From 6747e99be13e5a6d07fd836e7bc5665ffb94bdf7 Mon Sep 17 00:00:00 2001
From: Thierry Bugier
Date: Fri, 24 May 2024 09:11:46 +0200
Subject: [PATCH] fix(abstracttarget): missing escaping before SQL query

---
 inc/abstracttarget.class.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/inc/abstracttarget.class.php b/inc/abstracttarget.class.php
index 66b3d0e04..f7d697d22 100644
--- a/inc/abstracttarget.class.php
+++ b/inc/abstracttarget.class.php
@@ -565,10 +565,12 @@ public function prepareInputForClone($input) {
 }
 
 protected static function getTemplateByName(string $name): int {
+ global $DB;
+
 $targetTemplateType = (new static())->getTemplateItemtypeName();
 $targetTemplate = new $targetTemplateType();
 $targetTemplate->getFromDBByCrit([
- 'name' => $name,
+ 'name' => $DB->escape($name),
 ]);
 
 if ($targetTemplate->isNewItem()) {
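Review bot: The new `'name' => $DB->escape($name)` is only right if every caller hands getTemplateByName() a raw, unescaped string; GLPI normally sanitizes request input (addslashes-style) before it reaches itemtype code, so a caller that forwards a template name straight from a form would now be escaped twice and a name containing a quote or backslash would silently fail the lookup and fall into the isNewItem() branch. Which callers exist and what they pass is not visible in this hunk, so this is worth confirming rather than assuming. I would pin the contract where it is easy to see, e.g. a line above the call: `// $name must be raw (not pre-sanitized): DBmysqlIterator does not escape scalar criteria, so it is escaped exactly once here`. A PHPDoc `@param string $name Raw template name (unescaped)` on the method would make the same point to callers. getTemplateByName's body continues past the end of the hunk.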