
Add missing HTML/url encoding (5245-chunk9) (#5255)

* Add missing HTML/url encoding (5245-chunk9)
There were reports that missing HTML encoding in some templates could lead to XSS / JavaScript injection.

Reviewable chunk of #5245 , which grew too large.
divinity76 3 дней назад
Родитель
Сommit
0a603baceb
2 измененных файлов с 130 добавлено и 130 удалено
  1. 110 110
      web/templates/pages/add_package.php
  2. 20 20
      web/templates/pages/edit_server_nginx.php

+ 110 - 110
web/templates/pages/add_package.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/package/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -22,229 +22,229 @@
 		name="v_add_package"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add Package") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Package")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_package" class="form-label"><?= _("Package Name") ?></label>
-				<input type="text" class="form-control" name="v_package" id="v_package" value="<?= htmlentities(trim($v_package, "'")) ?>" required>
+				<label for="v_package" class="form-label"><?= tohtml( _("Package Name")) ?></label>
+				<input type="text" class="form-control" name="v_package" id="v_package" value="<?= tohtml(trim($v_package, "'")) ?>" required>
 			</div>
 			<div class="u-mb10">
 				<label for="v_disk_quota" class="form-label">
-					<?= _("Quota") ?> <span class="optional">(<?= _("in MB") ?>)</span>
+					<?= tohtml( _("Quota")) ?> <span class="optional">(<?= tohtml( _("in MB")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
-					<input type="text" class="form-control" name="v_disk_quota" id="v_disk_quota" value="<?= htmlentities(trim($v_disk_quota, "'")) ?>">
-					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+					<input type="text" class="form-control" name="v_disk_quota" id="v_disk_quota" value="<?= tohtml(trim($v_disk_quota, "'")) ?>">
+					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 						<i class="fas fa-infinity"></i>
 					</button>
 				</div>
 			</div>
 			<div class="u-mb10">
 				<label for="v_bandwidth" class="form-label">
-					<?= _("Bandwidth") ?> <span class="optional">(<?= _("in MB") ?>)</span>
+					<?= tohtml( _("Bandwidth")) ?> <span class="optional">(<?= tohtml( _("in MB")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
-					<input type="text" class="form-control" name="v_bandwidth" id="v_bandwidth" value="<?= htmlentities(trim($v_bandwidth, "'")) ?>">
-					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+					<input type="text" class="form-control" name="v_bandwidth" id="v_bandwidth" value="<?= tohtml(trim($v_bandwidth, "'")) ?>">
+					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 						<i class="fas fa-infinity"></i>
 					</button>
 				</div>
 			</div>
 			<div class="u-mb10">
-				<label for="v_backups" class="form-label"><?= _("Backups") ?></label>
-				<input type="text" class="form-control" name="v_backups" id="v_backups" value="<?= htmlentities(trim($v_backups, "'")) ?>">
+				<label for="v_backups" class="form-label"><?= tohtml( _("Backups")) ?></label>
+				<input type="text" class="form-control" name="v_backups" id="v_backups" value="<?= tohtml(trim($v_backups, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_backups_incremental" class="form-label"><?= _("Incremental Backups") ?></label>
+				<label for="v_backups_incremental" class="form-label"><?= tohtml( _("Incremental Backups")) ?></label>
 				<select class="form-select" name="v_backups_incremental" id="v_backups_incremental">
-					<option value="no"><?=_('Disabled')?></option>
-					<option value="yes" <?php if ('yes' == trim($v_backups_incremental, "''")): ?>
-						selected
-					<?php endif; ?>><?=_('Enabled')?></option>
+						<option value="no"><?= tohtml( _("Disabled")) ?></option>
+						<option value="yes" <?php if ('yes' == trim($v_backups_incremental, "''")): ?>
+							selected
+						<?php endif; ?>><?= tohtml( _("Enabled")) ?></option>
 				</select>
 			</div>
 			<details class="collapse" id="web-options">
 				<summary class="collapse-header">
-					<?= _("WEB") ?>
+					<?= tohtml( _("WEB")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_web_domains" class="form-label"><?= _("Web Domains") ?></label>
+						<label for="v_web_domains" class="form-label"><?= tohtml( _("Web Domains")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_web_domains" id="v_web_domains" value="<?= htmlentities(trim($v_web_domains, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_web_domains" id="v_web_domains" value="<?= tohtml(trim($v_web_domains, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_web_aliases" class="form-label">
-							<?= _("Web Aliases") ?> <span class="optional">(<?= _("per domain") ?>)</span>
+							<?= tohtml( _("Web Aliases")) ?> <span class="optional">(<?= tohtml( _("per domain")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_web_aliases" id="v_web_aliases" value="<?= htmlentities(trim($v_web_aliases, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_web_aliases" id="v_web_aliases" value="<?= tohtml(trim($v_web_aliases, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_web_template" class="form-label">
-							<?= _("Web Template") . " <span class='optional'> " . strtoupper($_SESSION["WEB_SYSTEM"]) . "</span>" ?>
+							<?= tohtml( _("Web Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["WEB_SYSTEM"])) ?></span>
 						</label>
 						<select class="form-select" name="v_web_template" id="v_web_template">
-							<?php
-								foreach ($web_templates as $key => $value) {
-									echo "\t\t\t\t<option value=\"".htmlentities($value)."\"";
-									if ((!empty($v_web_template)) && ( $value == trim($v_web_template, "'"))){
-										echo ' selected' ;
+								<?php
+									foreach ($web_templates as $key => $value) {
+										echo "\t\t\t\t<option value=\"" . tohtml($value) . "\"";
+										if ((!empty($v_web_template)) && ( $value == trim($v_web_template, "'"))){
+											echo ' selected' ;
+										}
+										echo ">" . tohtml($value) . "</option>\n";
 									}
-									echo ">".htmlentities($value)."</option>\n";
-								}
-							?>
+								?>
 						</select>
 					</div>
 					<?php if (!empty($_SESSION['WEB_BACKEND'])) { echo ""; ?>
 						<div class="u-mb10">
-							<label for="v_backend_template" class="form-label">
-								<?= _("Backend Template") . "<span class='optional'>" . strtoupper($_SESSION["WEB_BACKEND"]) . "</span>" ?>
-							</label>
+								<label for="v_backend_template" class="form-label">
+									<?= tohtml( _("Backend Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["WEB_BACKEND"])) ?></span>
+								</label>
 							<select class="form-select" name="v_backend_template" id="v_backend_template">
-								<?php
-									foreach ($backend_templates as $key => $value) {
-										echo "\t\t\t\t<option value=\"".$value."\"";
-										if ((!empty($v_backend_template)) && ( $value == trim($v_backend_template, "'"))){
-											echo ' selected' ;
+									<?php
+										foreach ($backend_templates as $key => $value) {
+											echo "\t\t\t\t<option value=\"" . tohtml($value) . "\"";
+											if ((!empty($v_backend_template)) && ( $value == trim($v_backend_template, "'"))){
+												echo ' selected' ;
+											}
+											echo ">" . tohtml($value) . "</option>\n";
 										}
-										echo ">".htmlentities($value)."</option>\n";
-									}
-								?>
+									?>
 							</select>
 						</div>
-					<?=""; }?>
+						<?php } ?>
 					<?php if (!empty($_SESSION['PROXY_SYSTEM'])) { echo ""; ?>
 						<div class="u-mb10">
-							<label for="v_proxy_template" class="form-label">
-								<?= _("Proxy Template") . "<span class='optional'>" . strtoupper($_SESSION["PROXY_SYSTEM"]) . "</span>" ?>
-							</label>
+								<label for="v_proxy_template" class="form-label">
+									<?= tohtml( _("Proxy Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["PROXY_SYSTEM"])) ?></span>
+								</label>
 							<select class="form-select" name="v_proxy_template" id="v_proxy_template">
 								<?php
 									foreach ($proxy_templates as $key => $value) {
-										echo "\t\t\t\t<option value=\"".htmlentities($value)."\"";
+										echo "\t\t\t\t<option value=\"" . tohtml($value) . "\"";
 										if ((!empty($v_proxy_template)) && ( $value == trim($v_proxy_template, "'"))){
 											echo ' selected' ;
 										}
-										echo ">".htmlentities($value)."</option>\n";
+										echo ">" . tohtml($value) . "</option>\n";
 									}
 								?>
 							</select>
 						</div>
-					<?=""; }?>
+						<?php } ?>
 				</div>
 			</details>
 			<details class="collapse" id="dns-options">
 				<summary class="collapse-header">
-					<?= _("DNS") ?>
+					<?= tohtml( _("DNS")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
 						<label for="v_dns_template" class="form-label">
-							<?= _("DNS Template") . "<span class='optional'>" . strtoupper($_SESSION["DNS_SYSTEM"]) . "</span>" ?>
+							<?= tohtml( _("DNS Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["DNS_SYSTEM"])) ?></span>
 						</label>
 						<select class="form-select" name="v_dns_template" id="v_dns_template">
-							<?php
-								foreach ($dns_templates as $key => $value) {
-									echo "\t\t\t\t<option value=\"".htmlentities($value)."\"";
-									if ((!empty($v_dns_template)) && ( $value == trim($v_dns_template, "'"))){
-										echo ' selected' ;
+								<?php
+									foreach ($dns_templates as $key => $value) {
+										echo "\t\t\t\t<option value=\"" . tohtml($value) . "\"";
+										if ((!empty($v_dns_template)) && ( $value == trim($v_dns_template, "'"))){
+											echo ' selected' ;
+										}
+										echo ">" . tohtml($value) . "</option>\n";
 									}
-									echo ">".htmlentities($value)."</option>\n";
-								}
-							?>
+								?>
 						</select>
 					</div>
 					<div class="u-mb10">
-						<label for="v_dns_domains" class="form-label"><?= _("DNS Zones") ?></label>
+						<label for="v_dns_domains" class="form-label"><?= tohtml( _("DNS Zones")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_dns_domains" id="v_dns_domains" value="<?= htmlentities(trim($v_dns_domains, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_dns_domains" id="v_dns_domains" value="<?= tohtml(trim($v_dns_domains, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_dns_records" class="form-label">
-							<?= _("DNS Records") ?> <span class="optional">(<?= _("per domain") ?>)</span>
+							<?= tohtml( _("DNS Records")) ?> <span class="optional">(<?= tohtml( _("per domain")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_dns_records" id="v_dns_records" value="<?= htmlentities(trim($v_dns_records, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_dns_records" id="v_dns_records" value="<?= tohtml(trim($v_dns_records, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<?php if (isset($_SESSION["DNS_SYSTEM"]) && !empty($_SESSION["DNS_SYSTEM"])) { ?>
-						<p class="form-label u-mb10"><?= _("Name Servers") ?></p>
+						<p class="form-label u-mb10"><?= tohtml( _("Name Servers")) ?></p>
 						<div class="u-mb5">
-							<input type="text" class="form-control" name="v_ns1" value="<?= htmlentities(trim($v_ns1, "'")) ?>">
+							<input type="text" class="form-control" name="v_ns1" value="<?= tohtml(trim($v_ns1, "'")) ?>">
 						</div>
 						<div class="u-mb5">
-							<input type="text" class="form-control" name="v_ns2" value="<?= htmlentities(trim($v_ns2, "'")) ?>">
+							<input type="text" class="form-control" name="v_ns2" value="<?= tohtml(trim($v_ns2, "'")) ?>">
 						</div>
 						<?php require $_SERVER["HESTIA"] . "/web/templates/includes/extra-ns-fields.php"; ?>
 						<button type="button" class="form-link u-mt20 js-add-ns" <?php if ($v_ns8) echo 'style="display:none;"'; ?>>
-							<?= _("Add Name Server") ?>
+							<?= tohtml( _("Add Name Server")) ?>
 						</button>
 					<?php } ?>
 				</div>
 			</details>
 			<details class="collapse" id="mail-options">
 				<summary class="collapse-header">
-					<?= _("MAIL") ?>
+					<?= tohtml( _("MAIL")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_mail_domains" class="form-label"><?= _("Mail Domains") ?></label>
+						<label for="v_mail_domains" class="form-label"><?= tohtml( _("Mail Domains")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_mail_domains" id="v_mail_domains" value="<?= htmlentities(trim($v_mail_domains, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_mail_domains" id="v_mail_domains" value="<?= tohtml(trim($v_mail_domains, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_mail_accounts" class="form-label">
-							<?= _("Mail Accounts") ?> <span class="optional">(<?= _("per domain") ?>)</span>
+							<?= tohtml( _("Mail Accounts")) ?> <span class="optional">(<?= tohtml( _("per domain")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_mail_accounts" id="v_mail_accounts" value="<?= htmlentities(trim($v_mail_accounts, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_mail_accounts" id="v_mail_accounts" value="<?= tohtml(trim($v_mail_accounts, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_ratelimit" class="form-label">
-							<?= _("Rate Limit") ?> <span class="optional">(<?= _("per account / hour") ?>)</span>
+							<?= tohtml( _("Rate Limit")) ?> <span class="optional">(<?= tohtml( _("per account / hour")) ?>)</span>
 						</label>
-						<input type="text" class="form-control" name="v_ratelimit" id="v_ratelimit" value="<?= htmlentities(trim($v_ratelimit, "'")) ?>">
+						<input type="text" class="form-control" name="v_ratelimit" id="v_ratelimit" value="<?= tohtml(trim($v_ratelimit, "'")) ?>">
 					</div>
 				</div>
 			</details>
 			<details class="collapse" id="database-options">
 				<summary class="collapse-header">
-					<?= _("DB") ?>
+					<?= tohtml( _("DB")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_databases" class="form-label"><?= _("Databases") ?></label>
+						<label for="v_databases" class="form-label"><?= tohtml( _("Databases")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_databases" id="v_databases" value="<?= htmlentities(trim($v_databases, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_databases" id="v_databases" value="<?= tohtml(trim($v_databases, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
@@ -253,28 +253,28 @@
 			</details>
 			<details class="collapse" id="system-options">
 				<summary class="collapse-header">
-					<?= _("System") ?>
+					<?= tohtml( _("System")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_cron_jobs" class="form-label"><?= _("Cron Jobs") ?></label>
+						<label for="v_cron_jobs" class="form-label"><?= tohtml( _("Cron Jobs")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_cron_jobs" id="v_cron_jobs" value="<?= htmlentities(trim($v_cron_jobs, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_cron_jobs" id="v_cron_jobs" value="<?= tohtml(trim($v_cron_jobs, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
-						<label for="v_shell" class="form-label"><?= _("SSH Access") ?></label>
+						<label for="v_shell" class="form-label"><?= tohtml( _("SSH Access")) ?></label>
 						<select class="form-select" name="v_shell" id="v_shell">
 							<?php foreach ($shells as $key => $value): ?>
-								<option value="<?= htmlentities($value) ?>"
+								<option value="<?= tohtml($value) ?>"
 									<?php if (!empty($v_shell) && $value == trim($v_shell, "''")): ?>
 										selected
 									<?php endif; ?>
 								>
-									<?= htmlentities($value) ?>
+									<?= tohtml($value) ?>
 								</option>
 							<?php endforeach; ?>
 						</select>
@@ -285,59 +285,59 @@
 			<?php if ($_SESSION['RESOURCES_LIMIT'] == 'yes') { ?>
 				<details class="collapse" id="system-resources-options">
 				<summary class="collapse-header">
-					<?= _("System Resources") ?>
+					<?= tohtml( _("System Resources")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
 						<label for="cfs_quota" class="form-label">
-							<?= _("CPU Quota (in %)") ?>
+							<?= tohtml( _("CPU Quota (in %)")) ?>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_cpu_quota" id="v_cpu_quota" value="<?= htmlentities(trim($v_cpu_quota, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_cpu_quota" id="v_cpu_quota" value="<?= tohtml(trim($v_cpu_quota, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
-						<small class="form-text text-muted"><?= _("CPUQuota=20% ensures that the executed processes will never get more than 20% CPU time on one CPU.") ?></small>
+						<small class="form-text text-muted"><?= tohtml( _("CPUQuota=20% ensures that the executed processes will never get more than 20% CPU time on one CPU.")) ?></small>
 					</div>
 
 					<div class="u-mb10">
 						<label for="cfs_period" class="form-label">
-							<?= _("CPU Quota Period (in ms for milliseconds or s for seconds.)") ?>
+							<?= tohtml( _("CPU Quota Period (in ms for milliseconds or s for seconds.)")) ?>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_cpu_quota_period" id="v_cpu_quota_period" value="<?= htmlentities(trim($v_cpu_quota_period, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_cpu_quota_period" id="v_cpu_quota_period" value="<?= tohtml(trim($v_cpu_quota_period, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
-						<small class="form-text text-muted"><?= _("CPUQuotaPeriodSec=10ms to request that the CPU quota is measured in periods of 10ms.") ?></small>
+						<small class="form-text text-muted"><?= tohtml( _("CPUQuotaPeriodSec=10ms to request that the CPU quota is measured in periods of 10ms.")) ?></small>
 					</div>
 
 					<div class="u-mb10">
 						<label for="memory_limit" class="form-label">
-							<?= _("Memory Limit (in bytes or with units like '2G')") ?>
+							<?= tohtml( _("Memory Limit (in bytes or with units like '2G')")) ?>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_memory_limit" id="v_memory_limit" value="<?= htmlentities(trim($v_memory_limit, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_memory_limit" id="v_memory_limit" value="<?= tohtml(trim($v_memory_limit, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
-						<small class="form-text text-muted"><?= _("Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively") ?></small>
+						<small class="form-text text-muted"><?= tohtml( _("Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively")) ?></small>
 					</div>
 
 					<div class="u-mb10">
 						<label for="swap_limit" class="form-label">
-							<?= _("Swap Limit (in bytes or with units like '2G')") ?>
+							<?= tohtml( _("Swap Limit (in bytes or with units like '2G')")) ?>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_swap_limit" id="v_swap_limit" value="<?= htmlentities(trim($v_swap_limit, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_swap_limit" id="v_swap_limit" value="<?= tohtml(trim($v_swap_limit, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
-						<small class="form-text text-muted"><?= _("Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively") ?></small>
+						<small class="form-text text-muted"><?= tohtml( _("Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively")) ?></small>
 					</div>
 				</div>
 			</details>
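Review bot: The name-server inputs beyond `v_ns1`/`v_ns2` are rendered by the include on line 284 (`extra-ns-fields.php`), which this diff does not touch, so the encoding added on the `v_ns1`/`v_ns2` lines is only complete if that include applies `tohtml()` to `v_ns3`..`v_ns8` as well — worth confirming, or covering in a follow-up chunk of #5245. Separately, the closing `<?=""; }?>` tags were cleaned up to `<?php } ?>`, but the matching opening tags still carry a no-op `echo "";`; `<?php if (!empty($_SESSION['WEB_BACKEND'])) { ?>` (and the same for `PROXY_SYSTEM`) reads cleaner. The re-indented `<option>` and `<label>` blocks now sit one level deeper than their sibling `<select>` elements, which adds diff noise without changing output; aligning them with the surrounding markup would keep future diffs focused on the encoding change itself.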

+ 20 - 20
web/templates/pages/edit_server_nginx.php

@@ -3,15 +3,15 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/edit/server/php/" class="button button-secondary">
-				<i class="fas fa-pencil icon-orange"></i><?= _("Configure") ?> PHP
+				<i class="fas fa-pencil icon-orange"></i><?= tohtml( _("Configure")) ?> PHP
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -21,73 +21,73 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="js-basic-options">
 				<div class="u-mb10">
 					<label for="v_worker_processes" class="form-label">worker_processes</label>
-					<input type="text" class="form-control" data-regexp="worker_processes" data-prev-value="<?= htmlentities($v_worker_processes) ?>" name="v_worker_processes" id="v_worker_processes" value="<?= htmlentities($v_worker_processes) ?>">
+					<input type="text" class="form-control" data-regexp="worker_processes" data-prev-value="<?= tohtml($v_worker_processes) ?>" name="v_worker_processes" id="v_worker_processes" value="<?= tohtml($v_worker_processes) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_worker_connections" class="form-label">worker_connections</label>
-					<input type="text" class="form-control" data-regexp="worker_connections" data-prev-value="<?= htmlentities($v_worker_connections) ?>" name="v_worker_connections" id="v_worker_connections" value="<?= htmlentities($v_worker_connections) ?>">
+					<input type="text" class="form-control" data-regexp="worker_connections" data-prev-value="<?= tohtml($v_worker_connections) ?>" name="v_worker_connections" id="v_worker_connections" value="<?= tohtml($v_worker_connections) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_client_max_body_size" class="form-label">client_max_body_size</label>
-					<input type="text" class="form-control" data-regexp="client_max_body_size" data-prev-value="<?= htmlentities($v_client_max_body_size) ?>" name="v_client_max_body_size" id="v_client_max_body_size" value="<?= htmlentities($v_client_max_body_size) ?>">
+					<input type="text" class="form-control" data-regexp="client_max_body_size" data-prev-value="<?= tohtml($v_client_max_body_size) ?>" name="v_client_max_body_size" id="v_client_max_body_size" value="<?= tohtml($v_client_max_body_size) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_send_timeout" class="form-label">send_timeout</label>
-					<input type="text" class="form-control" data-regexp="send_timeout" data-prev-value="<?= htmlentities($v_send_timeout) ?>" name="v_send_timeout" id="v_send_timeout" value="<?= htmlentities($v_send_timeout) ?>">
+					<input type="text" class="form-control" data-regexp="send_timeout" data-prev-value="<?= tohtml($v_send_timeout) ?>" name="v_send_timeout" id="v_send_timeout" value="<?= tohtml($v_send_timeout) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_proxy_connect_timeout" class="form-label">proxy_connect_timeout</label>
-					<input type="text" class="form-control" data-regexp="proxy_connect_timeout" data-prev-value="<?= htmlentities($v_proxy_connect_timeout) ?>" name="v_proxy_connect_timeout" id="v_proxy_connect_timeout" value="<?= htmlentities($v_proxy_connect_timeout) ?>">
+					<input type="text" class="form-control" data-regexp="proxy_connect_timeout" data-prev-value="<?= tohtml($v_proxy_connect_timeout) ?>" name="v_proxy_connect_timeout" id="v_proxy_connect_timeout" value="<?= tohtml($v_proxy_connect_timeout) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_proxy_send_timeout" class="form-label">proxy_send_timeout</label>
-					<input type="text" class="form-control" data-regexp="proxy_send_timeout" data-prev-value="<?= htmlentities($v_proxy_send_timeout) ?>" name="v_proxy_send_timeout" id="v_proxy_send_timeout" value="<?= htmlentities($v_proxy_send_timeout) ?>">
+					<input type="text" class="form-control" data-regexp="proxy_send_timeout" data-prev-value="<?= tohtml($v_proxy_send_timeout) ?>" name="v_proxy_send_timeout" id="v_proxy_send_timeout" value="<?= tohtml($v_proxy_send_timeout) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_proxy_read_timeout" class="form-label">proxy_read_timeout</label>
-					<input type="text" class="form-control" data-regexp="proxy_read_timeout" data-prev-value="<?= htmlentities($v_proxy_read_timeout) ?>" name="v_proxy_read_timeout" id="v_proxy_read_timeout" value="<?= htmlentities($v_proxy_read_timeout) ?>">
+					<input type="text" class="form-control" data-regexp="proxy_read_timeout" data-prev-value="<?= tohtml($v_proxy_read_timeout) ?>" name="v_proxy_read_timeout" id="v_proxy_read_timeout" value="<?= tohtml($v_proxy_read_timeout) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_gzip" class="form-label">gzip</label>
-					<input type="text" class="form-control" data-regexp="gzip" data-prev-value="<?= htmlentities($v_gzip) ?>" name="v_gzip" id="v_gzip" value="<?= htmlentities($v_gzip) ?>">
+					<input type="text" class="form-control" data-regexp="gzip" data-prev-value="<?= tohtml($v_gzip) ?>" name="v_gzip" id="v_gzip" value="<?= tohtml($v_gzip) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_gzip_comp_level" class="form-label">gzip_comp_level</label>
-					<input type="text" class="form-control" data-regexp="gzip_comp_level" data-prev-value="<?= htmlentities($v_gzip_comp_level) ?>" name="v_gzip_comp_level" id="v_gzip_comp_level" value="<?= htmlentities($v_gzip_comp_level) ?>">
+					<input type="text" class="form-control" data-regexp="gzip_comp_level" data-prev-value="<?= tohtml($v_gzip_comp_level) ?>" name="v_gzip_comp_level" id="v_gzip_comp_level" value="<?= tohtml($v_gzip_comp_level) ?>">
 				</div>
 				<div class="u-mb20">
 					<label for="v_charset" class="form-label">charset</label>
-					<input type="text" class="form-control" data-regexp="charset" data-prev-value="<?= htmlentities($v_charset) ?>" name="v_charset" id="v_charset" value="<?= htmlentities($v_charset) ?>">
+					<input type="text" class="form-control" data-regexp="charset" data-prev-value="<?= tohtml($v_charset) ?>" name="v_charset" id="v_charset" value="<?= tohtml($v_charset) ?>">
 				</div>
 				<div class="u-mb20">
 					<button type="button" class="button button-secondary js-toggle-options">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 				</div>
 			</div>
 			<div class="js-advanced-options <?php if (empty($v_adv)) echo 'u-hidden'; ?>">
 				<div class="u-mb20">
 					<button type="button" class="button button-secondary js-toggle-options">
-						<?= _("Basic Options") ?>
+						<?= tohtml( _("Basic Options")) ?>
 					</button>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-					<textarea class="form-control u-min-height600 u-allow-resize u-console js-advanced-textarea" name="v_config" id="v_config"><?= $v_config ?></textarea>
+					<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+					<textarea class="form-control u-min-height600 u-allow-resize u-console js-advanced-textarea" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 				</div>
 				<div class="form-check">
 					<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 					<label for="v_restart">
-						<?= _("Restart") ?>
+						<?= tohtml( _("Restart")) ?>
 					</label>
 				</div>
 			</div>
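Review bot: The `<textarea>` on the new side now passes `$v_config` through `tohtml()` before it is posted back and written to the nginx configuration, so the helper's handling of malformed input matters here: `htmlspecialchars()` and `htmlentities()` return an empty string for invalid UTF-8 unless `ENT_SUBSTITUTE` (or `ENT_IGNORE`) is set, in which case a single stray non-UTF-8 byte in the config file would render an empty editor and a Save would overwrite the file with nothing. `tohtml()` is defined outside this diff, so this is a check rather than a confirmed defect; it should be equivalent to `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same concern applies to the `data-prev-value` attributes, which the client-side code presumably compares against the submitted value. A one-line comment above the textarea, `<?php /* encoded for display only; the browser decodes entities before submit */ ?>`, would make the round-trip intent clear to the next reader.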