Escape variables in javauploaddownload module

Author: Jamie Snape

modules/javauploaddownload/views/download/index.phtml

@@ -23,7 +23,7 @@
 <div class="viewMain">
     <div class="downloadDescription">
         <img class="descriptionImage" alt="" src="<?php echo $this->moduleWebroot; ?>/public/images/icons/move.png"/>
-        <?php echo $this->contentDescription; ?> will be downloaded.
+        <?php echo $this->escape($this->contentDescription); ?> will be downloaded.
     </div>
     <div class="downloadInstructions">
         Press the
@@ -37,13 +37,13 @@
             archive="<?php echo $this->moduleWebroot; ?>/public/java/upload/MidasUploader.jar?rev=3; ?>"
             code="com.kitware.utils.Main" mayscript="true">
         <param name="background" value="ffffff"/>
-        <param name="baseURL" value="<?php echo $this->protocol.'://'.$this->host.$this->webroot; ?>/"/>
+        <param name="baseURL" value="<?php echo $this->escape($this->protocol).'://'.$this->escape($this->host.$this->webroot); ?>/"/>
         <param name="downloadMode" value="true"/>
-        <param name="folderIds" value="<?php echo $this->folderIds; ?>"/>
-        <param name="itemIds" value="<?php echo $this->itemIds; ?>"/>
+        <param name="folderIds" value="<?php echo $this->escape($this->folderIds); ?>"/>
+        <param name="itemIds" value="<?php echo $this->escape($this->itemIds); ?>"/>
         <param name="loglevel" value="WARNING"/>
-        <param name="sessionId" value="<?php echo session_id(); ?>"/>
-        <param name="totalSize" value="<?php echo $this->totalSize; ?>"/>
+        <param name="sessionId" value="<?php echo $this->escape(session_id()); ?>"/>
+        <param name="totalSize" value="<?php echo $this->escape($this->totalSize); ?>"/>
         <param name="type" value="application/x-java-applet;version=1.5"/>
         You must install and enable Java on your system in order to use the Java download applet.
     </applet>

modules/javauploaddownload/views/element/license.phtml

@@ -18,8 +18,6 @@
  limitations under the License.
 =========================================================================*/
 
-$this->headScript()->appendFile($this->coreWebroot.'/public/js/common/common.license.js');
-
 if (!isset($this->selectedLicense) || $this->selectedLicense == null) {
     $this->selectedLicense = -1;
 }
@@ -29,8 +27,8 @@ if (!isset($this->selectedLicense) || $this->selectedLicense == null) {
     <select name="licenseSelect">
         <?php
         foreach ($this->allLicenses as $license) {
-            echo '<option value="'.$license->getKey().'" '.(($this->selectedLicense == $license->getKey(
-                    )) ? 'selected' : '').'>'.$license->getName().'</option>';
+            echo '<option value="'.$this->escape($license->getKey()).'" '.(($this->selectedLicense == $license->getKey(
+                    )) ? 'selected' : '').'>'.$this->escape($license->getName()).'</option>';
         }
         ?>
     </select>

modules/javauploaddownload/views/upload/index.phtml

@@ -23,11 +23,11 @@
 <div>
     <br/>
     <b><?php echo $this->t('Destination:'); ?></b>
-    <span class="destinationUpload"><?php echo $this->defaultUploadLocationText; ?></span>
+    <span class="destinationUpload"><?php echo $this->escape($this->defaultUploadLocationText); ?></span>
     <br/>
 
     <div class="belowDestinationUpload"></div>
-    <input type="hidden" name="parent" class="destinationId" value="<?php echo $this->defaultUploadLocation; ?>"/>
+    <input type="hidden" name="parent" class="destinationId" value="<?php echo $this->escape($this->defaultUploadLocation); ?>"/>
     <br/>
     <input class="browseMIDASLink globalButton" type="button" value="Choose location"/>
     <br/><br/>
@@ -45,15 +45,15 @@
 <applet name="MidasUploader" class="uploadApplet" width="480" height="175"
         archive="<?php echo $this->moduleWebroot; ?>/public/java/upload/MidasUploader.jar?rev=3; ?>"
         code="com.kitware.utils.Main" mayscript="true">
-    <param name="apiURL" value="<?php echo $this->protocol."://".$this->host.$this->webroot; ?>/api/json"/>
+    <param name="apiURL" value="<?php echo $this->escape($this->protocol)."://".$this->escape($this->host.$this->webroot); ?>/api/json"/>
     <param name="background" value="ffffff"/>
     <param name="baseURL"
-           value="<?php echo $this->protocol."://".$this->host.$this->webroot; ?>/javauploaddownload/upload/"/>
+           value="<?php echo $this->escape($this->protocol)."://".$this->escape($this->host.$this->webroot); ?>/javauploaddownload/upload/"/>
     <param name="getUploadFileOffsetBaseURL" value="gethttpuploadoffset/"/>
     <param name="loglevel" value="WARNING"/>
     <param name="onSuccessfulUploadRedirectEnable" value="true"/>
     <param name="onSuccessRedirectURL" value="review"/>
-    <param name="sessionId" value="<?php echo session_id(); ?>"/>
+    <param name="sessionId" value="<?php echo $this->escape(session_id()); ?>"/>
     <param name="type" value="application/x-java-applet;version=1.5"/>
     <param name="uploadFileBaseURL" value="processjavaupload?sid="/>
     <param name="uploadType" value="item"/>

modules/javauploaddownload/views/upload/revision.phtml

@@ -47,15 +47,15 @@
             code="com.kitware.utils.Main" mayscript="true">
         <param name="background" value="ffffff"/>
         <param name="baseURL"
-               value="<?php echo $this->protocol."://".$this->host.$this->webroot; ?>/javauploaddownload/upload/"/>
+               value="<?php echo $this->escape($this->protocol)."://".$this->escape($this->host.$this->webroot); ?>/javauploaddownload/upload/"/>
         <param name="getUploadFileOffsetBaseURL" value="gethttpuploadoffset/"/>
         <param name="loglevel" value="WARNING"/>
         <param name="onSuccessfulUploadRedirectEnable" value="true"/>
         <param name="onSuccessRedirectURL"
-               value="<?php echo $this->protocol."://".$this->host.$this->webroot ?>/item/<?php echo $this->item->getKey(
-               ); ?>"/>
-        <param name="parentItem" value="<?php echo $this->item->getKey(); ?>"/>
-        <param name="sessionId" value="<?php echo session_id(); ?>"/>
+               value="<?php echo $this->escape($this->protocol)."://".$this->escape($this->host.$this->webroot); ?>/item/<?php echo $this->escape($this->item->getKey(
+               )); ?>"/>
+        <param name="parentItem" value="<?php echo $this->escape($this->item->getKey()); ?>"/>
+        <param name="sessionId" value="<?php echo $this->escape(session_id()); ?>"/>
         <param name="type" value="application/x-java-applet;version=1.5"/>
         <param name="uploadFileBaseURL" value="processjavarevisionupload?sid="/>
         <param name="uploadType" value="revision"/>