Fix SQL injection vulnerability in cleanup-template.ts

2026-03-09 03:32:54 -05:00 · 2025-03-10 15:36:37 -07:00
1 changed files with 2 additions and 1 deletions
--- a/packages/loot-core/src/server/budget/cleanup-template.ts
+++ b/packages/loot-core/src/server/budget/cleanup-template.ts
@@ -370,7 +370,8 @@ async function getCategoryTemplates() {
  const templates = {};

  const notes = await db.all<db.DbNote>(
-    `SELECT * FROM notes WHERE lower(note) like '%${TEMPLATE_PREFIX}%'`,
+    `SELECT * FROM notes WHERE lower(note) like ?`,
+    [`%${TEMPLATE_PREFIX}%`]
  );

  for (let n = 0; n < notes.length; n++) {