From 8ef71ac4a119a4c03d78db2372b41ddcc8a95035 Mon Sep 17 00:00:00 2001
From: Ben Toews <mastahyeti@gmail.com>
Date: Wed, 18 Oct 2017 10:21:45 -0600
Subject: push order arg checks down to allow for binds

---
 activerecord/lib/active_record/sanitization.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'activerecord/lib/active_record/sanitization.rb')

diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
index 4caf1145f0..232743d3b6 100644
--- a/activerecord/lib/active_record/sanitization.rb
+++ b/activerecord/lib/active_record/sanitization.rb
@@ -63,13 +63,17 @@ module ActiveRecord
         #   # => "id ASC"
         def sanitize_sql_for_order(condition) # :doc:
           if condition.is_a?(Array) && condition.first.to_s.include?("?")
+            enforce_raw_sql_whitelist([condition.first],
+              whitelist: AttributeMethods::ClassMethods::COLUMN_NAME_ORDER_WHITELIST
+            )
+
             # Ensure we aren't dealing with a subclass of String that might
             # override methods we use (eg. Arel::Nodes::SqlLiteral).
             if condition.first.kind_of?(String) && !condition.first.instance_of?(String)
               condition = [String.new(condition.first), *condition[1..-1]]
             end
 
-            sanitize_sql_array(condition)
+            Arel.sql(sanitize_sql_array(condition))
           else
             condition
           end
-- 
cgit v1.2.3