From 32940abba6297f95f89f9247770549af8ce3af78 Mon Sep 17 00:00:00 2001
From: Mark
Date: Tue, 22 Dec 2020 08:36:19 -0500
Subject: [PATCH] Security fix for GHSA-hj6w-xrv3-wjj9

---
 app/code/core/Mage/Widget/Model/Widget/Instance.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/code/core/Mage/Widget/Model/Widget/Instance.php b/app/code/core/Mage/Widget/Model/Widget/Instance.php
index 6cc5b5a76bd..d09ce9fa743 100644
--- a/app/code/core/Mage/Widget/Model/Widget/Instance.php
+++ b/app/code/core/Mage/Widget/Model/Widget/Instance.php
@@ -495,6 +495,11 @@ public function getWidgetSupportedTemplatesByBlock($blockReference)
 */
 public function generateLayoutUpdateXml($blockReference, $templatePath = '')
 {
+ if ($templatePath !== htmlspecialchars($templatePath, ENT_QUOTES | ENT_HTML5)
+ || $blockReference !== htmlspecialchars($blockReference, ENT_QUOTES | ENT_HTML5)) {
+ Mage::throwException('Templatepath or block reference contain special characters.');
+ }
+
 $templateFilename = Mage::getSingleton('core/design_package')->getTemplateFilename($templatePath, array(
 '_area' => $this->getArea(),
 '_package' => $this->getPackage(),
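Review bot: The guard on the first two added lines is effectively a five-character denylist — the round trip through htmlspecialchars only changes `&`, `<`, `>`, `"` and `'` — so any other value that is unsafe in the generated layout XML or in a template path (path segments such as `..`, control characters, whitespace) still reaches getTemplateFilename unchanged unless that helper constrains it itself. An allowlist states the accepted shape directly and is easier to review, e.g. `if (!preg_match('/^[A-Za-z0-9_.\/-]*$/', $templatePath) || !preg_match('/^[A-Za-z0-9_.\/-]*$/', $blockReference))`; which characters existing widget instances actually use should be checked before tightening. The check also rejects a null `$blockReference` (htmlspecialchars returns `''`, which is not identical to null), which is a behaviour change if any caller passes null, and on PHP 8.1+ it emits a deprecation. The message on the throw line reads oddly (`Templatepath`), and the method docblock, which opens above the hunk, should gain `@throws Mage_Core_Exception` since that is what Mage::throwException raises. generateLayoutUpdateXml's body continues past the end of the hunk.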