From 517c6079ca8862e6ec7ba2e1d13e566d249135d2 Mon Sep 17 00:00:00 2001
From: zjeffer <4633209+zjeffer@users.noreply.github.com>
Date: Fri, 17 Jan 2025 21:51:49 +0100
Subject: [PATCH] Fix #234: possible injection through .arg() chains

---
 src/dbmanager.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/dbmanager.cpp b/src/dbmanager.cpp
index d8e2d69d..ced8253a 100644
--- a/src/dbmanager.cpp
+++ b/src/dbmanager.cpp
@@ -2502,9 +2502,8 @@ void DBManager::exportNotes(const QString &baseExportPath, const QString &extens
         counter = 1;
         while (directory.exists(filePath)) {
             filePath = QStringLiteral("%1%2%3 %4%5")
-                               .arg(notePath, QDir::separator(), safeTitle)
-                               .arg(counter++)
-                               .arg(extension);
+                               .arg(notePath, QDir::separator(), safeTitle,
+                                    QString::number(counter++), extension);
         }
 
         // qDebug() << "Exporting note:" << filePath;