From 62532260efe31f7da7e29fd07b1f7287fb8fc9ee Mon Sep 17 00:00:00 2001
From: Iglocska <andras.iklody@gmail.com>
Date: Wed, 2 Sep 2015 10:18:08 +0200
Subject: [PATCH] Addition to the previous commit

---
 app/Controller/EventsController.php   | 1 +
 app/View/Events/ajax/exportChoice.ctp | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 1c5232539..4ae654b6c 100755
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -3190,6 +3190,7 @@ class EventsController extends AppController {
 	}
 	
 	public function exportChoice($id) {
+		if (!is_numeric($id)) throw new MethodNotAllowedException('Invalid ID');
 		$event = $this->Event->find('first' ,array(
 				'conditions' => array('id' => $id),
 				'recursive' => -1,
diff --git a/app/View/Events/ajax/exportChoice.ctp b/app/View/Events/ajax/exportChoice.ctp
index d5560e005..0f9a869c6 100644
--- a/app/View/Events/ajax/exportChoice.ctp
+++ b/app/View/Events/ajax/exportChoice.ctp
@@ -9,8 +9,8 @@
 					<?php if ($export['checkbox']): 
 						echo h($export['checkbox_text']);
 					?>
-						<input id = "<?php echo $k . '_toggle';?>" type="checkbox" style="align;vertical-align:top;margin-top:8px;">
-						<span id ="<?php echo $k?>_set" style="display:none;"><?php echo h($export['checkbox_set']); ?></span>
+						<input id = "<?php echo h($k) . '_toggle';?>" type="checkbox" style="align;vertical-align:top;margin-top:8px;">
+						<span id ="<?php echo h($k);?>_set" style="display:none;"><?php echo h($export['checkbox_set']); ?></span>
 					<?php else: ?>
 						&nbsp;
 					<?php endif; ?>