--- get_template_xml.php.orig 2022-07-04 14:45:34.000000000 +0100
+++ get_template_xml.php 2023-12-15 12:17:01.054847435 +0000
@@ -29,16 +29,18 @@
 $full_unsafe_file_path = $xerte_toolkits_site->root_file_path . $unsafe_file_path;
+$twodots = strpos($full_unsafe_file_path, '..');
+
 // Account for Windows, because realpath changes / to \
 if(DIRECTORY_SEPARATOR !== '/') {
 $full_unsafe_file_path = str_replace('/', DIRECTORY_SEPARATOR, $full_unsafe_file_path);
 }
 // This gets the canonical file name, so in case of 542-tom-Notingham/../../../../etc/passwd -> /etc/passwd
 $realpath = realpath($full_unsafe_file_path);
-// Check that is start with root_path/USER-FILES
-if ($realpath !== false && $realpath === $full_unsafe_file_path) {
+// Check that it starts with root_path/USER-FILES or at least doesn't contain '..'.
+if ($realpath !== false && ($realpath === $full_unsafe_file_path || $twodots === false)) {
 echo file_get_contents($realpath);
 } else{
 echo "Not found!";
-}
\ No newline at end of file
+}
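Review bot: The added `|| $twodots === false` alternative in the new `if` lets any path that merely lacks a literal `..` skip the canonical-path comparison entirely, so the guard no longer enforces the containment its comment describes — a symlink below the user files directory, or a base path that `realpath` rewrites, now passes solely because the raw string has no `..`. Neither side of the condition checks that `$realpath` actually begins with the intended directory. Compare the canonical result against the canonical base instead: `$base = realpath($xerte_toolkits_site->root_file_path);` followed by `if ($realpath !== false && $base !== false && strpos($realpath, $base . DIRECTORY_SEPARATOR) === 0) {`, which keeps the separator-normalised comparison and drops the substring heuristic. The trailing `DIRECTORY_SEPARATOR` prevents a sibling directory that shares the prefix from matching. How `$unsafe_file_path` is derived is outside the hunk, so I cannot tell whether it is already constrained upstream.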