fix(abstracttarget): missing escaping before SQL query

pluginsGLPI · May 24, 2024 · 6747e99 · 6747e99
1 parent 8a8f8d4
commit 6747e99
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/inc/abstracttarget.class.php b/inc/abstracttarget.class.php
@@ -565,10 +565,12 @@ public function prepareInputForClone($input) {
    }
 
    protected static function getTemplateByName(string $name): int {
+      global $DB;
+
       $targetTemplateType = (new static())->getTemplateItemtypeName();
       $targetTemplate = new $targetTemplateType();
       $targetTemplate->getFromDBByCrit([
-         'name' => $name,
+         'name' => $DB->escape($name),
       ]);
 
       if ($targetTemplate->isNewItem()) {