authorAndy Staudacher <andy.st@gmail.com>2009-08-29 15:41:02 -0700
committerAndy Staudacher <andy.st@gmail.com>2009-08-29 15:41:02 -0700
commit0204617b602183a3e157bc7e23c617acd22a5212 (patch)
tree429a7f7ecd3eb9e7cc846bbf5a4f28601e09d22d /modules/server_add/views
parentc4d5ecde66c7bffde2259b9815c050e6a4d8f333 (diff)
XSS fixes
Diffstat (limited to 'modules/server_add/views')
-rw-r--r--modules/server_add/views/admin_server_add.html.php4
-rw-r--r--modules/server_add/views/server_add_tree.html.php4
2 files changed, 4 insertions, 4 deletions
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index 30ab3536..c4439bda 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -11,12 +11,12 @@
<ul id="gPathList">
<? foreach ($paths as $id => $path): ?>
<li class="ui-icon-left">
- <a href="<?= url::site("admin/server_add/remove_path?path=$path&amp;csrf=$csrf") ?>"
+ <a href="<?= url::site("admin/server_add/remove_path?path=" . urlencode($path) . "&amp;csrf=$csrf") ?>"
id="icon_<?= $id?>"
class="gRemoveDir ui-icon ui-icon-trash">
X
</a>
- <?= $path ?>
+ <?= SafeString::of($path) ?>
</li>
<? endforeach ?>
</ul>
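Review bot: `id="icon_<?= $id?>"` on the line after the changed `href` still echoes `$id` unescaped, while both uses of `$path` in this hunk are now encoded. If the keys of `$paths` are integer row ids this is harmless, but nothing in the view constrains them, so wrapping it the same way, `id="icon_<?= SafeString::of($id) ?>"`, keeps the template to one escaping rule. The `urlencode` on the query value is the right encoder for that position: its output contains only unreserved characters, `+` and `%XX`, so the resulting URL is also safe inside the attribute.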
diff --git a/modules/server_add/views/server_add_tree.html.php b/modules/server_add/views/server_add_tree.html.php
index b68544ec..2f65a590 100644
--- a/modules/server_add/views/server_add_tree.html.php
+++ b/modules/server_add/views/server_add_tree.html.php
@@ -10,7 +10,7 @@
<li class="ui-icon-left">
<span class="ui-icon ui-icon-folder-open"></span>
<span ondblclick="open_dir('<?= $dir ?>')">
- <?= basename($dir) ?>
+ <?= SafeString::of(basename($dir)) ?>
</span>
<ul>
<? endforeach ?>
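Review bot: `ondblclick="open_dir('<?= $dir ?>')"` on the line above the changed one still writes `$dir` raw into a JavaScript string literal inside a double-quoted attribute, so a directory name containing `'` or `"` breaks out of the literal or the attribute; the commit only escapes the displayed basename. The second hunk of this file already avoids inline-JS interpolation by keeping the path in a `file` attribute and reading it with `$(this).attr('file')`, and the same pattern fits here: `<span file="<?= SafeString::of($dir) ?>" ondblclick="open_dir($(this).attr('file'))">` (assuming SafeString encodes quotes as well as angle brackets). The enclosing foreach starts before the hunk.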
@@ -22,7 +22,7 @@
<? if (is_dir($file)): ?>
ondblclick="open_dir($(this).attr('file'))"
<? endif ?>
- file="<?= $file ?>"
+ file="<?= strtr($file, array('"' => '\\"')) ?>"
>
<?= SafeString::of(basename($file)) ?>
</span>
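Review bot: The replacement `strtr($file, array('"' => '\\"'))` on the `file=` attribute escapes for the wrong context: the value sits in an HTML attribute, where a backslash has no meaning, so `\"` still terminates the attribute exactly as a bare `"` would and the remainder of the file name can introduce further attributes. The value should be HTML-escaped instead, `file="<?= SafeString::of($file) ?>"`, matching the display line two lines below; the browser decodes `&quot;` before `$(this).attr('file')` reads it, so `open_dir` still receives the original path. The `<span>` this attribute belongs to opens before the hunk.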