--- loncom/interface/lonsyllabus.pm	2022/01/01 21:32:06	1.138.2.8.2.1
+++ loncom/interface/lonsyllabus.pm	2023/01/21 21:34:08	1.138.2.8.2.2
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Syllabus
 #
-# $Id: lonsyllabus.pm,v 1.138.2.8.2.1 2022/01/01 21:32:06 raeburn Exp $
+# $Id: lonsyllabus.pm,v 1.138.2.8.2.2 2023/01/21 21:34:08 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -170,6 +170,7 @@ sub handler {
                 } else {
                     my $brcrum;
                     if ($env{'form.folderpath'} =~ /^supplemental/) {
+                        &Apache::loncommon::validate_folderpath(1,'',$cnum,$cdom);
                         my $title = $env{'form.title'};
                         if ($title eq '') {
                             $title = &mt('Syllabus');
@@ -205,10 +206,12 @@ sub handler {
                     $is_pdf = 1;
                 }
                 if ($env{'form.folderpath'} =~ /^supplemental/) {
+                    &Apache::loncommon::validate_folderpath(1,'',$cnum,$cdom);
                     my $title = $env{'form.title'};
                     if ($title eq '') {
                         $title = &mt('Syllabus');
                     }
+                    $title = &HTML::Entities::encode($title,'\'"<>&');
                     $brcrum =
                         &Apache::lonhtmlcommon::docs_breadcrumbs(undef,$crstype,undef,$title,1);
                 }
@@ -767,6 +770,7 @@ sub get_breadcrumbs{
     my ($cdom,$cnum,$crstype,$args) = @_;
     return unless (ref($args) eq 'HASH');
     if ($env{'form.folderpath'} =~ /^supplemental/) {
+        &Apache::loncommon::validate_folderpath(1,'',$cnum,$cdom);  
         my $title = $env{'form.title'};
         if ($title eq '') {
             $title = &mt('Syllabus');