From 5e87fbc4292cf7a96fa5139ede88f4baefad104b Mon Sep 17 00:00:00 2001
From: joebordes
Date: Fri, 2 Jun 2023 17:43:56 +0200
Subject: [PATCH] sec(Picklist) sanitize picklist values
---
 modules/PickList/PickListAction.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/PickList/PickListAction.php b/modules/PickList/PickListAction.php
index da1ff413da..edd9806707 100644
--- a/modules/PickList/PickListAction.php
+++ b/modules/PickList/PickListAction.php
@@ -37,7 +37,7 @@
 $id = $adb->getUniqueID("vtiger_$tableName");
 $picklist_valueid = getUniquePicklistID();
 $sql = "insert into vtiger_$tableName values (?,?,?,?)";
- $adb->pquery($sql, array($id, $val, 1, $picklist_valueid));
+ $adb->pquery($sql, array($id, vtlib_purify($val), 1, $picklist_valueid));
 //add the picklist values to the selected roles
 foreach ($roles as $roleid) {
 $sql ="select max(sortid)+1 as sortid
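Review bot: `vtlib_purify($val)` is applied only inside the argument array of the insert, so any other use of `$val` in this loop (a duplicate check before the hunk or a response after it, if there is one) would still see the raw string and could disagree with what was stored. Purifying once ahead of the insert, `$val = vtlib_purify($val);`, keeps every later use consistent. Purifying on write also does not replace escaping where picklist values are rendered, since rows stored before this commit stay unpurified. Separately, `vtiger_$tableName` is interpolated into the SQL text and cannot be bound as a parameter, so `$tableName` should be checked against the known picklist field names where it is assigned; that assignment and the start of the loop are outside this hunk.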