Documents: Move form, add remove_xss

Author: jmontoyaa

main/document/document.php

@@ -1090,7 +1090,7 @@ function convertModal (id, format) {
                 false,
                 $curdirpath
             );
-            $moveForm .= '<legend>'.get_lang('Move').': '.$document_to_move['title'].'</legend>';
+            $moveForm .= '<legend>'.get_lang('Move').': '.Security::remove_XSS($document_to_move['title']).'</legend>';
 
             // filter if is my shared folder. TODO: move this code to build_move_to_selector function
             if (DocumentManager::is_my_shared_folder(api_get_user_id(), $curdirpath, $sessionId) &&

main/inc/lib/document.lib.php

@@ -5049,7 +5049,7 @@ public static function build_directory_selector(
 
         if (is_array($folders)) {
             $escaped_folders = [];
-            foreach ($folders as $key => &$val) {
+            foreach ($folders as $key => $val) {
                 $escaped_folders[$key] = Database::escape_string($val);
             }
             $folder_sql = implode("','", $escaped_folders);
@@ -5097,6 +5097,7 @@ public static function build_directory_selector(
                     } else {
                         $label = ' — '.$folder_titles[$folder];
                     }
+                    $label = Security::remove_XSS($label);
                     $parent_select->addOption($label, $folder_id);
                     if ($selected != '') {
                         $parent_select->setSelected($folder_id);