From 0682f7b10ce687db682fa9d45088910b4973765d Mon Sep 17 00:00:00 2001
From: divinity76
Date: Sat, 23 Jul 2022 09:26:16 +0200
Subject: [PATCH] fix xss / GH-2252

ref https://github.com/serghey-rodin/vesta/issues/2252
---
 web/api/v1/upload/UploadHandler.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/web/api/v1/upload/UploadHandler.php b/web/api/v1/upload/UploadHandler.php
index aedd747ca..0c80e8f40 100755
--- a/web/api/v1/upload/UploadHandler.php
+++ b/web/api/v1/upload/UploadHandler.php
@@ -1191,6 +1191,13 @@ class UploadHandler
                     ));
                 }
             }
+            if(!headers_sent()){
+                // this is the most likely/expected path.
+                header("Content-Type: text/javascript; charset=UTF-8");
+            } else {
+                // html-encode json to prevent xss...
+                $json = htmlentities($json, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML401);
+            }
             $this->body($json);
         }
         return $content;
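Review bot: The `else` branch silently rewrites the JSON payload with `htmlentities()` once headers have already gone out, which corrupts the response for every legitimate client (quotes and slashes become entities, so `JSON.parse` fails) while only partially addressing the underlying problem, namely that something emitted output before this point and whatever Content-Type was already sent now governs how the body is interpreted. That condition is better treated as a defect to log and fail on than one to paper over, and if the branch stays its comment should state what it guards against instead of trailing off in `...`. On the primary path, `application/json` is the registered type for this body and is not a script-executable MIME type, so `header('Content-Type: application/json; charset=UTF-8');` is the safer choice over `text/javascript`; pairing it with `X-Content-Type-Options: nosniff` is worthwhile unless the code above the hunk already sends it, and note that this bare `header()` call overrides any Content-Type set earlier in the method since `header()` replaces by default. Minor style points: `if(!headers_sent()){` should be spaced `if (!headers_sent()) {` per PSR-12, and since the class routes output through `$this->body()`, a matching header wrapper, if the class has one, would be more consistent than calling `header()` directly. The enclosing method starts before the hunk.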