Merge pull request #2258 from divinity76/patch-5

fix xss / GH-2252

web/api/v1/upload/UploadHandler.php

@@ -1191,6 +1191,13 @@ class UploadHandler
                     ));
                 }
             }
+            if(!headers_sent()){
+                // this is the most likely/expected path.
+                header("Content-Type: application/json");
+            } else {
+                // html-encode json to prevent xss...
+                $json = htmlentities($json, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML401);
+            }
             $this->body($json);
         }
         return $content;