From 684d3e51398d4ea032b06fa4a1cd2bdf7d8b0ede Mon Sep 17 00:00:00 2001
From: iglocska <andras.iklody@gmail.com>
Date: Thu, 22 Dec 2022 15:37:43 +0100
Subject: [PATCH] fix: [security] XSS in the template file uploads

- as reported by Dawid Czarnecki from Zigrin Security
---
 app/View/Templates/upload_file.ctp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/View/Templates/upload_file.ctp b/app/View/Templates/upload_file.ctp
index 77d68182a..315b50be6 100644
--- a/app/View/Templates/upload_file.ctp
+++ b/app/View/Templates/upload_file.ctp
@@ -6,7 +6,7 @@ if ($batch == 'yes') {
     $multiple = false;
     if (isset($filenames)) {
         $buttonText = __('Replace File');
-    } else {
+    } else {    
         $buttonText = __('Upload File');
     }
 }
@@ -18,13 +18,13 @@ if ($batch == 'yes') {
         echo $this->Form->end();
     ?>
 </div>
-<span id="fileUploadButton_<?php echo $element_id; ?>"  role="button" tabindex="0" aria-label="<?php echo $buttonText; ?>" title="<?php echo $buttonText; ?>" class="btn btn-primary" onClick="templateFileUploadTriggerBrowse('<?php echo $element_id; ?>');"><?php echo $buttonText; ?></span>
+<span id="fileUploadButton_<?php echo h($element_id); ?>"  role="button" tabindex="0" aria-label="<?php echo $buttonText; ?>" title="<?php echo $buttonText; ?>" class="btn btn-primary" onClick="templateFileUploadTriggerBrowse(<?php echo json_encode($element_id); ?>);"><?php echo $buttonText; ?></span>
 <script type="text/javascript">
 $(document).ready(function() {
     <?php if (isset($filenames)): ?>
     var fileArray = JSON.parse('<?php echo $fileArray;?>');
-    templateFileHiddenAdd(fileArray, '<?php echo $element_id; ?>', '<?php echo $batch; ?>');
-    showMessage('<?php echo $upload_error ? 'fail' : 'success'; ?>', '<?php echo $result; ?>', 'iframe');
+    templateFileHiddenAdd(fileArray, '<?php echo h($element_id); ?>', '<?php echo h($batch); ?>');
+    showMessage('<?php echo $upload_error ? 'fail' : 'success'; ?>', '<?php echo h($result); ?>', 'iframe');
     <?php endif; ?>
 });