Fix a potential XSS vulnerability on the hardcopy page.

This is another case where a URL parameter is inserted directly into the
page without being escaped.  This just escapes the parameter value to
prevent the possibility of an XSS attack.

Author: drgrice1

lib/WeBWorK/ContentGenerator/Hardcopy.pm

@@ -10,6 +10,7 @@ problem sets.
 
 use File::Temp qw/tempdir/;
 use Mojo::File;
+use Mojo::Util qw(xml_escape);
 use String::ShellQuote;
 use Archive::Zip qw(:ERROR_CODES);
 use XML::LibXML;
@@ -284,13 +285,14 @@ async sub pre_header_initialize ($c) {
 		my $fullFilePath = "$ce->{webworkDirs}{tmp}/$courseID/hardcopy/$userID/$tempFile";
 
 		unless (-e $fullFilePath) {
-			$c->addbadmessage($c->maketext('The requested file "[_1]" does not exist on the server.', $tempFile));
+			$c->addbadmessage(
+				$c->maketext('The requested file "[_1]" does not exist on the server.', xml_escape($tempFile)));
 			return;
 		}
 
 		unless ($baseName =~ /\.$userID\./ || $authz->hasPermissions($userID, 'download_hardcopy_multiuser')) {
 			$c->addbadmessage($c->maketext('You do not have permission to access the requested file "[_1]".'),
-				$tempFile);
+				xml_escape($tempFile));
 			return;
 		}