Merge pull request #2301 from ZeiP/feature/#2072_tag_sanitize

#2072: Remove needless sanitisation of tags. The sanitised version is…
TracksApp · Jan 3, 2020 · c2a882c · c2a882c
2 parents 0bf6f60 + e0aa0ac
commit c2a882c
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
@@ -864,14 +864,16 @@ def tag_title(tag_expr)
   def get_params_for_tag_view
     filter_format_for_tag_view
 
-    # use sanitize to prevent XSS attacks
+    # Don't use sanitize here because these are only used for a DB query.
     @tag_expr = []
-    @tag_expr << sanitize(params[:name]).split(',')
-    @tag_expr << sanitize(params[:and]).split(',') if params[:and]
+    # Tag conditions handled as OR.
+    @tag_expr << params[:name].split(',')
 
+    # Additional tag condition(s) handled as AND.
+    @tag_expr << params[:and].split(',') if params[:and]
     i = 1
     while params['and'+i.to_s]
-      @tag_expr << sanitize(params['and'+i.to_s]).split(',')
+      @tag_expr << params['and'+i.to_s].split(',')
       i=i+1
     end