Correctly escape sort-by columns in SQL (refs #189)

simonw · Apr 9, 2018 · bfb19e3 · bfb19e3
1 parent 747a801
commit bfb19e3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/datasette/app.py b/datasette/app.py
@@ -616,10 +616,10 @@ async def data(self, request, name, hash, table):
         # Allow for custom sort order
         sort = special_args.get('_sort')
         if sort:
-            order_by = sort
+            order_by = escape_sqlite(sort)
         sort_desc = special_args.get('_sort_desc')
         if sort_desc:
-            order_by = '{} desc'.format(sort_desc)
+            order_by = '{} desc'.format(escape_sqlite(sort_desc))
 
         count_sql = 'select count(*) from {table_name} {where}'.format(
             table_name=escape_sqlite(table),