@@ -1678,11 +1678,32 @@ public function apply_filter(string $filter, string &$searchtext = '') {
16781678 // Create a list of allowed keys that can be used for filtering.
16791679 $ availablefilters = json_decode ($ this ->filterjson );
16801680 if (!empty ($ availablefilters ->categories )) {
1681- $ allowedfilters = array_map (fn ($ item ) => $ item ->columnname , $ availablefilters ->categories );
1681+ foreach ($ availablefilters ->categories as $ category ) {
1682+ $ allowedfilters [] = $ category ->columnname ;
1683+ // There is an exception for the datepicker: we need to add both the start and end columns as well.
1684+ if (
1685+ $ category ->wbfilterclass === 'local_wunderbyte_table\filters\types\datepicker '
1686+ &&
1687+ is_object ($ category ->datepicker )
1688+ ) {
1689+ foreach ($ category ->datepicker ->datepickers as $ dp ) {
1690+ $ allowedfilters [] = $ dp ->startcolumn ;
1691+ if (!empty ($ dp ->endcolumn )) {
1692+ $ allowedfilters [] = $ dp ->endcolumn ;
1693+ }
1694+ }
1695+ }
1696+ }
16821697 } else {
16831698 $ allowedfilters = [];
16841699 }
16851700
1701+ // It’s not important to collect a list of columns that have filters, but rather a list of valid column names
1702+ // that allows us to compare them with the columns posted by the user for filtering, to prevent injection.
1703+ // For this reason, we merge any column name from any property that likely holds a column name.
1704+ $ allowedfilters = array_merge ($ allowedfilters , array_keys ($ this ->columns ));
1705+ $ allowedfilters = array_unique ($ allowedfilters );
1706+
16861707 foreach ($ categoryvalue as $ key => $ value ) {
16871708 $ filter .= ($ categorycounter == 1 ) ? "" : " AND " ;
16881709 $ valuecounter = 1 ;
0 commit comments