|
@@ -1589,7 +1589,7 @@ class ExtraFields
|
|
|
} elseif ($type == 'link') {
|
|
|
$param_list = array_keys($param['options']); // $param_list[0] = 'ObjectName:classPath' but can also be 'ObjectName:classPath:1:(status:=:1)'
|
|
|
/* Removed.
|
|
|
- The selectForForms is called with parameter $objectfield defined, so the app can retreive the filter inside the ajax component instead of being provided as parameters. The
|
|
|
+ The selectForForms is called with parameter $objectfield defined, so the app can retrieve the filter inside the ajax component instead of being provided as parameters. The
|
|
|
filter was used to pass SQL requests leading to serious SQL injection problem. This should not be possible. Also the call of the ajax was broken by some WAF.
|
|
|
if (strpos($param_list[0], '$ID$') !== false && !empty($objectid)) {
|
|
|
$param_list[0] = str_replace('$ID$', $objectid, $param_list[0]);
|