From ea1a01b33f51c73323d565a95dd799f5d20ba85c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 17 Oct 2022 23:35:34 +0200
Subject: [PATCH] Update commonobject.class.php
---
 htdocs/core/class/commonobject.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 2fb8ba6e1b8..9428c017067 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -6148,9 +6148,9 @@ abstract class CommonObject
 //fix #22571 : order by could be set
 //remember 'sellist:TableName:LabelFieldName[:KeyFieldName[:KeyFieldParent[:Filter[:Sortfield]]]]',
 if(isset($InfoFieldList[5]) && $InfoFieldList[5] != "") {
- $sql .= ' ORDER BY '.$InfoFieldList[5];
+ $sql .= " ORDER BY ".$this->db->escape($InfoFieldList[5]);
 } else {
- $sql .= ' ORDER BY '.implode(', ', $fields_label);
+ $sql .= " ORDER BY ".$this->db->sanitize(implode(', ', $fields_label));
 }
 dol_syslog(get_class($this).'::showInputField type=sellist', LOG_DEBUG);
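Review bot: On the first changed line, `$this->db->escape($InfoFieldList[5])` feeds a value that lands unquoted in the `ORDER BY` clause; assuming `escape()` is the usual string-literal escaping, it neutralises quote characters but does not restrict an unquoted fragment to column names, so this branch is weaker than the `else` branch, which goes through `sanitize()`. If the `sellist` definition can be edited by anyone other than a fully trusted administrator, the Sortfield segment should be validated as an identifier list, for example `$sql .= " ORDER BY ".$this->db->sanitize($InfoFieldList[5]);`, or matched against a strict pattern of column names with an optional `ASC`/`DESC` when sort directions must be supported (whether `sanitize()` keeps the space before a direction keyword is not visible here). A one-line comment above the `if` stating which characters the Sortfield segment may contain would make the intended contract explicit. The enclosing method starts and ends outside the hunk, so where `$InfoFieldList` is parsed and who can set it should be confirmed there.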