
Add missing HTML/url encoding (5245-chunk7) (#5252)

* Add missing HTML/url encoding (5245-chunk7)
There were reports that some missing HTML encoding could lead to XSS/JavaScript injection.

Reviewable chunk of #5245 , which grew too large.
divinity76 2 недель назад
Родитель
Сommit
0b63cdd8f3
2 измененных файлов с 118 добавлено и 118 удалено
  1. 30 30
      web/templates/pages/add_dns.php
  2. 88 88
      web/templates/pages/list_web.php

+ 30 - 30
web/templates/pages/add_dns.php

@@ -3,13 +3,13 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/dns/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
 				<button type="submit" class="button" form="main-form">
-					<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+					<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 				</button>
 			<?php } ?>
 		</div>
@@ -21,54 +21,54 @@
 
 	<form
 		x-data="{
-			showAdvanced: <?= empty($v_adv) ? "false" : "true" ?>
+			showAdvanced: <?= tohtml(empty($v_adv) ? "false" : "true") ?>
 		}"
 		id="main-form"
 		name="v_add_dns"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add DNS Zone") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add DNS Zone")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<?php if ($_SESSION["role"] == "admin" && $accept !== "true") { ?>
 				<div class="alert alert-danger" role="alert">
 					<i class="fas fa-exclamation"></i>
-					<p><?= htmlify_trans(sprintf(_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."), _('a dns domain')), '</a>', '<a href="/add/user/">'); ?></p>
+					<p><?= htmlify_trans(sprintf(_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."), _('a dns domain')), '</a>', '<a href="/add/user/">') ?></p>
 				</div>
 			<?php } ?>
 			<?php if ($_SESSION["role"] == "admin" && empty($accept)) { ?>
 				<div class="u-side-by-side u-mt20">
-					<a href="/add/user/" class="button u-width-full u-mr10"><?= _("Add User") ?></a>
-					<a href="/add/dns/?accept=true" class="button button-danger u-width-full u-ml10"><?= _("Continue") ?></a>
+					<a href="/add/user/" class="button u-width-full u-mr10"><?= tohtml( _("Add User")) ?></a>
+					<a href="/add/dns/?<?= tohtml(http_build_query(["accept" => 'true'])) ?>" class="button button-danger u-width-full u-ml10"><?= tohtml( _("Continue")) ?></a>
 				</div>
 			<?php } ?>
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
 				<div class="u-mb10">
-					<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-					<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" required>
+					<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+					<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" required>
 				</div>
 				<div class="u-mb10">
-					<label for="v_ip" class="form-label"><?= _("IP Address") ?></label>
+					<label for="v_ip" class="form-label"><?= tohtml( _("IP Address")) ?></label>
 					<div class="u-pos-relative">
 						<select class="form-select" tabindex="-1" onchange="this.nextElementSibling.value=this.value">
 							<option value="">clear</option>
-							<?php
-								foreach ($v_ips as $ip => $value) {
-									$display_ip = empty($value['NAT']) ? $ip : "{$value['NAT']}";
-									echo "<option value='{$display_ip}'>" . htmlentities($display_ip) . "</option>\n";
-								}
-							?>
-						</select>
-						<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>">
+								<?php
+									foreach ($v_ips as $ip => $value) {
+										$display_ip = empty($value['NAT']) ? $ip : "{$value['NAT']}";
+										echo "<option value=\"" . tohtml($display_ip) . "\">" . tohtml($display_ip) . "</option>\n";
+									}
+								?>
+							</select>
+						<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>">
 					</div>
 				</div>
 				<?php if ($_SESSION["userContext"] === "admin" || ($_SESSION["userContext"] === "user" && $_SESSION["POLICY_USER_EDIT_DNS_TEMPLATES"] === "yes")) { ?>
 					<div class="u-mb10">
 						<label for="v_template" class="form-label">
-							<?= _("Template") . "<span class='optional'>" . strtoupper($_SESSION["DNS_SYSTEM"]) . "</span>" ?>
+							<?= tohtml( _("Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["DNS_SYSTEM"])) ?></span>
 						</label>
 						<select class="form-select" name="v_template" id="v_template">
 							<?php
@@ -86,7 +86,7 @@
 				<?php } ?>
 				<div class="u-mb20 u-mt20">
 					<button x-on:click="showAdvanced = !showAdvanced" type="button" class="button button-secondary">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 				</div>
 				<div x-cloak x-show="showAdvanced" id="advtable">
@@ -94,30 +94,30 @@
 						<div class="form-check u-mb10">
 							<input class="form-check-input" type="checkbox" name="v_dnssec" id="v_dnssec" value="yes" <?php if ($v_dnssec === 'yes'){ echo ' checked'; } ?>>
 							<label for="v_dnssec">
-								<?= _("Enable DNSSEC") ?>
+								<?= tohtml( _("Enable DNSSEC")) ?>
 							</label>
 						</div>
 					<?php } ?>
 					<div class="u-mb10">
 						<label for="v_exp" class="form-label">
-							<?= _("Expiration Date") ?> <span class="optional">(<?= _("YYYY-MM-DD") ?>)</span>
+							<?= tohtml( _("Expiration Date")) ?> <span class="optional">(<?= tohtml( _("YYYY-MM-DD")) ?>)</span>
 						</label>
-						<input type="text" class="form-control" name="v_exp" id="v_exp" value="<?= htmlentities(trim($v_exp, "'")) ?>">
+						<input type="text" class="form-control" name="v_exp" id="v_exp" value="<?= tohtml(trim($v_exp, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_ttl" class="form-label"><?= _("TTL") ?></label>
-						<input type="text" class="form-control" name="v_ttl" id="v_ttl" value="<?= htmlentities(trim($v_ttl, "'")) ?>">
+						<label for="v_ttl" class="form-label"><?= tohtml( _("TTL")) ?></label>
+						<input type="text" class="form-control" name="v_ttl" id="v_ttl" value="<?= tohtml(trim($v_ttl, "'")) ?>">
 					</div>
-					<p class="form-label u-mb10"><?= _("Name Servers") ?></p>
+					<p class="form-label u-mb10"><?= tohtml( _("Name Servers")) ?></p>
 					<div class="u-mb5">
-						<input type="text" class="form-control" name="v_ns1" value="<?= htmlentities(trim($v_ns1, "'")) ?>">
+						<input type="text" class="form-control" name="v_ns1" value="<?= tohtml(trim($v_ns1, "'")) ?>">
 					</div>
 					<div class="u-mb5">
-						<input type="text" class="form-control" name="v_ns2" value="<?= htmlentities(trim($v_ns2, "'")) ?>">
+						<input type="text" class="form-control" name="v_ns2" value="<?= tohtml(trim($v_ns2, "'")) ?>">
 					</div>
 					<?php require $_SERVER["HESTIA"] . "/web/templates/includes/extra-ns-fields.php"; ?>
 					<button type="button" class="form-link u-mt20 js-add-ns" <?php if ($v_ns8) echo 'style="display:none;"'; ?>>
-						<?= _("Add Name Server") ?>
+						<?= tohtml( _("Add Name Server")) ?>
 					</button>
 				</div>
 			<?php } ?>
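Review bot: The `foreach` that renders the IP `<option>` list in the second hunk, together with its `</select>`, has been re-indented one tab deeper than the opening `<select` on the unchanged context line above it, so the closing tag no longer aligns with its opening tag; this is a whitespace-only change that inflates a security-motivated diff and makes the actual encoding fix harder to audit. Keep the original indentation and change only the echo line, `echo "<option value=\"" . tohtml($display_ip) . "\">" . tohtml($display_ip) . "</option>\n";`. Routing every `_()` result through `tohtml` assumes translations are plain text, which is the right default, but any translation that already contains markup or entities will now render literally; the `htmlify_trans` line is correctly left unwrapped because it emits markup itself, and a short comment at the first wrapped call, `<?php /* translations are escaped as plain text; markup must go through htmlify_trans() */ ?>`, would record that convention for the other templates in #5245.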

+ 88 - 88
web/templates/pages/list_web.php

@@ -4,52 +4,52 @@
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
 				<a href="/add/web/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add Web Domain") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Web Domain")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
-						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = ('Name'); } else { $label = _('Date'); } ?>
-						<?= $label?> <i class="fas fa-arrow-down-a-z"></i>
+							<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-bandwidth" data-sort-as-int="1">
-						<span class="name"><?= _("Bandwidth") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Bandwidth")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-disk" data-sort-as-int="1">
-						<span class="name"><?= _("Disk") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Disk")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-ip" data-sort-as-int="1">
-						<span class="name"><?= _("IP Address") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("IP Address")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
 					<form x-data x-bind="BulkEdit" action="/bulk/web/" method="post">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
 							<?php if ($_SESSION["userContext"] === "admin") { ?>
-								<option value="rebuild"><?= _("Rebuild") ?></option>
+								<option value="rebuild"><?= tohtml( _("Rebuild")) ?></option>
 							<?php } ?>
-							<option value="suspend"><?= _("Suspend") ?></option>
-							<option value="unsuspend"><?= _("Unsuspend") ?></option>
+							<option value="suspend"><?= tohtml( _("Suspend")) ?></option>
+							<option value="unsuspend"><?= tohtml( _("Unsuspend")) ?></option>
 							<?php if ($_SESSION["PROXY_SYSTEM"] == "nginx" || $_SESSION["WEB_SYSTEM"] == "nginx") { ?>
-								<option value="purge"><?= _("Purge Nginx Cache") ?></option>
+								<option value="purge"><?= tohtml( _("Purge Nginx Cache")) ?></option>
 							<?php } ?>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
@@ -57,9 +57,9 @@
 			</div>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_GET['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
@@ -71,20 +71,20 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Web Domains") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Web Domains")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
-			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
-			</div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
+				<div class="units-table-cell">
+					<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>"<?= $display_mode === "disabled" ? " disabled" : "" ?>>
+				</div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("IP Address") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Disk") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Bandwidth") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("SSL") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Statistics") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("IP Address")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Disk")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Bandwidth")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("SSL")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Statistics")) ?></div>
 		</div>
 
 		<!-- Begin web domain list item loop -->
@@ -189,21 +189,21 @@
 				$vstats_scheme = $has_ssl ? 'https' : 'http';
 			?>
 			<div class="units-table-row <?php if ($data[$key]['SUSPENDED'] == 'yes') echo 'disabled'; ?> js-unit"
-				data-sort-ip="<?= str_replace(".", "", $data[$key]["IP"]) ?>"
-				data-sort-date="<?= strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"]) ?>"
-				data-sort-name="<?= $key ?>"
-				data-sort-bandwidth="<?= $data[$key]["U_BANDWIDTH"] ?>"
-				data-sort-disk="<?= $data[$key]["U_DISK"] ?>">
+				data-sort-ip="<?= tohtml(str_replace(".", "", $data[$key]["IP"])) ?>"
+				data-sort-date="<?= tohtml(strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"])) ?>"
+				data-sort-name="<?= tohtml($key) ?>"
+				data-sort-bandwidth="<?= tohtml($data[$key]["U_BANDWIDTH"]) ?>"
+				data-sort-disk="<?= tohtml($data[$key]["U_DISK"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="domain[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="domain[]" value="<?= tohtml($key) ?>"<?= $display_mode === "disabled" ? " disabled" : "" ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Name") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Name")) ?>:</span>
 					<?php if ($read_only === "true") { ?>
-						<?= $key ?>
+						<?= tohtml($key) ?>
 					<?php } else {
 						$aliases = explode(',', $data[$key]['ALIAS']);
 						$alias_new = array();
@@ -213,16 +213,16 @@
 							}
 						}
 						?>
-						<a href="/edit/web/?domain=<?= $key ?>&token=<?= $_SESSION['token'] ?>" title="<?= _("Edit Domain") ?>: <?= $key ?>">
-							<?= $key ?>
-							<?php
-								if (!empty($alias_new) && !empty($data[$key]['ALIAS'])) {
-									$aliases = implode(', ', $alias_new);
-									echo "<p class='hint u-max-width300 u-text-truncate'>($aliases)</p>";
-								}
-							?>
-						</a>
-					<?php } ?>
+						<a href="/edit/web/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("Edit Domain")) ?>: <?= tohtml($key) ?>">
+							<?= tohtml($key) ?>
+								<?php
+									if (!empty($alias_new) && !empty($data[$key]['ALIAS'])) {
+										$aliases = implode(', ', $alias_new);
+										echo "<p class='hint u-max-width300 u-text-truncate'>(" . tohtml($aliases) . ")</p>";
+									}
+								?>
+							</a>
+						<?php } ?>
 				</div>
 				<div class="units-table-cell">
 					<ul class="units-table-row-actions">
@@ -230,26 +230,26 @@
 							<li class="units-table-row-action shortcut-w" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="<?= $vstats_scheme ?>://<?= $key ?>/vstats/"
+									href="<?= tohtml($vstats_scheme) ?>://<?= tohtml($key) ?>/vstats/"
 									target="_blank"
 									rel="noopener"
-									title="<?= _("Statistics") ?>"
+									title="<?= tohtml( _("Statistics")) ?>"
 								>
 									<i class="fas fa-chart-bar icon-maroon"></i>
-									<span class="u-hide-desktop"><?= _("Statistics") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Statistics")) ?></span>
 								</a>
 							</li>
 						<?php } ?>
 						<li class="units-table-row-action" data-key-action="href">
 							<a
 								class="units-table-row-action-link"
-								href="http://<?= $key ?>/"
+								href="http://<?= tohtml($key) ?>/"
 								target="_blank"
 								rel="noopener"
-								title="<?= _("Visit") ?>"
+								title="<?= tohtml( _("Visit")) ?>"
 							>
 								<i class="fas fa-square-up-right icon-lightblue"></i>
-								<span class="u-hide-desktop"><?= _("Visit") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Visit")) ?></span>
 							</a>
 						</li>
 						<?php if ($read_only !== "true") { ?>
@@ -257,90 +257,90 @@
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/edit/web/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Edit Domain") ?>"
+										href="/edit/web/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Edit Domain")) ?>"
 									>
 										<i class="fas fa-pencil icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Edit Domain") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Edit Domain")) ?></span>
 									</a>
 								</li>
 								<li class="units-table-row-action" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/download/site/?site=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Download Site") ?>"
+										href="/download/site/?<?= tohtml(http_build_query(["site" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Download Site")) ?>"
 									>
 										<i class="fas fa-download icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Download Site") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Download Site")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
 							<li class="units-table-row-action shortcut-l" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="/list/web-log/?domain=<?= $key ?>&type=access#"
-									title="<?= _("View Logs") ?>"
+									href="/list/web-log/?<?= tohtml(http_build_query(["domain" => $key, "type" => "access"])) ?>#"
+									title="<?= tohtml( _("View Logs")) ?>"
 								>
 									<i class="fas fa-binoculars icon-purple"></i>
-									<span class="u-hide-desktop"><?= _("View Logs") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("View Logs")) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-s" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/<?= $spnd_action ?>/web/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= $spnd_action_title ?>"
-									data-confirm-title="<?= $spnd_action_title ?>"
-									data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+									href="/<?= tohtml($spnd_action) ?>/web/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 								>
-									<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-									<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+									<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+									<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/web/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete domain %s?"), $key) ?>"
+									href="/delete/web/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete domain %s?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						<?php } ?>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("IP Address") ?>:</span>
-					<?= empty($ips[$data[$key]["IP"]]["NAT"]) ? $data[$key]["IP"] : "{$ips[$data[$key]["IP"]]["NAT"]}" ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("IP Address")) ?>:</span>
+					<?= tohtml(empty($ips[$data[$key]["IP"]]["NAT"]) ? $data[$key]["IP"] : "{$ips[$data[$key]["IP"]]["NAT"]}") ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Disk") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Disk")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["U_DISK"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["U_DISK"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Bandwidth") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Bandwidth")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["U_BANDWIDTH"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["U_BANDWIDTH"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["U_BANDWIDTH"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["U_BANDWIDTH"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("SSL") ?>:</span>
-					<i class="fas <?= $icon_ssl ?>" title="<?= $title_ssl ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("SSL")) ?>:</span>
+					<i class="fas <?= tohtml($icon_ssl) ?>" title="<?= tohtml($title_ssl) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Statistics") ?>:</span>
-					<i class="fas <?= $icon_webstats ?>" title="<?= $title_webstats ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Statistics")) ?>:</span>
+					<i class="fas <?= tohtml($icon_webstats) ?>" title="<?= tohtml($title_webstats) ?>"></i>
 				</div>
 			</div>
 		<?php } ?>
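Review bot: `tohtml($_GET['q'] ?? '')` in the search box still breaks when the request carries `q` as an array (`?q[]=...`): the null-coalesce only covers the missing key, and an htmlspecialchars-style helper given an array throws a TypeError in PHP 8, so a malformed URL becomes a 500; guard the type, e.g. `value="<?= tohtml(is_string($_GET['q'] ?? null) ? $_GET['q'] : '') ?>"`. The same line switches the source from `$_POST['q']` to `$_GET['q']`, which matches the form's `method="get"` but is a behaviour change the commit message does not mention. In the row attributes, `tohtml(strtotime(...))` and `tohtml($i)` now pass an int (or `false` when DATE/TIME does not parse) to the helper; `tohtml` is not defined in this diff, so if it declares a `string` parameter under `strict_types` that is a TypeError, and an explicit cast such as `tohtml((string) strtotime(...))` would make the intent and the `false` → `""` case visible. The two `$display_mode === "disabled" ? " disabled" : ""` checks assume `$display_mode` is exactly the string `disabled`; its assignment is outside this hunk, so verify it is not set to a full attribute string elsewhere, otherwise the read-only checkboxes silently stop being disabled.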