- Improving security by added -limit_to xxx to all im_opt_val calls

d863edbc · Frank Bergmann · 7076c835 · d863edbc
Commit d863edbc authored Jun 11, 2020 by Frank Bergmann
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

intranet-cost-procs.tcl tcl/intranet-cost-procs.tcl +1 -1

No files found.
--- a/tcl/intranet-cost-procs.tcl
+++ b/tcl/intranet-cost-procs.tcl
@@ -1330,7 +1330,7 @@ ad_proc im_costs_project_finance_component {
    set org_project_id $project_id

    # Pull out optional sort_order string from HTTP headers. Dirty and unsecure!
-    set sort_order [im_opt_val sort_order]
+    set sort_order [im_opt_val -limit_to nohtml sort_order]


    # Get a hash array of subtotals per cost_type