Escape variables in dicomanonymize module

Author: Jamie Snape

modules/dicomanonymize/views/element/license.phtml

@@ -18,8 +18,6 @@
  limitations under the License.
 =========================================================================*/
 
-$this->headScript()->appendFile($this->coreWebroot.'/public/js/common/common.license.js');
-
 if (!isset($this->selectedLicense) || $this->selectedLicense == null) {
     $this->selectedLicense = -1; // don't pre-select any in this case
 }
@@ -29,8 +27,8 @@ if (!isset($this->selectedLicense) || $this->selectedLicense == null) {
     <select name="licenseSelect">
         <?php
         foreach ($this->allLicenses as $license) {
-            echo '<option value="'.$license->getKey().'" '.(($this->selectedLicense == $license->getKey(
-                    )) ? 'selected' : '').'>'.$license->getName().'</option>';
+            echo '<option value="'.$this->escape($license->getKey()).'" '.(($this->selectedLicense == $license->getKey(
+                    )) ? 'selected' : '').'>'.$this->escape($license->getName()).'</option>';
         }
         ?>
 

modules/dicomanonymize/views/upload/index.phtml

@@ -25,11 +25,11 @@
 <div>
     <br/>
     <b><?php echo $this->t('Destination:') ?></b>
-    <span class="destinationUpload"><?php echo $this->defaultUploadLocationText ?></span>
+    <span class="destinationUpload"><?php echo $this->escape($this->defaultUploadLocationText); ?></span>
     <br/><br/>
 
     <div class="belowDestinationUpload" style="display: none;"></div>
-    <input type="hidden" name="parent" class="destinationId" value="<?php echo $this->defaultUploadLocation ?>"/>
+    <input type="hidden" name="parent" class="destinationId" value="<?php echo $this->escape($this->defaultUploadLocation); ?>"/>
     <br/>
     <input style="margin-left: 0;" class="browseMIDASLink globalButton" type="button" value="Choose location"/>
     <br/><br/>
@@ -63,14 +63,14 @@
     <param name="type" value="application/x-java-applet;version=1.5"/>
     <param name="background" value="ffffff"/>
     <param name="loglevel" value="WARNING"/>
-    <param name="sessionId" value="<?php echo session_id(); ?>"/>
+    <param name="sessionId" value="<?php echo $this->escape(session_id()); ?>"/>
     <param name="baseURL"
-           value="<?php echo $this->protocol.'://'.$this->host.$this->webroot ?>/javauploaddownload/upload/"/>
-    <param name="webroot" value="<?php echo $this->protocol.'://'.$this->host.$this->webroot ?>"/>
+           value="<?php echo $this->escape($this->protocol).'://'.$this->escape($this->host.$this->webroot); ?>/javauploaddownload/upload/"/>
+    <param name="webroot" value="<?php echo $this->escape($this->protocol).'://'.$this->escape($this->host.$this->webroot); ?>"/>
     <param name="apiURL"
-           value="<?php echo $this->protocol.'://'.$this->host.$this->webroot ?>/api/json?useSession&method="/>
+           value="<?php echo $this->escape($this->protocol).'://'.$this->escape($this->host.$this->webroot); ?>/api/json?useSession&method="/>
     <param name="daScript"
-           value="<?php echo $this->protocol.'://'.$this->host.$this->webroot ?>/modules/dicomanonymize/public/java/upload/DA.script"/>
+           value="<?php echo $this->escape($this->protocol).'://'.$this->escape($this->host.$this->webroot); ?>/modules/dicomanonymize/public/java/upload/DA.script"/>
     <param name="getUploadFileOffsetBaseURL" value="gethttpuploadoffset/"/>
     <param name="onSuccessfulUploadRedirectEnable" value="true"/>
     <param name="onSuccessRedirectURL" value="/item/"/>