Merge pull request from GHSA-hj6w-xrv3-wjj9
Security fix for GHSA-hj6w-xrv3-wjj9
mark-netalico committed Jan 19, 2021
2 parents 0786aa4 + 32940ab commit 4132668
Showing 1 changed file with 5 additions and 0 deletions.
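--- a/app/code/core/Mage/Widget/Model/Widget/Instance.php
+++ b/app/code/core/Mage/Widget/Model/Widget/Instance.php
@@ -495,6 +495,11 @@ public function getWidgetSupportedTemplatesByBlock($blockReference)
 */
 public function generateLayoutUpdateXml($blockReference, $templatePath = '')
 {
+if ($templatePath !== htmlspecialchars($templatePath, ENT_QUOTES | ENT_HTML5)
+|| $blockReference !== htmlspecialchars($blockReference, ENT_QUOTES | ENT_HTML5)) {
+Mage::throwException('Templatepath or block reference contain special characters.');
+}
+
 $templateFilename = Mage::getSingleton('core/design_package')->getTemplateFilename($templatePath, array(
 '_area' => $this->getArea(),
 '_package' => $this->getPackage(),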
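Review bot: The guard at the top of generateLayoutUpdateXml() is a denylist: it only rejects values that htmlspecialchars() would alter (`&`, `<`, `>`, `"`, `'`), and because it compares with `!==`, a non-string argument such as `null` for `$templatePath` now throws even though it carries no markup. Judging by the method name these values end up in generated layout XML, but the rest of the body is outside the hunk, so it is worth confirming that every place they are interpolated is covered and that `$templatePath` is also constrained as a path before it reaches getTemplateFilename(). An allowlist would state the intent more directly, e.g. `if (!preg_match('#^[A-Za-z0-9_./-]*$#', (string) $templatePath)) { ... }`, with the character set checked against the template names actually in use. A short comment above the check, such as `// Reject markup characters: these values are used when building layout update XML.`, would tell the next maintainer why it is there.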
