From 8ae863f5e7c241bf18c850e3d3511131db3717f3 Mon Sep 17 00:00:00 2001
From: Nathan van der Werf <nvanderwerf93@gmail.com>
Date: Tue, 13 Nov 2018 22:51:31 +0100
Subject: [PATCH] Escape output to minimize potential XSS opportunities (#3916)

Credit to @nathan-van-der-werf.
---
 modules/system/controllers/updates/_plugin_form.htm  | 4 ++--
 modules/system/controllers/updates/_project_form.htm | 2 +-
 modules/system/controllers/updates/_theme_form.htm   | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/system/controllers/updates/_plugin_form.htm b/modules/system/controllers/updates/_plugin_form.htm
index 03fb6c602..9b6108d3b 100644
--- a/modules/system/controllers/updates/_plugin_form.htm
+++ b/modules/system/controllers/updates/_plugin_form.htm
@@ -6,7 +6,7 @@
     <div class="modal-body">
 
         <?php if ($this->fatalError): ?>
-            <p class="flash-message static error"><?= $fatalError ?></p>
+            <p class="flash-message static error"><?= e($fatalError) ?></p>
         <?php endif ?>
 
         <div class="form-group">
@@ -16,7 +16,7 @@
                 type="text"
                 class="form-control"
                 id="pluginCode"
-                value="<?= post('code') ?>" />
+                value="<?= e(post('code')) ?>" />
             <p class="help-block"><?= e(trans('system::lang.plugin.name.help')) ?></p>
         </div>
 
diff --git a/modules/system/controllers/updates/_project_form.htm b/modules/system/controllers/updates/_project_form.htm
index f56135a74..3a133b817 100644
--- a/modules/system/controllers/updates/_project_form.htm
+++ b/modules/system/controllers/updates/_project_form.htm
@@ -6,7 +6,7 @@
     <div class="modal-body">
 
         <?php if ($this->fatalError): ?>
-            <p class="flash-message static error"><?= $fatalError ?></p>
+            <p class="flash-message static error"><?= e($fatalError) ?></p>
         <?php endif ?>
 
         <div class="form-group">
diff --git a/modules/system/controllers/updates/_theme_form.htm b/modules/system/controllers/updates/_theme_form.htm
index 8729e8974..e13239cca 100644
--- a/modules/system/controllers/updates/_theme_form.htm
+++ b/modules/system/controllers/updates/_theme_form.htm
@@ -6,7 +6,7 @@
     <div class="modal-body">
 
         <?php if ($this->fatalError): ?>
-            <p class="flash-message static error"><?= $fatalError ?></p>
+            <p class="flash-message static error"><?= e($fatalError) ?></p>
         <?php endif ?>
 
         <div class="form-group">
@@ -16,7 +16,7 @@
                 type="text"
                 class="form-control"
                 id="themeCode"
-                value="<?= post('code') ?>" />
+                value="<?= e(post('code')) ?>" />
             <p class="help-block"><?= e(trans('system::lang.theme.name.help')) ?></p>
         </div>