Fix #234: possible injection through .arg() chains

nuttyartist · Jan 17, 2025 · 517c607 · 517c607
1 parent b066fc7
commit 517c607
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/dbmanager.cpp b/src/dbmanager.cpp
@@ -2502,9 +2502,8 @@ void DBManager::exportNotes(const QString &baseExportPath, const QString &extens
         counter = 1;
         while (directory.exists(filePath)) {
             filePath = QStringLiteral("%1%2%3 %4%5")
-                               .arg(notePath, QDir::separator(), safeTitle)
-                               .arg(counter++)
-                               .arg(extension);
+                               .arg(notePath, QDir::separator(), safeTitle,
+                                    QString::number(counter++), extension);
         }
 
         // qDebug() << "Exporting note:" << filePath;