Commit fa7ac2f8 authored by Seamus Lee's avatar Seamus Lee

Also escape subtype to fix POC#2 found by Patrick

parent 3e91f6c9
......@@ -599,7 +599,7 @@ class CRM_Core_BAO_CustomField extends CRM_Core_DAO_CustomField {
if (!empty($customDataSubType)) {
$subtypeClause = array();
foreach ($customDataSubType as $subtype) {
$subtype = CRM_Core_DAO::VALUE_SEPARATOR . $subtype . CRM_Core_DAO::VALUE_SEPARATOR;
$subtype = CRM_Core_DAO::VALUE_SEPARATOR . CRM_Utils_Type::escape($subtype, 'String') . CRM_Core_DAO::VALUE_SEPARATOR;
$subtypeClause[] = "$cgTable.extends_entity_column_value LIKE '%{$subtype}%'";
}
if (!$onlySubType) {
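Review bot: On the `$subtypeClause[]` line the escaped subtype is still interpolated into a `LIKE '%…%'` pattern, and SQL string escaping does not neutralise the LIKE metacharacters `%` and `_`. A caller-supplied subtype containing them would therefore match more custom groups than intended, even though it can no longer break out of the quoted literal. Consider escaping the wildcards as well, for example `$subtype = addcslashes(CRM_Utils_Type::escape($subtype, 'String'), '%_');`, or checking each value against the defined subtypes before building the clause. The foreach sits inside a larger function whose start and end are outside this hunk, so whether `$customDataSubType` is validated earlier cannot be confirmed from here.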
......