From a612c2a893b11a69be559a80918173a1708746da Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Mon, 22 Apr 2019 17:45:52 +1000
Subject: [PATCH] Fix security/core#51 by paramatising the Event Type part of the wuere clause

---
 CRM/Event/Page/ManageEvent.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CRM/Event/Page/ManageEvent.php b/CRM/Event/Page/ManageEvent.php
index afc523e034..ae0f929428 100644
--- a/CRM/Event/Page/ManageEvent.php
+++ b/CRM/Event/Page/ManageEvent.php
@@ -517,7 +517,8 @@ ORDER BY start_date desc
 if (is_array($value)) {
 $type = implode(',', $value);
 }
- $clauses[] = "event_type_id IN ({$type})";
+ $clauses[] = "event_type_id IN (%2)";
+ $params[2] = [$type, 'String'];
 }

 $eventsByDates = $this->get('eventsByDates');
-- 
2.25.1
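Review bot: Binding the imploded id list as one `'String'` parameter in `$params[2] = [$type, 'String'];` likely changes what the filter matches: if the query layer quotes String parameters (not visible in this hunk), the clause becomes `event_type_id IN ('1,2,3')`, a single string that MySQL casts to its leading number, so a multi-type filter would return only the first event type. A parameter type that validates the value as a list of integers and is substituted unquoted keeps both the injection fix and the original semantics, e.g. `$params[2] = [$type, 'CommaSeparatedIntegers'];` if that type is available on this branch. Separately, `$type` is assigned only inside the `is_array($value)` branch in the visible lines; unless it is set earlier, a scalar `$value` leaves it undefined when it is bound. The enclosing method starts and ends outside the hunk, so both points need checking against the full function.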