From 9b7cdb9c509ec7342670be22a02c20532b07ccac Mon Sep 17 00:00:00 2001
From: Alex Aragon <aragcar@gmail.com>
Date: Thu, 20 Jul 2017 18:07:53 -0500
Subject: [PATCH] fix add template - refs BT#13086

---
 main/admin/settings.lib.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/main/admin/settings.lib.php b/main/admin/settings.lib.php
index f37c6616b4..091f329312 100755
--- a/main/admin/settings.lib.php
+++ b/main/admin/settings.lib.php
@@ -1081,23 +1081,29 @@ function addEditTemplate()
 
             // Store the information in the database (as insert or as update).
             $table_system_template = Database::get_main_table('system_template');
+            $cssFile = api_get_path(WEB_CSS_PATH).'themes/'.api_get_visual_theme().'/editor.css';
+            $style = '<link href="'.$cssFile.'" rel="stylesheet" media="screen" type="text/css" />';
+            $bootstrap = '<link href="'.api_get_path(WEB_PUBLIC_PATH).'assets/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet" media="screen" type="text/css" />';
+            $viewport = '<meta name="viewport" content="width=device-width, initial-scale=1.0">';
+            
             if ($_GET['action'] == 'add') {
-                $content_template = Security::remove_XSS($values['template_text'], COURSEMANAGERLOWSECURITY);
+                $templateContent = '<head>'.$viewport.'<title>'.$values['title'].'</title>'.$style.$bootstrap.'</head>'
+                    . '<body>'.Database::escape_string($values['template_text']).'</body>';
+                $content_template = Security::remove_XSS($templateContent, COURSEMANAGERLOWSECURITY);
                 $params = [
                     'title' =>  $values['title'],
                     'content' => $content_template,
                     'image' => $new_file_name
                 ];
+                
+                
                 Database::insert($table_system_template, $params);
 
                 // Display a feedback message.
                 echo Display::return_message(get_lang('TemplateAdded'), 'confirm');
                 echo '<a href="settings.php?category=Templates&action=add">'.Display::return_icon('new_template.png', get_lang('AddTemplate'), '', ICON_SIZE_MEDIUM).'</a>';
             } else {
-                $cssFile = api_get_path(WEB_CSS_PATH).'themes/'.api_get_visual_theme().'/editor.css';
-                $style = '<link href="'.$cssFile.'" rel="stylesheet" media="screen" type="text/css" />';
-                $bootstrap = '<link href="'.api_get_path(WEB_PUBLIC_PATH).'assets/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet" media="screen" type="text/css" />';
-                $viewport = '<meta name="viewport" content="width=device-width, initial-scale=1.0">';
+                
                 $content_template = '<head>'.$viewport.'<title>'.$values['title'].'</title>'.$style.$bootstrap.'</head>'
                     . '<body>'.Database::escape_string($values['template_text']).'</body>';
                 $sql = "UPDATE $table_system_template set title = '".Database::escape_string($values['title'])."', content = '".$content_template."'";