sanitize(params[:bib_id]))
+    records = adapter.get_holding_records(sanitized_bibid)
     if records.empty?
       render plain: "Record #{params[:bib_id]} not found or suppressed", status: :not_found
     else
@@ -129,7 +129,7 @@ def bib_holdings
       end
     end
   rescue => e
-    handle_alma_exception(exception: e, message: "Failed to retrieve the holding records for the bib. ID: #{sanitize(params[:bib_id])}")
+    handle_alma_exception(exception: e, message: "Failed to retrieve the holding records for the bib. ID: #{sanitized_bibid}")
   end
 
   # bibliographic/:bib_id/items
@@ -208,11 +208,11 @@ def bib_id_url
     # Sanitizes the bib_id HTTP parameter
     # @return [String]
     def sanitized_bibid
-      sanitize(params[:bib_id])
+      CGI.escape(params[:bib_id])
     end
 
     def sanitized_adapter
-      sanitize(params[:adapter])
+      CGI.escape(params[:adapter])
     end
 
     def add_locator_call_no(records)

diff --git a/app/controllers/patron_controller.rb b/app/controllers/patron_controller.rb
@@ -19,6 +19,9 @@ def patron_info
   end
 
   private
+    def sanitize(str)
+      str.gsub(/[^A-Za-z0-9.]/, '')
+    end
 
     def parse_data
       {

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -14,11 +14,5 @@ def bootstrap_class_for(flash_type)
     end
   end
 
-  def sanitize(str)
-    str.gsub(/[^A-Za-z0-9.]/, '')
-  end
-
-  def sanitize_array(arr)
-    arr.map { |s| sanitize(s) }
-  end
+
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,9 @@ def patron_info @@
       end
       private
+        def sanitize(str)
+          str.gsub(/[^A-Za-z0-9.]/, '')
+        end
         def parse_data
           {
@@ Expand Down @@