diff --git a/autoload/Domain/Product/ProductRepository.php b/autoload/Domain/Product/ProductRepository.php
index ddef888..562db10 100644
--- a/autoload/Domain/Product/ProductRepository.php
+++ b/autoload/Domain/Product/ProductRepository.php
@@ -1751,8 +1751,10 @@ class ProductRepository
         if ( \Shared\Helpers\Helpers::is_array_fix( $customFields ) ) {
             foreach ( $customFields as $row ) {
                 $this->db->insert( 'pp_shop_products_custom_fields', [
-                    'id_product' => $newProductId,
-                    'name'       => $row['name'],
+                    'id_product'  => $newProductId,
+                    'name'        => $row['name'],
+                    'type'        => $row['type'] ?? 'text',
+                    'is_required' => $row['is_required'] ?? 0,
                 ] );
             }
         }
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index aa77310..5ffc45f 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -4,6 +4,13 @@ Logi zmian z migracji na Domain-Driven Architecture. Najnowsze na gorze.
 
 ---
 
+## ver. 0.343 (2026-03-19) - Custom fields: type + is_required + obsługa obrazków w koszyku
+
+- **FIX**: `autoload/Domain/Product/ProductRepository.php` — kopiowanie custom fields przy duplikacji produktu uwzględnia teraz pola `type` i `is_required`
+- **FIX**: `templates/shop-basket/_partials/product-custom-fields.php` — ochrona XSS (htmlspecialchars), obsługa pola typu `image`, bezpieczny fallback typu na `text`
+
+---
+
 ## ver. 0.342 (2026-03-19) - Apilo: email z danymi zamówienia + infinite retry dla order jobów
 
 - **FIX**: `cron.php` — email notyfikacji Apilo zawiera teraz dane zamówienia (numer, klient, data, kwota) zamiast surowego JSON payload; temat emaila zawiera numery zamówień
diff --git a/docs/TODO.md b/docs/TODO.md
index 2f19ae1..5f58c39 100644
--- a/docs/TODO.md
+++ b/docs/TODO.md
@@ -73,4 +73,34 @@ Dodać możliwość ustawienia limitu znaków w wiadomościach do produktu
 - [ ] [MINOR] autoload/api/ApiRouter.php:107 — Remove unused "$db" local variable (php:S1481)
 - [ ] [MINOR] cron.php:198 — Remove unused "$orderAdminService" local variable (php:S1481)
 - [ ] [MINOR] cron.php:524 — Remove unused "$mdb" local variable (php:S1481)
-- [ ] [MINOR] cron.php:539 — Remove unused "$mdb" local variable (php:S1481)
\ No newline at end of file
+- [ ] [MINOR] cron.php:539 — Remove unused "$mdb" local variable (php:S1481)
+
+## SonarQube — 0.343 (2026-03-19)
+
+### Nowe issues (nie występowały w 0.340)
+
+#### Code Smells — CRITICAL
+
+- [ ] [CRITICAL] autoload/admin/App.php:39 — Cognitive Complexity 37 (max 15) (php:S3776)
+- [ ] [CRITICAL] autoload/admin/App.php:50 — Duplicated literal "Location: /admin/" 8 times (php:S1192)
+- [ ] [CRITICAL] autoload/front/Controllers/ShopOrderController.php:86 — Cognitive Complexity 22 (max 15) (php:S3776)
+- [ ] [CRITICAL] autoload/front/Controllers/ShopBasketController.php:275 — Duplicated literal "Location: /koszyk" 6 times (php:S1192)
+- [ ] [CRITICAL] autoload/front/Controllers/ShopBasketController.php:287 — Duplicated literal "Location: /zamowienie/" 3 times (php:S1192)
+- [ ] [CRITICAL] autoload/front/Controllers/ShopBasketController.php:495 — Add curly braces around nested statement(s) (php:S121)
+- [ ] [CRITICAL] autoload/Domain/Integrations/IntegrationsRepository.php:33 — Add curly braces around nested statement(s) (php:S121)
+- [ ] [CRITICAL] autoload/Domain/Integrations/ApiloRepository.php:449 — Cognitive Complexity 22 (max 15) (php:S3776)
+- [ ] [CRITICAL] autoload/Domain/Order/OrderRepository.php:635 — Cognitive Complexity 61 (max 15) (php:S3776)
+- [ ] [CRITICAL] cron.php:198 — Cognitive Complexity 109 (max 15) (php:S3776)
+- [ ] [CRITICAL] cron.php:651 — Cognitive Complexity 18 (max 15) (php:S3776)
+
+#### Code Smells — MAJOR
+
+- [ ] [MAJOR] cron.php:198 — Function has 305 lines (max 150) (php:S138)
+- [ ] [MAJOR] cron.php:572 — Unused function parameter "$payload" (php:S1172)
+- [ ] [MAJOR] cron.php:572 — 5 returns (max 3) (php:S1142)
+- [ ] [MAJOR] cron.php:605 — Unused function parameter "$payload" (php:S1172)
+- [ ] [MAJOR] cron.php:605 — 4 returns (max 3) (php:S1142)
+- [ ] [MAJOR] cron.php:651 — Unused function parameter "$payload" (php:S1172)
+- [ ] [MAJOR] autoload/Domain/Integrations/ApiloRepository.php:53 — 4 returns (max 3) (php:S1142)
+- [ ] [MAJOR] autoload/Domain/Integrations/ApiloRepository.php:93 — 4 returns (max 3) (php:S1142)
+- [ ] [MAJOR] autoload/Domain/Integrations/ApiloRepository.php:105 — Merge if statement with enclosing one (php:S1066)
\ No newline at end of file
diff --git a/templates/shop-basket/_partials/product-custom-fields.php b/templates/shop-basket/_partials/product-custom-fields.php
index a9134c7..d0b651f 100644
--- a/templates/shop-basket/_partials/product-custom-fields.php
+++ b/templates/shop-basket/_partials/product-custom-fields.php
@@ -1,20 +1,26 @@
 <? if ( $this -> custom_fields ) : ?>
   <? foreach ( $this -> custom_fields as $key => $val ) : ?>
     <? $custom_field = ( new \Domain\Product\ProductRepository( $GLOBALS['mdb'] ) )->findCustomFieldCached( $key ); ?>
-    
-    <? if ( $custom_field['type'] == 'text' ) : ?>
+    <? $field_type = !empty( $custom_field['type'] ) ? $custom_field['type'] : 'text'; ?>
+
+    <? if ( $field_type == 'text' ) : ?>
       <div class="custom-field">
         <div class="_name">
-          <?
-            echo $custom_field['name'] . ':';
-          ?>
+          <?= htmlspecialchars( $custom_field['name'] ) . ':'; ?>
         </div>
         <div class="_text">
-          <?= $val;?>
+          <?= nl2br( htmlspecialchars( $val ) );?>
+        </div>
+      </div>
+    <? elseif ( $field_type == 'image' && !empty( $val ) ) : ?>
+      <div class="custom-field">
+        <div class="_name">
+          <?= htmlspecialchars( $custom_field['name'] ) . ':'; ?>
+        </div>
+        <div class="_image">
+          <img src="<?= htmlspecialchars( $val );?>" alt="<?= htmlspecialchars( $custom_field['name'] );?>">
         </div>
       </div>
-    <? elseif ( $custom_field['type'] == 'image' ) : ?>
-
     <? endif; ?>
   <? endforeach; ?>
 <? endif;?>
\ No newline at end of file