
Staging/1.5.9 (#2443)

* Prepare Release of 1.5.9
* Update translations
* Update versions
* Remove Vesta Filemanger list directory

* Small bugs due to xss changes
* Typo in function name...
* And remove not needed line
* Fix linting error
* Fix mysql error in installer
* Fix error in push to apt script
* Fix multiple more issues
* Consolidate upgrade messages and include version for third party software. (#2435)
* Fix bug with $user and escapeshellarg breaking certain features
* Update changelogs

Co-authored-by: Raphael Schneeberger <rs@scit.ch>
Jaap Marcus vor 4 Jahren
30abfa85f3

+ 2 - 2
.drone.yml

@@ -160,7 +160,7 @@ steps:
         port: 22
         command_timeout: 2m
         script:
-            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/strech apt/buster apt/bullseye
+            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/stretch apt/buster apt/bullseye
             - freight-cache
             - rm -fr ./hestia/
   
@@ -169,4 +169,4 @@ trigger:
 
 ---
 kind: signature
-hmac: 31806a1e5357c43d17d24ef797995fb9952a1d883ad282fd152d7d0378112213
+hmac: 07f845f902f859c97c78a346d340f7fb8d4b1242581a242e592b149c13428f50

+ 14 - 0
CHANGELOG.md

@@ -1,6 +1,20 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.5.9] - Service release
+
+### Bugfixes
+
+- Fixed multiple XSS vulnerabilities in the web user interface. [CVE-2022-0752](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0752) / [CVE-2022-0753](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0753)
+- Fixed an issues with mariadb.sys user didn't work properly on MariaDB 10.6.x installs #2427
+- Change ipverse.net urls to new format hosted on Github #2429 and forum
+- Allow PTR to be used on domain.com 
+
+### Dependencies
+
+- Update PHPMailer to 6.6.0 (https://github.com/PHPMailer/PHPMailer/releases/tag/v6.6.0)
+- Update Filegator to 7.7.2 (https://github.com/filegator/filegator/releases/tag/v7.7.2)
+
 ## [1.5.8] - Service release
 
 ### Features

+ 6 - 6
func/upgrade.sh

@@ -556,7 +556,7 @@ upgrade_b2_tool(){
         if version_ge "$b2_version" "$b2_v"; then
             echo "[ * ] Backblaze CLI tool is up to date ($b2_v)..."
         else
-            echo "[ * ] Upgrading Backblaze CLI tool to version v$b2_v..."
+            echo "[ * ] Upgrading Backblaze CLI tool to version $b2_v..."
             rm $b2cli
             wget -O $b2cli $b2lnk > /dev/null 2>&1
             chmod +x $b2cli > /dev/null 2>&1
@@ -581,7 +581,7 @@ upgrade_phpmyadmin() {
             fi
         else
             # Display upgrade information
-            echo "[ * ] Upgrading phpMyAdmin to version v$pma_v..."
+            echo "[ * ] Upgrading phpMyAdmin to version $pma_v..."
             [ -d /usr/share/phpmyadmin ] || mkdir -p /usr/share/phpmyadmin
 
             # Download latest phpMyAdmin release
@@ -629,7 +629,7 @@ upgrade_filemanager() {
             fm_version="1.0.0"
         fi
         if [ "$fm_version" != "$fm_v" ]; then 
-            echo "[ ! ] Updating File Manager..."
+            echo "[ ! ] Upgrading File Manager to version $fm_v..."
             # Reinstall the File Manager
             $HESTIA/bin/v-delete-sys-filemanager quiet yes
             $HESTIA/bin/v-add-sys-filemanager quiet
@@ -657,7 +657,7 @@ upgrade_roundcube(){
         else
             rc_version=$(cat /var/lib/roundcube/index.php | grep -o -E '[0-9].[0-9].[0-9]+' | head -1);
             if [ "$rc_version" != "$rc_v" ]; then
-                echo "[ ! ] Upgrading Roundcube to version v$rc_v..."
+                echo "[ ! ] Upgrading Roundcube to version $rc_v..."
                 $HESTIA/bin/v-add-sys-roundcube
             else
                 echo "[ * ] Roundcube is up to date ($rc_v)..."
@@ -670,7 +670,7 @@ upgrade_rainloop(){
     if [ -n "$(echo "$WEBMAIL_SYSTEM" | grep -w 'rainloop')" ]; then
         rl_version=$(cat /var/lib/rainloop/data/VERSION);
         if [ "$rl_version" != "$rl_v" ]; then
-            echo "[ ! ] Upgrading Rainloop to version v$rl_v..."
+            echo "[ ! ] Upgrading Rainloop to version $rl_v..."
             $HESTIA/bin/v-add-sys-rainloop
         else
             echo "[ * ] Rainloop is up to date ($rl_v)..."
@@ -685,7 +685,7 @@ upgrade_phpmailer(){
     fi
     phpm_version=$(cat $HESTIA/web/inc/vendor/phpmailer/phpmailer/VERSION);
     if [ "$phpm_version" != "$pm_v" ]; then
-    echo "[ ! ] Upgrading PHPmailer..."
+    echo "[ ! ] Upgrading PHPmailer to version $pm_v..."
         $HESTIA/bin/v-add-sys-phpmailer
     else
         echo "[ * ] PHPmailer is up to date ($pm_v)..."

+ 2 - 2
install/hst-install-debian.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.9~alpha'
+HESTIA_INSTALL_VER='1.5.9'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1532,7 +1532,7 @@ if [ "$mysql" = 'yes' ]; then
     mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
     # Drop test database
     mysql -e "DROP DATABASE IF EXISTS test"
-    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%"
+    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
     
     mysql -e "FLUSH PRIVILEGES;"
 fi
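Review bot: The repaired statement `mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"` still compares with `=`, so `test\_%` is matched as a literal database name and grant rows for names such as `test_foo` stay in `mysql.db`; the wildcard only takes effect as `Db LIKE 'test\\_%'`. The identical line is repeated in the second hunk of install/hst-install-ubuntu.sh and should be fixed there as well. The enclosing `if [ "$mysql" = 'yes' ]` block starts outside the hunk.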

+ 2 - 2
install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.9~alpha'
+HESTIA_INSTALL_VER='1.5.9'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1551,7 +1551,7 @@ if [ "$mysql" = 'yes' ]; then
     mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
     # Drop test database
     mysql -e "DROP DATABASE IF EXISTS test"
-    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%"
+    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
     
     mysql -e "FLUSH PRIVILEGES;"
 fi

+ 2 - 0
install/upgrade/manual/migrate_ngnix_apache_nginx-php-fpm.sh

@@ -8,6 +8,8 @@
 #----------------------------------------------------------#
 
 # Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
 # shellcheck source=/usr/local/hestia/func/main.sh
 source $HESTIA/func/main.sh
 # shellcheck source=/usr/local/hestia/conf/hestia.conf
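Review bot: `source /etc/hestiacp/hestia.conf` is unguarded, so on a host where that file is missing the script continues with `$HESTIA` unset and the following line sources `/func/main.sh`; a check such as `[ -r /etc/hestiacp/hestia.conf ] || { echo "/etc/hestiacp/hestia.conf not found" >&2; exit 1; }` placed before the new source line fails early with a clear message instead. The pre-existing `source $HESTIA/func/main.sh` also expands the variable unquoted; `source "$HESTIA/func/main.sh"` is the safer form.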

+ 2 - 2
install/upgrade/upgrade.conf

@@ -50,10 +50,10 @@ rl_v='1.16.0'
 # UPGRADE_UPDATE_FILEMANAGER_CONFIG: Updates only the configuration file if changes are made but now new issue has been issued!
 UPGRADE_UPDATE_FILEMANAGER_CONFIG='false'
 # Set version of File manager to update during upgrade if not already installed
-fm_v='7.7.1'
+fm_v='7.7.2'
 
 # Set version of PHPMailer to update during upgrade if not already installed
-pm_v='6.5.3'
+pm_v='6.6.0'
 
 # Backblaze
 b2_v='3.2.0'

+ 1 - 1
src/deb/hestia/control

@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.5.9~alpha
+Version: 1.5.9
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

+ 1 - 1
web/add/db/index.php

@@ -115,7 +115,7 @@ if (!empty($_POST['ok'])) {
         $hostname = exec('hostname');
         $from = "noreply@".$hostname;
         $from_name = _('Hestia Control Panel');
-        $mailtext = sprintf(_('DATABASE_READY'), $user."_".$_POST['v_database'], $user."_".$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
+        $mailtext = sprintf(_('DATABASE_READY'), $user_plain."_".$_POST['v_database'], $user_plain."_".$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
         send_email($to, $subject, $mailtext, $from, $from_name);
     }
 

+ 1 - 3
web/add/key/index.php

@@ -16,11 +16,9 @@ if (!empty($_POST['ok'])) {
     }
 
     if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-        $user = $_GET['user'];
+        $user = escapeshellarg($_GET['user']);
     }
 
-    $user = escapeshellarg($user);
-
     if (!$_SESSION['error_msg']) {
         if ($_POST) {
             //key if key already exists
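Review bot: With the unconditional `$user = escapeshellarg($user);` removed, the non-admin path now uses `$user` exactly as inc/main.php provides it, so this file is only correct if main.php already shell-escapes `$user` (the rest of this commit suggests so, but it is not visible here); a comment such as `// $user arrives shell-escaped from inc/main.php; only the admin override needs escaping` above the `if` would record that assumption. The admin check here tests `$_SESSION['userContext'] === 'admin'` while web/add/webapp/index.php in this same commit tests `$_SESSION['user'] == 'admin'`; the two files should agree on which session key decides admin context. The enclosing `if (!empty($_POST['ok']))` starts outside the hunk.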

+ 4 - 11
web/add/mail/index.php

@@ -5,24 +5,17 @@ $TAB = 'MAIL';
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
-// Get all user domains
-exec(HESTIA_CMD."v-list-mail-domains ".escapeshellarg($user)." json", $output, $return_var);
-$user_domains = json_decode(implode('', $output), true);
-$user_domains = array_keys($user_domains);
-unset($output);
-
 exec(HESTIA_CMD."v-list-sys-webmail json", $output, $return_var);
 $webmail_clients = json_decode(implode('', $output), true);
 unset($output);
 
 $v_domain = $_GET['domain'];
 if (!empty($v_domain)) {
-    if (!in_array($v_domain, $user_domains)) {
-        header("Location: /list/mail/");
-        exit;
-    }
     // Set webmail alias
-    exec(HESTIA_CMD."v-list-mail-domain ".escapeshellarg($user)." ".escapeshellarg($v_domain)." json", $output, $return_var);
+    exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
+    if($return_var > 0){
+        check_return_code_redirect($return_var, $output, '/list/mail/');
+    }
     $data = json_decode(implode('', $output), true);
     unset($output);
     $v_webmail_alias = $data[$v_domain]['WEBMAIL_ALIAS'];
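Review bot: `if($return_var > 0){` at the new ownership check departs from the file's `if (...) {` spacing and wraps a call that web/edit/mail/index.php in this commit makes unconditionally, so one convention should be used in both places; `check_return_code_redirect($return_var, $output, '/list/mail/');` on its own reads the same if that helper is a no-op for a zero return code, which is not visible here. Ownership of `$v_domain` now rests entirely on `v-list-mail-domain` exiting non-zero for a domain the user does not own, an assumption about the backend worth a short comment at the exec line, e.g. `// backend rejects domains not owned by $user; redirect on any error`. The enclosing `if (!empty($v_domain))` closes outside the hunk.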

+ 14 - 17
web/add/web/index.php

@@ -75,9 +75,7 @@ if (!empty($_POST['ok'])) {
     $aliases_arr = array_filter($aliases_arr);
     $aliases = implode(",", $aliases_arr);
     $aliases = escapeshellarg($aliases);
-    if (empty($_POST['v_aliases'])) {
-        $aliases = 'none';
-    }
+
 
     // Define proxy extensions
     $v_proxy_ext = $_POST['v_proxy_ext'];
@@ -104,7 +102,7 @@ if (!empty($_POST['ok'])) {
     $v_stats_password = $data[$v_domain]['STATS_PASSWORD'];
     $v_custom_doc_domain = $_POST['v-custom-doc-domain'];
     $v_custom_doc_folder = $_POST['v-custom-doc-folder'];
-    $v_custom_doc_root_prepath = '/home/'.$user.'/web/';
+    $v_custom_doc_root_prepath = '/home/'.$user_plain.'/web/';
 
     $v_ftp = $_POST['v_ftp'];
     $v_ftp_user = $_POST['v_ftp_user'];
@@ -118,9 +116,9 @@ if (!empty($_POST['ok'])) {
     $user_config = json_decode(implode('', $output), true);
     unset($output);
 
-    $v_template = $user_config[$user]['TEMPLATE'];
-    $v_backend_template = $user_config[$user]['BACKEND_TEMPLATE'];
-    $v_proxy_template = $user_config[$user]['PROXY_TEMPLATE'];
+    $v_template = $user_config[$user_plain]['TEMPLATE'];
+    $v_backend_template = $user_config[$user_plain]['BACKEND_TEMPLATE'];
+    $v_proxy_template = $user_config[$user_plain]['PROXY_TEMPLATE'];
 
     // Set advanced option checkmark
     if (!empty($_POST['v_proxy'])) {
@@ -414,7 +412,7 @@ if (!empty($_POST['ok'])) {
                     }
                 }
 
-                $v_ftp_user_data['v_ftp_user'] = preg_replace("/^".$user."_/i", "", $v_ftp_user_data['v_ftp_user']);
+                $v_ftp_user_data['v_ftp_user'] = preg_replace("/^".$user_plain."_/i", "", $v_ftp_user_data['v_ftp_user']);
                 $v_ftp_username      = $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']);
@@ -433,7 +431,7 @@ if (!empty($_POST['ok'])) {
                         $subject = _("FTP login credentials");
                         $from = "noreply@".$v_domain;
                         $from_name = _('Hestia Control Panel');
-                        $mailtext = sprintf(_('FTP_ACCOUNT_READY'), $v_domain, $user, $v_ftp_user_data['v_ftp_user'], $v_ftp_user_data['v_ftp_password']);
+                        $mailtext = sprintf(_('FTP_ACCOUNT_READY'), $v_domain, $user_plain, $v_ftp_user_data['v_ftp_user'], $v_ftp_user_data['v_ftp_password']);
                         send_email($to, $subject, $mailtext, $from, $from_name);
                         unset($v_ftp_email);
                     }
@@ -486,9 +484,9 @@ if (!empty($_POST['ok'])) {
 }
 
 // Define user variables
-$v_ftp_user_prepath = $panel[$user]['HOME'] . "/web";
-$v_ftp_email = $panel[$user]['CONTACT'];
-$v_custom_doc_root_prepath = '/home/'.$user.'/web/';
+$v_ftp_user_prepath = $panel[$user_plain]['HOME'] . "/web";
+$v_ftp_email = $panel[$user_plain]['CONTACT'];
+$v_custom_doc_root_prepath = '/home/'.$user_plain.'/web/';
 
 if ($_POST['v_ssl_forcessl'] != 'no') {
     $v_ssl_forcessl = 'yes';
@@ -503,14 +501,13 @@ unset($output);
 exec(HESTIA_CMD."v-list-web-templates json", $output, $return_var);
 $templates = json_decode(implode('', $output), true);
 unset($output);
-$v_template = (!empty($_POST['v_template'])) ? $_POST['v_template'] : $user_config[$user]['WEB_TEMPLATE'];
-
+$v_template = (!empty($_POST['v_template'])) ? $_POST['v_template'] : $user_config[$user_plain]['WEB_TEMPLATE'];
 // List backend templates
 if (!empty($_SESSION['WEB_BACKEND'])) {
     exec(HESTIA_CMD."v-list-web-templates-backend json", $output, $return_var);
     $backend_templates = json_decode(implode('', $output), true);
     unset($output);
-    $v_backend_template = (!empty($_POST['v_backend_template'])) ? $_POST['v_backend_template'] : $user_config[$user]['BACKEND_TEMPLATE'];
+    $v_backend_template = (!empty($_POST['v_backend_template'])) ? $_POST['v_backend_template'] : $user_config[$user_plain]['BACKEND_TEMPLATE'];
 }
 
 // List proxy templates
@@ -518,7 +515,7 @@ if (!empty($_SESSION['PROXY_SYSTEM'])) {
     exec(HESTIA_CMD."v-list-web-templates-proxy json", $output, $return_var);
     $proxy_templates = json_decode(implode('', $output), true);
     unset($output);
-    $v_proxy_template = (!empty($_POST['v_proxy_template'])) ? $_POST['v_proxy_template'] : $user_config[$user]['PROXY_TEMPLATE'];
+    $v_proxy_template = (!empty($_POST['v_proxy_template'])) ? $_POST['v_proxy_template'] : $user_config[$user_plain]['PROXY_TEMPLATE'];
 }
 
 // List IP addresses
@@ -532,7 +529,7 @@ $stats = json_decode(implode('', $output), true);
 unset($output);
 
 // Get all user domains
-exec(HESTIA_CMD."v-list-web-domains ".escapeshellarg($user)." json", $output, $return_var);
+exec(HESTIA_CMD."v-list-web-domains ".$user." json", $output, $return_var);
 $user_domains = json_decode(implode('', $output), true);
 $user_domains = array_keys($user_domains);
 unset($output);
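Review bot: In the hunk at `@@ -414`, the FTP user is stripped with `$user_plain` but the very next line still builds `$v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];` from `$user`, which after this commit appears to be the shell-escaped form; if so the full FTP user name will carry quote characters and should use `$user_plain` as well. In the first hunk, dropping the `if (empty($_POST['v_aliases'])) { $aliases = 'none'; }` fallback means an empty alias field now reaches the backend as `''` instead of the `none` sentinel; whether the backend treats those identically is not visible here and should be confirmed before release. That removal also leaves two consecutive blank lines. The enclosing `if (!empty($_POST['ok']))` starts outside these hunks.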

+ 6 - 10
web/add/webapp/index.php

@@ -18,19 +18,15 @@ if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
     $user=escapeshellarg($_GET['user']);
 }
 
-// Get all user domains
-exec(HESTIA_CMD."v-list-web-domains ".escapeshellarg($user)." json", $output, $return_var);
-$user_domains = json_decode(implode('', $output), true);
-$user_domains = array_keys($user_domains);
-unset($output);
-
-// List domain
+// Check if domain belongs to the user
 $v_domain = $_GET['domain'];
-if (!in_array($v_domain, $user_domains)) {
-    header("Location: /list/web/");
-    exit;
+exec(HESTIA_CMD."v-list-web-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
+if ($return_var > 0){
+    check_return_code_redirect($return_var, $output, '/list/web/');
 }
 
+unset($output);
+
 // Check GET request
 if (!empty($_GET['app'])) {
     $app = basename($_GET['app']);
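Review bot: `$v_domain = $_GET['domain'];` is passed to the new `v-list-web-domain` call even when the parameter is absent, so a request without `domain` now shells out with an empty argument and relies on the backend rejecting it; an early `if (empty($v_domain)) { header("Location: /list/web/"); exit; }` before the exec preserves the behaviour of the removed `in_array` check without a backend round-trip. `if ($return_var > 0){` also lacks the space before the brace used elsewhere in the file. The pre-existing admin override just above the hunk tests `$_SESSION['user'] == 'admin'` whereas the other files in this commit test `$_SESSION['userContext'] === 'admin'`; the difference is worth aligning.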

+ 1 - 1
web/delete/mail/index.php

@@ -5,7 +5,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=scapeshellarg($user);
+    $user=escapeshellarg($user);
 }
 
 // Check token
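Review bot: The corrected line `$user=escapeshellarg($user);` escapes the session user rather than the requested one: the condition reads `$_GET['user']` but the body never assigns it, so an admin acting on another user's mail still operates on their own account, and if `$user` already arrives shell-escaped from inc/main.php (as the rest of this commit implies) it is now double-quoted. web/add/key/index.php in this commit uses `$user = escapeshellarg($_GET['user']);` for the same branch, which is the form intended here.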

+ 0 - 1
web/delete/notification/index.php

@@ -11,7 +11,6 @@ if ($_GET['delete'] == 1) {
     check_return_code($return_var, $output);
     unset($output);
 } else {
-    $v_username = escapeshellarg($user);
     $v_id = escapeshellarg((int)$_GET['notification_id']);
     exec(HESTIA_CMD."v-acknowledge-user-notification ".$user." ".$v_id, $output, $return_var);
     check_return_code($return_var, $output);

+ 4 - 4
web/edit/db/index.php

@@ -26,7 +26,7 @@ unset($output);
 
 // Parse database
 $v_username = $user;
-$v_dbuser =  preg_replace("/^".$user."_/", "", $data[$v_database]['DBUSER']);
+$v_dbuser =  preg_replace("/^".$user_plain."_/", "", $data[$v_database]['DBUSER']);
 $v_password = "";
 $v_host = $data[$v_database]['HOST'];
 $v_type = $data[$v_database]['TYPE'];
@@ -50,10 +50,10 @@ if (!empty($_POST['save'])) {
     // Change database user
     if (($v_dbuser != $_POST['v_dbuser']) && (empty($_SESSION['error_msg']))) {
         $v_dbuser = escapeshellarg($v_dbuser);
-        exec(HESTIA_CMD."v-change-database-user ".$v_username." ".escapeshellarg($v_database)." ".$v_dbuser, $output, $return_var);
+        exec(HESTIA_CMD."v-change-database-user ".$user." ".escapeshellarg($v_database)." ".$v_dbuser, $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
-        $v_dbuser = $user."_".preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);
+        $v_dbuser = $_POST['v_dbuser'];
     }
 
     // Change database password
@@ -65,7 +65,7 @@ if (!empty($_POST['save'])) {
             $fp = fopen($v_password, "w");
             fwrite($fp, $_POST['v_password']."\n");
             fclose($fp);
-            exec(HESTIA_CMD."v-change-database-password ".$v_username." ".escapeshellarg($v_database)." ".$v_password, $output, $return_var);
+            exec(HESTIA_CMD."v-change-database-password ".$user." ".escapeshellarg($v_database)." ".$v_password, $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             unlink($v_password);
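Review bot: `$v_dbuser = $_POST['v_dbuser'];` replaces the normalised, prefixed value with the raw POST field, so whatever renders `$v_dbuser` afterwards now receives user-controlled input without the `user_` prefix; given the XSS fixes this release ships, confirm the template HTML-escapes it, otherwise keep the stripped-prefix form `$v_dbuser = preg_replace("/^".$user_plain."_/", "", $_POST['v_dbuser']);` so the displayed value matches what was sent to the backend. Two lines earlier, `$v_dbuser = escapeshellarg($v_dbuser);` escapes the value just compared against `$_POST['v_dbuser']` rather than the POST value itself, so `v-change-database-user` only receives the new name if a line outside the hunk has already copied it into `$v_dbuser`. The enclosing `if (!empty($_POST['save']))` starts outside the hunk.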

+ 12 - 21
web/edit/mail/index.php

@@ -19,16 +19,6 @@ if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
 
 $v_username = $user;
 
-// Get all user domains
-exec(HESTIA_CMD."v-list-mail-domains ".escapeshellarg($user)." json", $output, $return_var);
-$user_domains = json_decode(implode('', $output), true);
-$user_domains = array_keys($user_domains);
-unset($output);
-
-exec(HESTIA_CMD."v-list-sys-webmail json", $output, $return_var);
-$webmail_clients = json_decode(implode('', $output), true);
-unset($output);
-
 // List mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
     $v_domain = $_GET['domain'];
@@ -130,14 +120,15 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
 
 // Check POST request for mail domain
 if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['account']))) {
-    $v_domain = $_POST['v_domain'];
-    if (!in_array($v_domain, $user_domains)) {
-        check_return_code(3, ["Unknown domain"]);
-    }
-
     // Check token
     verify_csrf($_POST);
-
+    
+    
+    exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
+    $data = json_decode(implode('', $output), true);
+    check_return_code_redirect($return_var, $output, '/list/mail/');
+    unset($output);
+    
     // Delete antispam
     if (($v_antispam == 'yes') && (empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) {
         exec(HESTIA_CMD."v-delete-mail-domain-antispam ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
@@ -463,15 +454,15 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
         }
     }
 
-    $v_domain = $_POST['v_domain'];
-    if (!in_array($v_domain, $user_domains)) {
-        check_return_code(3, ["Unknown domain"]);
-    }
-
     $v_account = $_POST['v_account'];
     $v_send_email = $_POST['v_send_email'];
     $v_credentials = $_POST['v_credentials'];
 
+    exec(HESTIA_CMD."v-list-mail-account ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." json", $output, $return_var);
+    $data = json_decode(implode('', $output), true);
+    check_return_code_redirect($return_var, $output, '/list/mail/');
+    unset($output);
+
     // Change password
     if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {
         if (!validate_password($_POST['v_password'])) {
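Review bot: The new ownership lookups at `@@ -130` and `@@ -463` decode `$output` into `$data` before `check_return_code_redirect` runs and never read `$data` within the hunk, so the decode is either dead or belongs after the check; `check_return_code_redirect($return_var, $output, '/list/mail/');` directly after the exec, with the `$data` line dropped if nothing later uses it, is cleaner. Both blocks also removed the `$v_domain = $_POST['v_domain'];` assignment, so `$v_domain` now comes from the GET-driven blocks earlier in the file, which lie outside these hunks and should be confirmed to run under the same conditions. The three new whitespace-only lines around the first exec carry trailing spaces. Both enclosing `if` blocks start outside the hunks.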

+ 45 - 46
web/edit/web/index.php

@@ -32,7 +32,6 @@ $data = json_decode(implode('', $output), true);
 unset($output);
 
 // Parse domain
-$v_username = $user;
 $v_ip = $data[$v_domain]['IP'];
 $v_template = $data[$v_domain]['TPL'];
 $v_aliases = str_replace(',', "\n", $data[$v_domain]['ALIAS']);
@@ -82,14 +81,14 @@ $v_stats_user = $data[$v_domain]['STATS_USER'];
 if (!empty($v_stats_user)) {
     $v_stats_password = "";
 }
-$v_custom_doc_root_prepath = '/home/'.$v_username.'/web/';
+$v_custom_doc_root_prepath = '/home/'.$user_plain.'/web/';
 
 if (!empty($data[$v_domain]['CUSTOM_DOCROOT'])) {
     $v_custom_doc_root = realpath($data[$v_domain]['CUSTOM_DOCROOT']) . DIRECTORY_SEPARATOR;
 }
 
 if (!empty($v_custom_doc_root) &&
-    false !== preg_match('/\/home\/'.$v_username.'\/web\/([[:alnum:]].*?)\/public_html\/([[:alnum:]].*)?/', $v_custom_doc_root, $matches)) {
+    false !== preg_match('/\/home\/'.$user_plain.'\/web\/([[:alnum:]].*?)\/public_html\/([[:alnum:]].*)?/', $v_custom_doc_root, $matches)) {
     // Regex for extracting target web domain and custom document root. Regex test: https://regex101.com/r/2CLvIF/1
 
     if (!empty($matches[1])) {
@@ -120,9 +119,9 @@ if (!empty($v_ftp_user)) {
 }
 
 if ($v_custom_doc_domain != '') {
-    $v_ftp_user_prepath = '/home/'.$v_username.'/web/'.$v_custom_doc_domain;
+    $v_ftp_user_prepath = '/home/'.$user_plain.'/web/'.$v_custom_doc_domain;
 } else {
-    $v_ftp_user_prepath = '/home/'.$v_username.'/web/'.$v_domain;
+    $v_ftp_user_prepath = '/home/'.$user_plain.'/web/'.$v_domain;
 }
 
 
@@ -186,7 +185,7 @@ if (!empty($_POST['save'])) {
     }
 
     if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
-        exec(HESTIA_CMD."v-change-web-domain-ip ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v_ip'])." 'no'", $output, $return_var);
+        exec(HESTIA_CMD."v-change-web-domain-ip ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v_ip'])." 'no'", $output, $return_var);
         check_return_code($return_var, $output);
         $restart_web = 'yes';
         $restart_proxy = 'yes';
@@ -195,10 +194,10 @@ if (!empty($_POST['save'])) {
 
     // Change dns domain IP
     if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
-        exec(HESTIA_CMD."v-list-dns-domain ".$v_username." ".escapeshellarg($v_domain)." json", $output, $return_var);
+        exec(HESTIA_CMD."v-list-dns-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
         unset($output);
         if ($return_var == 0) {
-            exec(HESTIA_CMD."v-change-dns-domain-ip ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_newip_public)." 'no'", $output, $return_var);
+            exec(HESTIA_CMD."v-change-dns-domain-ip ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_newip_public)." 'no'", $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             $restart_dns = 'yes';
@@ -208,10 +207,10 @@ if (!empty($_POST['save'])) {
     // Change dns ip for each alias
     if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
         foreach ($valiases as $v_alias) {
-            exec(HESTIA_CMD."v-list-dns-domain ".$v_username." ".escapeshellarg($v_alias)." json", $output, $return_var);
+            exec(HESTIA_CMD."v-list-dns-domain ".$user." ".escapeshellarg($v_alias)." json", $output, $return_var);
             unset($output);
             if ($return_var == 0) {
-                exec(HESTIA_CMD."v-change-dns-domain-ip ".$v_username." ".escapeshellarg($v_alias)." ".escapeshellarg($v_newip_public), $output, $return_var);
+                exec(HESTIA_CMD."v-change-dns-domain-ip ".$user." ".escapeshellarg($v_alias)." ".escapeshellarg($v_newip_public), $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
                 $restart_dns = 'yes';
@@ -221,10 +220,10 @@ if (!empty($_POST['save'])) {
 
     // Change mail domain IP
     if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
-        exec(HESTIA_CMD."v-list-mail-domain ".$v_username." ".escapeshellarg($v_domain)." json", $output, $return_var);
+        exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
         unset($output);
         if ($return_var == 0) {
-            exec(HESTIA_CMD."v-rebuild-mail-domain ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+            exec(HESTIA_CMD."v-rebuild-mail-domain ".$user." ".escapeshellarg($v_domain), $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             $restart_email = 'yes';
@@ -235,7 +234,7 @@ if (!empty($_POST['save'])) {
     if (($_SESSION['POLICY_USER_EDIT_WEB_TEMPLATES'] == 'yes') || ($_SESSION['userContext'] === "admin")) {
         // Change template
         if (($v_template != $_POST['v_template']) && (empty($_SESSION['error_msg']))) {
-            exec(HESTIA_CMD."v-change-web-domain-tpl ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v_template'])." 'no'", $output, $return_var);
+            exec(HESTIA_CMD."v-change-web-domain-tpl ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v_template'])." 'no'", $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             $restart_web = 'yes';
@@ -244,7 +243,7 @@ if (!empty($_POST['save'])) {
         // Change backend template
         if ((!empty($_SESSION['WEB_BACKEND'])) && ($v_backend_template != $_POST['v_backend_template'])  && (empty($_SESSION['error_msg']))) {
             $v_backend_template = $_POST['v_backend_template'];
-            exec(HESTIA_CMD."v-change-web-domain-backend-tpl ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_backend_template), $output, $return_var);
+            exec(HESTIA_CMD."v-change-web-domain-backend-tpl ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_backend_template), $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
         }
@@ -255,11 +254,11 @@ if (!empty($_POST['save'])) {
                 if (empty($_POST['v_nginx_cache_duration'])) {
                     $_POST['v_nginx_cache_duration'] = "2m";
                 }
-                exec(HESTIA_CMD."v-add-fastcgi-cache ".$v_username." ".escapeshellarg($v_domain).' '. escapeshellarg($_POST['v_nginx_cache_duration']), $output, $return_var);
+                exec(HESTIA_CMD."v-add-fastcgi-cache ".$user." ".escapeshellarg($v_domain).' '. escapeshellarg($_POST['v_nginx_cache_duration']), $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
             } else {
-                exec(HESTIA_CMD."v-delete-fastcgi-cache ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+                exec(HESTIA_CMD."v-delete-fastcgi-cache ".$user." ".escapeshellarg($v_domain), $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
             }
@@ -268,7 +267,7 @@ if (!empty($_POST['save'])) {
 
         // Delete proxy support
         if ((!empty($_SESSION['PROXY_SYSTEM'])) && (!empty($v_proxy)) && (empty($_POST['v_proxy'])) && (empty($_SESSION['error_msg']))) {
-            exec(HESTIA_CMD."v-delete-web-domain-proxy ".$v_username." ".escapeshellarg($v_domain)." 'no'", $output, $return_var);
+            exec(HESTIA_CMD."v-delete-web-domain-proxy ".$user." ".escapeshellarg($v_domain)." 'no'", $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             unset($v_proxy);
@@ -287,7 +286,7 @@ if (!empty($_POST['save'])) {
                 if (!empty($_POST['v_proxy_template'])) {
                     $v_proxy_template = $_POST['v_proxy_template'];
                 }
-                exec(HESTIA_CMD."v-change-web-domain-proxy-tpl ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_proxy_template)." ".escapeshellarg($ext)." 'no'", $output, $return_var);
+                exec(HESTIA_CMD."v-change-web-domain-proxy-tpl ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_proxy_template)." ".escapeshellarg($ext)." 'no'", $output, $return_var);
                 check_return_code($return_var, $output);
                 $v_proxy_ext = str_replace(',', ', ', $ext);
                 unset($output);
@@ -306,7 +305,7 @@ if (!empty($_POST['save'])) {
                 $ext = str_replace(' ', ",", $ext);
                 $v_proxy_ext = str_replace(',', ', ', $ext);
             }
-            exec(HESTIA_CMD."v-add-web-domain-proxy ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_proxy_template)." ".escapeshellarg($ext)." 'no'", $output, $return_var);
+            exec(HESTIA_CMD."v-add-web-domain-proxy ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_proxy_template)." ".escapeshellarg($ext)." 'no'", $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             $restart_proxy = 'yes';
@@ -325,15 +324,15 @@ if (!empty($_POST['save'])) {
             if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
                 $restart_web = 'yes';
                 $restart_proxy = 'yes';
-                exec(HESTIA_CMD."v-delete-web-domain-alias ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($alias)." 'no'", $output, $return_var);
+                exec(HESTIA_CMD."v-delete-web-domain-alias ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($alias)." 'no'", $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
 
                 if (empty($_SESSION['error_msg'])) {
-                    exec(HESTIA_CMD."v-list-dns-domain ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+                    exec(HESTIA_CMD."v-list-dns-domain ".$user." ".escapeshellarg($v_domain), $output, $return_var);
                     unset($output);
                     if ($return_var == 0) {
-                        exec(HESTIA_CMD."v-delete-dns-on-web-alias ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($alias)." 'no'", $output, $return_var);
+                        exec(HESTIA_CMD."v-delete-dns-on-web-alias ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($alias)." 'no'", $output, $return_var);
                         check_return_code($return_var, $output);
                         unset($output);
                         $restart_dns = 'yes';
@@ -347,14 +346,14 @@ if (!empty($_POST['save'])) {
             if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
                 $restart_web = 'yes';
                 $restart_proxy = 'yes';
-                exec(HESTIA_CMD."v-add-web-domain-alias ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($alias)." 'no'", $output, $return_var);
+                exec(HESTIA_CMD."v-add-web-domain-alias ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($alias)." 'no'", $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
                 if (empty($_SESSION['error_msg'])) {
-                    exec(HESTIA_CMD."v-list-dns-domain ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+                    exec(HESTIA_CMD."v-list-dns-domain ".$user." ".escapeshellarg($v_domain), $output, $return_var);
                     unset($output);
                     if ($return_var == 0) {
-                        exec(HESTIA_CMD."v-add-dns-on-web-alias ".$v_username." ".escapeshellarg($alias)." ".escapeshellarg($v_newip_public ?: $v_ip_public)." no", $output, $return_var);
+                        exec(HESTIA_CMD."v-add-dns-on-web-alias ".$user." ".escapeshellarg($alias)." ".escapeshellarg($v_newip_public ?: $v_ip_public)." no", $output, $return_var);
                         check_return_code($return_var, $output);
                         unset($output);
                         $restart_dns = 'yes';
@@ -398,7 +397,7 @@ if (!empty($_POST['save'])) {
         if ((!empty($v_stats)) && ($_POST['v_stats'] == $v_stats) && (empty($_SESSION['error_msg']))) {
             // Update statistics configuration when changing domain aliases
             $v_stats = escapeshellarg($_POST['v_stats']);
-            exec(HESTIA_CMD."v-change-web-domain-stats ".$v_username." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
+            exec(HESTIA_CMD."v-change-web-domain-stats ".$user." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
         }
@@ -498,7 +497,7 @@ if (!empty($_POST['save'])) {
 
     // Delete SSL certificate
     if (($v_ssl == 'yes') && (empty($_POST['v_ssl'])) && (empty($_SESSION['error_msg']))) {
-        exec(HESTIA_CMD."v-delete-web-domain-ssl ".$v_username." ".escapeshellarg($v_domain)." 'no'", $output, $return_var);
+        exec(HESTIA_CMD."v-delete-web-domain-ssl ".$user." ".escapeshellarg($v_domain)." 'no'", $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
         $v_ssl_crt = '';
@@ -654,7 +653,7 @@ if (!empty($_POST['save'])) {
 
     // Delete web stats
     if ((!empty($v_stats)) && ($_POST['v_stats'] == 'none') && (empty($_SESSION['error_msg']))) {
-        exec(HESTIA_CMD."v-delete-web-domain-stats ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+        exec(HESTIA_CMD."v-delete-web-domain-stats ".$user." ".escapeshellarg($v_domain), $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
         $v_stats = '';
@@ -663,7 +662,7 @@ if (!empty($_POST['save'])) {
     // Change web stats engine
     if ((!empty($v_stats)) && ($_POST['v_stats'] != $v_stats) && (empty($_SESSION['error_msg']))) {
         $v_stats = escapeshellarg($_POST['v_stats']);
-        exec(HESTIA_CMD."v-change-web-domain-stats ".$v_username." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
+        exec(HESTIA_CMD."v-change-web-domain-stats ".$user." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
     }
@@ -671,14 +670,14 @@ if (!empty($_POST['save'])) {
     // Add web stats
     if ((empty($v_stats)) && ($_POST['v_stats'] != 'none') && (empty($_SESSION['error_msg']))) {
         $v_stats = escapeshellarg($_POST['v_stats']);
-        exec(HESTIA_CMD."v-add-web-domain-stats ".$v_username." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
+        exec(HESTIA_CMD."v-add-web-domain-stats ".$user." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
     }
 
     // Delete web stats authorization
     if ((!empty($v_stats_user)) && (empty($_POST['v_stats_auth'])) && (empty($_SESSION['error_msg']))) {
-        exec(HESTIA_CMD."v-delete-web-domain-stats-user ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+        exec(HESTIA_CMD."v-delete-web-domain-stats-user ".$user." ".escapeshellarg($v_domain), $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
         $v_stats_user = '';
@@ -705,7 +704,7 @@ if (!empty($_POST['save'])) {
             $fp = fopen($v_stats_password, "w");
             fwrite($fp, $_POST['v_stats_password']."\n");
             fclose($fp);
-            exec(HESTIA_CMD."v-add-web-domain-stats-user ".$v_username." ".escapeshellarg($v_domain)." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
+            exec(HESTIA_CMD."v-add-web-domain-stats-user ".$user." ".escapeshellarg($v_domain)." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             unlink($v_stats_password);
@@ -734,7 +733,7 @@ if (!empty($_POST['save'])) {
             $fp = fopen($v_stats_password, "w");
             fwrite($fp, $_POST['v_stats_password']."\n");
             fclose($fp);
-            exec(HESTIA_CMD."v-add-web-domain-stats-user ".$v_username." ".escapeshellarg($v_domain)." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
+            exec(HESTIA_CMD."v-add-web-domain-stats-user ".$user." ".escapeshellarg($v_domain)." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             unlink($v_stats_password);
@@ -779,7 +778,7 @@ if (!empty($_POST['save'])) {
                     $fp = fopen($v_ftp_password, "w");
                     fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
                     fclose($fp);
-                    exec(HESTIA_CMD."v-add-web-domain-ftp ".$v_username." ".escapeshellarg($v_domain)." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+                    exec(HESTIA_CMD."v-add-web-domain-ftp ".$user." ".escapeshellarg($v_domain)." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                     check_return_code($return_var, $output);
                     if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
                         $to = $v_ftp_user_data['v_ftp_email'];
@@ -817,8 +816,8 @@ if (!empty($_POST['save'])) {
 
             // Delete FTP account
             if ($v_ftp_user_data['delete'] == 1) {
-                $v_ftp_username = $user . '_' . $v_ftp_user_data['v_ftp_user'];
-                exec(HESTIA_CMD."v-delete-web-domain-ftp ".$v_username." ".escapeshellarg($v_domain)." ".$v_ftp_username, $output, $return_var);
+                $v_ftp_username = $user_plain . '_' . $v_ftp_user_data['v_ftp_user'];
+                exec(HESTIA_CMD."v-delete-web-domain-ftp ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_ftp_username), $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
 
@@ -842,11 +841,11 @@ if (!empty($_POST['save'])) {
 
                 // Change FTP account path
                 $v_ftp_username_for_emailing = $v_ftp_user_data['v_ftp_user'];
-                $v_ftp_username = $user . '_' . $v_ftp_user_data['v_ftp_user']; //preg_replace("/^".$user."_/", "", $v_ftp_user_data['v_ftp_user']);
+                $v_ftp_username = $user_plain . '_' . $v_ftp_user_data['v_ftp_user']; //preg_replace("/^".$user."_/", "", $v_ftp_user_data['v_ftp_user']);
                 $v_ftp_username = escapeshellarg($v_ftp_username);
                 $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
                 if (escapeshellarg(trim($v_ftp_user_data['v_ftp_path_prev'])) != $v_ftp_path) {
-                    exec(HESTIA_CMD."v-change-web-domain-ftp-path ".$v_username." ".escapeshellarg($v_domain)." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var);
+                    exec(HESTIA_CMD."v-change-web-domain-ftp-path ".$user." ".escapeshellarg($v_domain)." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var);
                 }
 
                 // Change FTP account password
@@ -855,7 +854,7 @@ if (!empty($_POST['save'])) {
                     $fp = fopen($v_ftp_password, "w");
                     fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
                     fclose($fp);
-                    exec(HESTIA_CMD."v-change-web-domain-ftp-password ".$v_username." ".escapeshellarg($v_domain)." ".$v_ftp_username." ".$v_ftp_password, $output, $return_var);
+                    exec(HESTIA_CMD."v-change-web-domain-ftp-password ".$user." ".escapeshellarg($v_domain)." ".$v_ftp_username." ".$v_ftp_password, $output, $return_var);
                     unlink($v_ftp_password);
 
                     $to = $v_ftp_user_data['v_ftp_email'];
@@ -883,7 +882,7 @@ if (!empty($_POST['save'])) {
     }
     //custom docoot with check box disabled
     if (!empty($v_custom_doc_root) && empty($_POST['v_custom_doc_root_check'])) {
-        exec(HESTIA_CMD."v-change-web-domain-docroot ".$v_username." ".escapeshellarg($v_domain)." default", $output, $return_var);
+        exec(HESTIA_CMD."v-change-web-domain-docroot ".$user." ".escapeshellarg($v_domain)." default", $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
         unset($_POST['v-custom-doc-domain'], $_POST['v-custom-doc-folder']);
@@ -893,14 +892,14 @@ if (!empty($_POST['save'])) {
 
     if (!empty($_POST['v-custom-doc-domain']) && !empty($_POST['v_custom_doc_root_check']) && $v_custom_doc_root_prepath.$v_custom_doc_domain.'/public_html'.$v_custom_doc_folder != $v_custom_doc_root) {
         if ($_POST['v-custom-doc-domain'] == $v_domain && empty($_POST['v-custom-doc-folder'])) {
-            exec(HESTIA_CMD."v-change-web-domain-docroot ".$v_username." ".escapeshellarg($v_domain)." default", $output, $return_var);
+            exec(HESTIA_CMD."v-change-web-domain-docroot ".$user." ".escapeshellarg($v_domain)." default", $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
         } else {
             $v_custom_doc_folder = escapeshellarg(rtrim($_POST['v-custom-doc-folder'], '/'));
             $v_custom_doc_domain = escapeshellarg($_POST['v-custom-doc-domain']);
 
-            exec(HESTIA_CMD."v-change-web-domain-docroot ".$v_username." ".escapeshellarg($v_domain)." ".$v_custom_doc_domain." ".$v_custom_doc_folder ." yes", $output, $return_var);
+            exec(HESTIA_CMD."v-change-web-domain-docroot ".$user." ".escapeshellarg($v_domain)." ".$v_custom_doc_domain." ".$v_custom_doc_folder ." yes", $output, $return_var);
             check_return_code($return_var, $output);
             unset($output);
             $v_custom_doc_root = 1;
@@ -912,7 +911,7 @@ if (!empty($_POST['save'])) {
     }
 
     if (!empty($v_redirect) && empty($_POST['v-redirect-checkbox'])) {
-        exec(HESTIA_CMD."v-delete-web-domain-redirect ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
+        exec(HESTIA_CMD."v-delete-web-domain-redirect ".$user." ".escapeshellarg($v_domain), $output, $return_var);
         check_return_code($return_var, $output);
         unset($output);
         unset($_POST['v-redirect']);
@@ -927,7 +926,7 @@ if (!empty($_POST['save'])) {
                 if ($_POST['v-redirect']  == 'custom') {
                     $_POST['v-redirect'] = $_POST['v-redirect-custom'];
                 }
-                exec(HESTIA_CMD."v-add-web-domain-redirect ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v-redirect'])." ".escapeshellarg($_POST['v-redirect-code']), $output, $return_var);
+                exec(HESTIA_CMD."v-add-web-domain-redirect ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v-redirect'])." ".escapeshellarg($_POST['v-redirect-code']), $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
                 $restart_web = 'yes';
@@ -938,7 +937,7 @@ if (!empty($_POST['save'])) {
                 $_POST['v-redirect'] = $_POST['v-redirect-custom'];
             }
             if ($_POST['v-redirect'] != $v_redirect || $_POST['v-redirect-code'] != $v_redirect_code) {
-                exec(HESTIA_CMD."v-add-web-domain-redirect ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v-redirect'])." ".escapeshellarg($_POST['v-redirect-code']), $output, $return_var);
+                exec(HESTIA_CMD."v-add-web-domain-redirect ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v-redirect'])." ".escapeshellarg($_POST['v-redirect-code']), $output, $return_var);
                 check_return_code($return_var, $output);
                 unset($output);
                 $restart_web = 'yes';
@@ -985,7 +984,7 @@ foreach ($v_ftp_users_raw as $v_ftp_user_index => $v_ftp_user_val) {
     }
     $v_ftp_users[] = array(
         'is_new'            => 0,
-        'v_ftp_user'        => preg_replace("/^".$user."_/", "", $v_ftp_user_val),
+        'v_ftp_user'        => preg_replace("/^".$user_plain."_/", "", $v_ftp_user_val),
         'v_ftp_password'    => $v_ftp_password,
         'v_ftp_path'        => (isset($v_ftp_users_paths_raw[$v_ftp_user_index]) ? $v_ftp_users_paths_raw[$v_ftp_user_index] : ''),
         'v_ftp_email'       => $v_ftp_email,

+ 4 - 2
web/inc/main.php

@@ -114,10 +114,12 @@ if (!defined('NO_AUTH_REQUIRED')) {
 
 if (isset($_SESSION['user'])) {
     $user = escapeshellarg($_SESSION['user']);
+    $user_plain = htmlentities($_SESSION['user']);
 }
 
 if (isset($_SESSION['look']) && ($_SESSION['userContext'] === 'admin')) {
     $user = escapeshellarg($_SESSION['look']);
+    $user_plain = htmlentities($_SESSION['look']);
 }
 
 require_once(dirname(__FILE__) . '/i18n.php');
@@ -203,7 +205,7 @@ function verify_csrf($method, $return = false)
 function show_error_panel($data){
     if (!empty($data['error_msg'])) {
         $msg_icon = 'fa-exclamation-circle status-icon red';
-        $msg_text = $data['error_msg'];
+        $msg_text = htmlentities($data['error_msg']);
         $msg_id = 'vst-error';
     } else {
         if (!empty($data['ok_msg'])) {
@@ -213,7 +215,7 @@ function show_error_panel($data){
     }
     }
     ?>
-        <span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=htmlentities($msg_text);?></span>
+        <span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
     <?php
 }
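Review bot: Moving htmlentities() from the output line to the error_msg assignment (L918 vs L927) means the now-unescaped `<?=$msg_text;?>` also renders whatever the ok_msg branch starting at `if (!empty($data['ok_msg']))` assigns; that assignment lies outside the hunk, so unless it escapes itself, or ok messages are deliberately allowed to carry markup, one XSS sink has been traded for another. Escaping at the sink is the easier invariant to keep, `<?=htmlentities($msg_text);?>`, with any intentional HTML in ok messages handled as an explicit exception. The new `$user_plain` is also not plain: it is the HTML-entity-encoded session name, safe only in HTML text/attribute context, so a comment such as `// HTML-escaped display name; never feed to shell or JS string literals` (or a name like `$user_html`) would stop it being used as the raw value elsewhere.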
 

+ 0 - 23
web/list/directory/index.php

@@ -1,23 +0,0 @@
-<?php
-include($_SERVER['DOCUMENT_ROOT'] . "/inc/main.php");
-
-// Check login_as feature
-if (($_SESSION['userContext'] === 'admin') && (!empty($_SESSION['look']))) {
-    $user=$_SESSION['look'];
-}
-
-if (empty($panel)) {
-    $command = HESTIA_CMD."v-list-user ".escapeshellarg($user)." 'json'";
-    exec ($command, $output, $return_var);
-    if ( $return_var > 0 ) {
-        header("Location: /error/");
-        exit;
-    }
-    $panel = json_decode(implode('', $output), true);
-}
-
-$path_a = !empty($_REQUEST['dir_a']) ? htmlentities($_REQUEST['dir_a']) : '';
-$path_b = !empty($_REQUEST['dir_b']) ? htmlentities($_REQUEST['dir_b']) : '';
-$GLOBAL_JS  = '<script type="text/javascript">GLOBAL.START_DIR_A = "' . $path_a . '";</script>';
-$GLOBAL_JS .= '<script type="text/javascript">GLOBAL.START_DIR_B = "' . $path_b . '";</script>';
-$GLOBAL_JS .= '<script type="text/javascript">GLOBAL.ROOT_DIR = "' . $panel[$user]['HOME'] . '";</script>';

+ 2 - 2
web/list/dns/index.php

@@ -6,7 +6,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Data & Render page
 if (empty($_GET['domain'])){
-    exec (HESTIA_CMD."v-list-dns-domains ".escapeshellarg($user)." 'json'", $output, $return_var);
+    exec (HESTIA_CMD."v-list-dns-domains ".$user." 'json'", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     if($_SESSION['userSortOrder'] == 'name'){
         ksort($data);
@@ -17,7 +17,7 @@ if (empty($_GET['domain'])){
 
     render_page($user, $TAB, 'list_dns');
 } else {
-    exec (HESTIA_CMD."v-list-dns-records ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." 'json'", $output, $return_var);
+    exec (HESTIA_CMD."v-list-dns-records ".$user." ".escapeshellarg($_GET['domain'])." 'json'", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     if($_SESSION['userSortOrder'] == 'name'){
         ksort($data);

+ 5 - 3
web/list/key/index.php

@@ -5,11 +5,13 @@ $TAB = 'USER';
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user = htmlspecialchars($_GET['user']);
+    $user = escapeshellarg($_GET['user']);
 }
 
-exec (HESTIA_CMD . "v-list-user-ssh-key ".escapeshellarg($user)." json", $output, $return_var);
-
+exec (HESTIA_CMD . "v-list-user-ssh-key ".$user." json", $output, $return_var);
+if($return_var > 0){
+    check_return_code_redirect($return_var,$output,'/');
+}
 $data = json_decode(implode('', $output), true);
 
 // Render page\
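Review bot: `$user` is re-assigned to the escapeshellarg'd `$_GET['user']` at L990 but `$user_plain`, which main.php sets from the session alongside `$user`, is left as the admin's own name, so any template rendered below (outside the hunk) that shows `$user_plain` will label another user's key list with the admin's name. Set both together, `$user_plain = htmlentities($_GET['user']);`, so the display value and the value handed to the CLI stay the same account. The `if($return_var > 0)` wrapper around `check_return_code_redirect` looks redundant if that helper already tests the code itself, as its name suggests; harmless either way.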

+ 4 - 5
web/list/log/auth/index.php

@@ -9,13 +9,12 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 if (($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look']))) {
     $v_username = escapeshellarg($_SESSION['look']);
 } else if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $v_username = escapeshellarg($_GET['user']);
-} else {
-    $v_username = escapeshellarg($_SESSION['user']);
+    $user = escapeshellarg($_GET['user']);
 }
 
-exec(HESTIA_CMD."v-list-user-auth-log ".$v_username." json", $output, $return_var);
-check_return_code($return_var,$output);
+exec(HESTIA_CMD."v-list-user-auth-log ".$user." json", $output, $return_var);
+check_return_code_redirect($return_var,$outoput, '/');
+
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data);
 unset($output);
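Review bot: `$outoput` on the new L1019 is a typo for `$output`, so `check_return_code_redirect` receives null for the command output (and PHP raises an undefined-variable notice) whenever v-list-user-auth-log fails; the line should read `check_return_code_redirect($return_var, $output, '/');`. With the exec now using `$user`, the `$v_username = escapeshellarg($_SESSION['look'])` assignment kept at L1008 is dead code, since main.php already resolves the look-as case into `$user`; dropping that branch makes the remaining `$_GET['user']` override, which sets only `$user` and not `$user_plain`, easier to see.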

+ 4 - 4
web/list/mail/index.php

@@ -17,22 +17,22 @@ if (empty($_GET['domain'])){
 
     render_page($user, $TAB, 'list_mail');
 } else if (!empty($_GET['dns'])) {
-        exec (HESTIA_CMD."v-list-mail-domain ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
+        exec (HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
         $data = json_decode(implode('', $output), true);
         $data = array_reverse($data, true);
         unset($output);
-        exec (HESTIA_CMD."v-list-user-ips ".escapeshellarg($user)." json", $output, $return_var);
+        exec (HESTIA_CMD."v-list-user-ips ".$user." json", $output, $return_var);
         $ips = json_decode(implode('', $output), true);
         $ips = array_reverse($ips, true);
         unset($output);
-        exec (HESTIA_CMD."v-list-mail-domain-dkim-dns ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
+        exec (HESTIA_CMD."v-list-mail-domain-dkim-dns ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
         $dkim = json_decode(implode('', $output), true);
         $dkim = array_reverse($dkim, true);
         unset($output);
 
         render_page($user, $TAB, 'list_mail_dns');
 } else {
-    exec (HESTIA_CMD."v-list-mail-accounts ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
+    exec (HESTIA_CMD."v-list-mail-accounts ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     if($_SESSION['userSortOrder'] == 'name'){
         ksort($data);

+ 1 - 1
web/list/web/index.php

@@ -5,7 +5,7 @@ $TAB = 'WEB';
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Data
-exec (HESTIA_CMD."v-list-web-domains ".escapeshellarg($user)." 'json'", $output, $return_var);
+exec (HESTIA_CMD."v-list-web-domains ".$user." 'json'", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 if ($_SESSION['userSortOrder'] == 'name') {
     ksort($data);

BIN
web/locale/cs/LC_MESSAGES/hestiacp.mo


BIN
web/locale/en/LC_MESSAGES/hestiacp.mo


BIN
web/locale/es/LC_MESSAGES/hestiacp.mo


+ 274 - 253
web/locale/hestiacp.pot


BIN
web/locale/hu/LC_MESSAGES/hestiacp.mo


BIN
web/locale/nl/LC_MESSAGES/hestiacp.mo


BIN
web/locale/sk/LC_MESSAGES/hestiacp.mo


+ 1 - 1
web/login/index.php

@@ -111,7 +111,7 @@ function authenticate_user($user, $password, $twofa = '')
             if($return_var == 5){
                 $error = '<a class="error">' . _('Account has been suspended') . '</a>';   
             }elseif($return_var == 1){
-                $error = '<a class="error">' . _('Unsuported hash method') . '</a>';     
+                $error = '<a class="error">' . _('Unsupported hash method') . '</a>';     
             }else{
                 $error = '<a class="error">' . _('Invalid username or password') . '</a>';    
             }

+ 2 - 2
web/templates/pages/add_db.html

@@ -227,6 +227,6 @@
 </div>
 
 <script>
-GLOBAL.DB_USER_PREFIX = "<?php echo htmlentities($user.'_');?>";
-GLOBAL.DB_DBNAME_PREFIX = "<?php echo htmlentities($user.'_')?>";
+GLOBAL.DB_USER_PREFIX = "<?=$user_plain;?>";
+GLOBAL.DB_DBNAME_PREFIX = "<?=$user_plain;?>";
 </script>
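Review bot: The trailing underscore is dropped here: the old lines emitted `htmlentities($user.'_')` but the new ones emit `$user_plain` alone, while add_web.html in the same commit keeps `$user_plain.'_'` for FTP_USER_PREFIX, so unless the JavaScript consumer changed as well (not in view) the database and DB-user prefix shown and enforced by the form loses its `_`. Restore it with `GLOBAL.DB_USER_PREFIX = "<?=$user_plain.'_';?>";` and `GLOBAL.DB_DBNAME_PREFIX = "<?=$user_plain.'_';?>";`. Note also that htmlentities is an HTML encoder, not a JavaScript-string encoder; inside `<script>` a `"` becomes a literal `&quot;` that the browser never decodes, so the literal cannot be broken out of but the value is wrong for any character htmlentities rewrites, and `json_encode()` of the raw username is the correct tool for this context.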

+ 2 - 2
web/templates/pages/add_web.html

@@ -489,7 +489,7 @@
 				<tr>
 					<td class="vst-text step-left input-label">
 						<?=_('Username');?><br>
-						<span style="font-size: 10pt; color:#777;"><?=sprintf(_('Prefix %s will be added to username automatically'),$user."_");?></span>
+						<span style="font-size: 10pt; color:#777;"><?=sprintf(_('Prefix %s will be added to username automatically'),$user_plain."_");?></span>
 					</td>
 				</tr>
 				<tr>
@@ -536,6 +536,6 @@
 	  </div>
 
 	<script>
-		GLOBAL.FTP_USER_PREFIX = "<?=htmlentities($user.'_');?>";
+		GLOBAL.FTP_USER_PREFIX =  "<?=$user_plain.'_';?>";
 		GLOBAL.FTP_USER_PREPATH = "<?=htmlentities($v_ftp_user_prepath);?>";
 	</script>
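Review bot: `GLOBAL.FTP_USER_PREFIX = "<?=$user_plain.'_';?>"` places an HTML-entity-encoded string inside a JavaScript string literal, which is the wrong encoder for that context: `"`, `&` and (on PHP 8.1+, where htmlentities defaults to ENT_QUOTES) `'` come out as entities the browser does not decode inside `<script>`, so a username containing any of them yields a mangled prefix rather than an injection. The same applies to the `htmlentities($v_ftp_user_prepath)` line kept below it. Emit both with `json_encode()` applied to the raw PHP value, e.g. `GLOBAL.FTP_USER_PREFIX = <?=json_encode($raw_user.'_');?>;` where `$raw_user` is the un-encoded session name main.php feeds to htmlentities; that is presumably harmless today if usernames are restricted to `[a-z0-9_-]`, but the template should not depend on that restriction.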

+ 2 - 2
web/templates/pages/edit_db.html

@@ -126,6 +126,6 @@
 </div>
 <?php if ($v_type == 'pgsql'){ $user=strtolower($user); } ?>
 <script>
-    GLOBAL.DB_USER_PREFIX = "<?php echo htmlentities($user.'_');?>";
-    GLOBAL.DB_DBNAME_PREFIX = "<?php echo htmlentities($user.'_')?>";
+    GLOBAL.DB_USER_PREFIX = "<?=$user_plain;?>";
+    GLOBAL.DB_DBNAME_PREFIX =  "<?=$user_plain;?>";
 </script>
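Review bot: The pgsql lower-casing at L1150 now has no effect on the prefixes: it lowercases `$user`, but the script block below reads `$user_plain`, so for PostgreSQL databases the JavaScript prefix is no longer lowercased as it was before this change. Extend the guard to both variables, `<?php if ($v_type == 'pgsql'){ $user=strtolower($user); $user_plain=strtolower($user_plain); } ?>`. The trailing `_` that the old `htmlentities($user.'_')` produced is also dropped here while add_web.html keeps `$user_plain.'_'`; unless the JS consumer changed as well, append it back with `"<?=$user_plain.'_';?>"` on both lines.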

+ 3 - 3
web/templates/pages/edit_web.html

@@ -544,7 +544,7 @@
 													<tr>
 														<td class="vst-text step-left input-label">
 															<?=_('Username');?><br>
-															<span style="font-size: 10pt; color:#777;"><?=sprintf(_('Prefix %s will be added to username automatically'),$user."_");?></span>
+															<span style="font-size: 10pt; color:#777;"><?=sprintf(_('Prefix %s will be added to username automatically'),$user_plain."_");?></span>
 														</td>
 													</tr>
 													<tr>
@@ -624,7 +624,7 @@
 			<tr>
 				<td class="vst-text step-left input-label">
 					<?=_('Username');?><br>
-					<span style="font-size: 10pt; color:#777;"><?=sprintf(_('Prefix %s will be added to username automatically'),$user."_");?></span>
+					<span style="font-size: 10pt; color:#777;"><?=sprintf(_('Prefix %s will be added to username automatically'),$user_plain."_");?></span>
 				</td>
 			</tr>
 			<tr>
@@ -670,5 +670,5 @@
 	</div>
 </div>
 <script>
-	GLOBAL.FTP_USER_PREFIX = "<?php echo htmlentities($user.'_') ?>";
+	GLOBAL.FTP_USER_PREFIX =  "<?=$user_plain.'_';?>";
 </script>

+ 1 - 1
web/templates/pages/list_db.html

@@ -147,7 +147,7 @@
 										<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a href="/edit/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Database');?>"><i class="fas fa-pencil-alt status-icon orange status-icon dim"></i></a></div>
 									<?php } ?>
 									<?php if ($data[$key]['TYPE'] == 'mysql' && isset($_SESSION['PHPMYADMIN_KEY']) && $_SESSION['PHPMYADMIN_KEY'] != '') { $time = time(); ?>
-										<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a target="_blank" href="<?=$db_myadmin_link;?>/hestia-sso.php?database=<?=$key;?>&user=<?=$user;?>&exp=<?=$time;?>&hestia_token=<?=password_hash($key.$user.$_SESSION['user_combined_ip'].$time.$_SESSION['PHPMYADMIN_KEY'], PASSWORD_DEFAULT)?>" title="<?=_('phpMyAdmin');?>"><i class="fas fa-sign-in-alt status-icon orange status-icon dim"></i></a></div>
+										<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a target="_blank" href="<?=$db_myadmin_link;?>/hestia-sso.php?database=<?=$key;?>&user=<?=$user_plain;?>&exp=<?=$time;?>&hestia_token=<?=password_hash($key.$user_plain.$_SESSION['user_combined_ip'].$time.$_SESSION['PHPMYADMIN_KEY'], PASSWORD_DEFAULT)?>" title="<?=_('phpMyAdmin');?>"><i class="fas fa-sign-in-alt status-icon orange status-icon dim"></i></a></div>
 									<?php } ?>
 									<div class="actions-panel__col actions-panel__suspend shortcut-s" key-action="js">
 										<a id="<?=$spnd_action ?>_link_<?=$i?>" class="data-controls do_<?=$spnd_action?>" title="<?=_($spnd_action)?>">
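Review bot: The phpMyAdmin SSO token on the new line hashes `$user_plain`, which main.php makes HTML-entity-encoded, and the same encoded string goes into the query string without URL encoding, so hestia-sso.php (not in view) has to rebuild exactly that string and the token becomes coupled to htmlentities behaviour (whose default flags changed in PHP 8.1) instead of to the username itself. Hash the raw session username, `rawurlencode()` it for the `user=` parameter, and do the same for `$key`, which is interpolated into the href unencoded. Separately, `PASSWORD_DEFAULT` is bcrypt, which only consumes the first 72 bytes of its input: with the secret `PHPMYADMIN_KEY` appended last after database name, user, IP string and timestamp, a long enough prefix silently pushes the key out of the hashed region, so a keyed MAC over delimited fields, `hash_hmac('sha256', $key.'|'.$user_raw.'|'.$_SESSION['user_combined_ip'].'|'.$time, $_SESSION['PHPMYADMIN_KEY'])`, is the safer construction, with the matching change on the verifying side.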
