Validate sort field

Just to avoid people to sort on crazy unexistant field

1 files changed, 6 insertions, 2 deletions

diff --git a/src/Wallabag/CoreBundle/Controller/EntryController.php b/src/Wallabag/CoreBundle/Controller/EntryController.php
index cef29990..ff90957b 100644
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -532,8 +532,12 @@ class EntryController extends Controller
         $searchTerm = (isset($request->get('search_entry')['term']) ? $request->get('search_entry')['term'] : '');
         $currentRoute = (null !== $request->query->get('currentRoute') ? $request->query->get('currentRoute') : '');
 
-        $sortBy = $request->get('sort', 'id');
-        $direction = $request->get('direction', 'DESC');
+        $sortBy = 'id';
+        if (in_array($request->get('sort', 'id'), ['id', 'created_at', 'title', 'updated_at'], true)) {
+            $sortBy = $request->get('sort', 'id');
+        }
+
+        $direction = 'DESC' === $request->get('direction') ? 'DESC' : 'ASC';
 
         switch ($type) {
             case 'search':