From a3ae3805d15115a0d5bef9d94a2a25ea4c2b2859 Mon Sep 17 00:00:00 2001
From: Jellyfrog
Date: Thu, 9 Jul 2020 19:48:36 +0200
Subject: [PATCH] Sanitize graph title input (#11919)
---
 includes/html/graphs/graph.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/html/graphs/graph.inc.php b/includes/html/graphs/graph.inc.php
index 020f8bb289..673f23f7a1 100644
--- a/includes/html/graphs/graph.inc.php
+++ b/includes/html/graphs/graph.inc.php
@@ -60,7 +60,7 @@ function graph_error($string)
 include 'includes/html/graphs/common.inc.php';
 $rrd_options .= ' HRULE:0#555555';
- $rrd_options .= " --title='".$string."'";
+ $rrd_options .= " --title=" . escapeshellarg($string);
 rrdtool_graph($graphfile, $rrd_options);
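Review bot: The quoting added on the `--title` line protects only this one option, while `$rrd_options` is still assembled as a single command string and handed to `rrdtool_graph()`, so any other value appended to it needs the same treatment. The rest of `graph_error()` and the included `common.inc.php` are outside this hunk, so whether they append request-derived values cannot be confirmed from here and is worth auditing in the same pass. I would also put a comment above the changed line, for example `// $string may contain caller-supplied text; pass it as one quoted shell argument`, so the quoting is not simplified away in a later cleanup. Note that `escapeshellarg()` depends on the process locale and can drop bytes that are invalid in it, so non-ASCII error titles may render shortened unless the locale is set to a UTF-8 one.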