
Fix multiple issues (#1899)

* Update top_js.html

Fix: "Warning: The type attribute for the script element is not needed and should be omitted."

* Update end_js.html

Fix: "Warning: The type attribute for the script element is not needed and should be omitted."

* Update css.html

Fix: "Warning: The type attribute for the link element is not needed and should be omitted."

* Update main.php

Fix php style

* Update main.php

* Update main.php

* Update policies.php

* Update policies.php

* Update secure_login.php

* Update query-3.6.0.min.js

* Update top_js.html

* Update footer.html

* Update header.html

* Update header.html

* Update index.php

Fix php style

* Update main.php

Fix php style and optimize code

* Update index.php

Fix php style and optimize code

* Update index.php

* Update css.html

Fix load custom theme

* Update hotkeys.html

Optimize code, fix error

* Update hotkeys.html

fix }

* Update index.php

* Fix XSS issue with list rrd

* Fix XSS issue on search page

* Fix XSS issue on login page

- Remove hidden user field
- htmlspecialchars username
- Delete old session when generate new session.

* XSS issue with $_GET['user']

* Update changelog + improve regenerate session code

* Allow static files to be cached

Change release branch or enable debug mode to disable the caching

* Force redirect user to login

* Improve error message 

Replace "Message" sub.domain.com already exists with rv-add-web-domain idn lalal.xxx.nu
Error: xxx.nu belongs to a different user

* Fix issues with login screen

* Update changelog

Co-authored-by: s0t <s0t@users.noreply.github.com>
Jaap Marcus 4 лет назад
Родитель
Сommit
620332a8bc

+ 4 - 0
CHANGELOG.md

@@ -20,6 +20,10 @@ All notable changes to this project will be documented in this file.
 - Increased minimal memory requirements for ClamD / ClamAV.  #1840
 - Restore of backup did not rebuild the "Forced SSL" and "HSTS" config on new account #1862
 - Keep changes made by /install/upgrade/manual/install_awstats_geopip.sh on update HestiaCP (via Discord)
+- Refactor/improve PHP and HTML code @s0t (#1860)
+- Fixed XSS vulnerability in login page and a few other locations @briansemrau / @numanturle
+- Delete old session after after session_regenerate_id() @briansemrau
+- Improve error message when domain all ready exists on different account.
 - Fixed an issue where phpmyadmin did not update when Postgresql was availble.
 
 ## [1.4.2] - Service release

+ 10 - 2
func/domain.sh

@@ -924,10 +924,18 @@ is_base_domain_owner(){
                     parse_object_kv_list "$web"
                     if [ -z "$ALLOW_USERS" ] ||  [ "$ALLOW_USERS" != "yes" ]; then
                         # Don't care if $basedomain all ready exists only if the owner is of the base domain is the current user
-                        is_domain_new "" $basedomain
+                        test=$(is_domain_new "" $basedomain)
+                        if [ $? -ne 0 ]; then
+                            echo "Error: $basedomain belongs to a different user";
+                            exit 1;
+                        fi
                     fi
                 else
-                    is_domain_new "" $basedomain
+                    test=$(is_domain_new "" $basedomain);
+                    if [ $? -ne 0 ]; then
+                        echo "Error: $basedomain belongs to a different user";
+                        exit 1;
+                    fi
                 fi
             fi
         fi
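Review bot: Both added blocks read the result of is_domain_new only through `$?` after a command substitution, then replace it with a hard-coded `exit 1` and discard whatever the helper printed in the unused `test` variable (a name that also reads like the `test` builtin), so any message or distinct exit status the helper produced is lost to callers. Capture the status explicitly, quote `$basedomain` so a value with whitespace or globs is passed as one argument, and propagate the code; the two branches are byte-identical, so the same five lines can serve both. The enclosing is_base_domain_owner function begins before this hunk and its closing brace is after it.
```shell
                        out=$(is_domain_new "" "$basedomain"); rc=$?
                        if [ "$rc" -ne 0 ]; then
                            echo "Error: $basedomain belongs to a different user"
                            exit "$rc"
                        fi
                        # … unchanged: same block repeated in the else branch …
```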

+ 7 - 7
web/delete/web/index.php

@@ -3,32 +3,32 @@
 error_reporting(NULL);
 ob_start();
 session_start();
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+include($_SERVER['DOCUMENT_ROOT'] . '/inc/main.php');
 
 // Check token
 if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
     header('location: /login/');
-    exit();
+    exit;
 }
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user = $_GET['user'];
 }
 
 if (!empty($_GET['domain'])) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec (HESTIA_CMD."v-delete-web-domain ".$v_username." ".$v_domain." 'yes'", $output, $return_var);
-    check_return_code($return_var,$output);
+    exec (HESTIA_CMD . 'v-delete-web-domain ' . $v_username . ' ' . $v_domain . " 'yes'", $output, $return_var);
+    check_return_code($return_var, $output);
     unset($output);
 }
 
 $back = $_SESSION['back'];
 if (!empty($back)) {
-    header("Location: ".$back);
+    header('Location: ' . $back);
     exit;
 }
 
-header("Location: /list/web/");
+header('Location: /list/web/');
 exit;
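Review bot: The CSRF check in this file still compares the token with loose `!=`, which treats two numeric-looking strings such as `0e…` hex tokens as equal and is not constant-time; since this handler deletes a domain, make it a strict constant-time compare, `if (!isset($_GET['token']) || !is_string($_GET['token']) || !hash_equals($_SESSION['token'], $_GET['token'])) {` (the `is_string` guard matters because `hash_equals` throws a TypeError on an array in `?token[]=`). Separately, `$user` is only assigned here in the admin branch, so the non-admin path presumably relies on main.php having set it — worth a comment, `// $user is set by inc/main.php for the logged-in account`. The `header('Location: ' . $back)` redirect forwards whatever `$_SESSION['back']` holds; if that value originates from a request header anywhere, it is an open redirect and should be restricted to a relative path.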

+ 85 - 467
web/hotkeys.html

@@ -1,3 +1,21 @@
+<?php	
+function Keyboard_Shortcut($num, $name, $keys) {
+$return = 
+'    <tr>
+        <td colspan="2"><br /><br /><br /><a name="' . $num . '">' . $num . '. ' . $name . '</a><br /><br /></td>
+    </tr>
+';
+foreach ($keys as $key=>$text) {
+$return .=
+'    <tr>
+        <td class=\'shortcut\'><span class="kbd">' . str_replace(['^', '#'], ['Ctrl</span> + <span class="kbd">', 'Shift</span> + <span class="kbd">'], $key) . '</span></td>
+        <td>' . $text . '</td>
+    </tr>
+';
+}
+return $return;
+}
+?>
 <style>
 table span.kbd {
     background: #fafafa none repeat scroll 0 0;
@@ -20,470 +38,70 @@ body {
 <title>Hestia Keyboard Shortcuts</title>
 <center>
 <h2>Keyboard Shortcuts</h2>
-<table cellspacing='3' width=500px>
-    <tr>
-        <td colspan='2'><a name=1>1. Control Panel</a><br><br></td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">↑</span>
-        </td>
-        <td>
-            Move cursor up
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">↓</span>
-        </td>
-        <td>
-            Move cursor down
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">1</span>
-        </td>
-        <td>
-            List user accounts / USER
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">2</span>
-        </td>
-        <td>
-            List web domains / WEB
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">3</span>
-        </td>
-        <td>
-            List dns domains / DNS
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">4</span>
-        </td>
-        <td>
-            List mail domains / MAIL
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">5</span>
-        </td>
-        <td>
-            List databases / DB
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">6</span>
-        </td>
-        <td>
-            List cron jobs / CRON
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">7</span>
-        </td>
-        <td>
-            List user backups / BACKUP
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">1</span>
-        </td>
-        <td>
-            List hosting packages / Packages
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">2</span>
-        </td>
-        <td>
-            List ip addresses / IP
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">3</span>
-        </td>
-        <td>
-            List rrd graphs / Grapsh
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">4</span>
-        </td>
-        <td>
-            List user stats / Statistics
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">5</span>
-        </td>
-        <td>
-            List user action log / Log
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">6</span>
-        </td>
-        <td>
-            List software updates / Updates
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">7</span>
-        </td>
-        <td>
-            List firewall rules / Firewall
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">8</span>
-        </td>
-        <td>
-            List services / Server
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">9</span>
-        </td>
-        <td>
-            List server status / CPU MEM NET DISK
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">0</span>
-        </td>
-        <td>
-            List user files / File Manager
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">f</span>
-        </td>
-        <td>
-            Find user objects / Focus on search bar
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">h</span>
-        </td>
-        <td>
-            Show help / Help
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">n</span>
-        </td>
-        <td>
-            Add new object
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">e</span>
-        </td>
-        <td>
-            Edit selected object
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">s</span>
-        </td>
-        <td>
-            Suspend selected object
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">d</span>
-        </td>
-        <td>
-            Delete selected object
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">a</span>
-        </td>
-        <td>
-            Select/deselect all objects
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">shift</span> + <span class="kbd">↑</span>
-        </td>
-        <td>
-            Select/deselect object above cursor
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">shift</span> + <span class="kbd">↓</span>
-        </td>
-        <td>
-            Select/deselect object below cursor
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctrl</span> + <span class="kbd">enter</span>
-        </td>
-        <td>
-            Save form
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctrl</span> + <span class="kbd">backspace</span>
-        </td>
-        <td>
-            Go back to previous listing
-        </td>
-    </tr>
-    <tr>
-        <td colspan='2'><br><br><br><a name=2>2. File Manager</a><br><br></td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">tab</span>
-        </td>
-        <td>
-            Switch between left and right file list
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">←</span>
-        </td>
-        <td>
-            Switch between left and right file list
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">→</span>
-        </td>
-        <td>
-            Switch between left and right file list
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">↑</span>
-        </td>
-        <td>
-            Move cursor up
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">↓</span>
-        </td>
-        <td>
-            Move cursor down
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">insert</span>
-        </td>
-        <td>
-            Select file or directory
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">space</span>
-        </td>
-        <td>
-            Select file or directory (as INSERT)
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">shift</span> + <span class="kbd">↑</span>
-        </td>
-        <td>
-             Select/deselect file above cursor
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">shift</span> + <span class="kbd">↓</span>
-        </td>
-        <td>
-              Select/deselect file below cursor
-        </td>
-    </tr>
-
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">enter</span>
-        </td>
-        <td>
-            Change directory / run association action
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">a</span>
-        </td>
-        <td>
-            Select all files and directories
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">c</span>
-        </td>
-        <td>
-            Copy selected files from active tab to inactive
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">x</span>
-        </td>
-        <td>
-            Cut selected files to clipboard
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">v</span>
-        </td>
-        <td>
-            Paste from clipboard to current dir
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">m</span>
-        </td>
-        <td>
-            Move selected files from active tab to inactive
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">d</span>
-        </td>
-        <td>
-            Delete selected files
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">del</span>
-        </td>
-        <td>
-            Delete selected files
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">n</span>
-        </td>
-        <td>
-            Create new file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">e</span>
-        </td>
-        <td>
-            Edit selected file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">r</span>
-        </td>
-        <td>
-            Rename selected file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">m</span>
-        </td>
-        <td>
-            Move selected file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">d</span>
-        </td>
-        <td>
-            Delete selected file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">g</span>
-        </td>
-        <td>
-            Download selected file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">f</span>
-        </td>
-        <td>
-            Search file
-        </td>
-    </tr>
-    <tr>
-        <td colspan='2'><br><br><br><a name=3>3. File Editor</a><br><br></td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">s</span>
-        </td>
-        <td>
-            Save file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">n</span>
-        </td>
-        <td>
-            New file
-        </td>
-    </tr>
-    <tr>
-        <td class='shortcut'>
-            <span class="kbd">ctr</span> + <span class="kbd">o</span>
-        </td>
-        <td>
-            Open file
-        </td>
-    </tr>
+<table cellspacing="3" width="500px">
+<?=
+Keyboard_Shortcut(1, 'Control Panel', [
+'↑'=>'Move cursor up',
+'↓'=>'Move cursor down',
+'1'=>'List user accounts / USER',
+'2'=>'List web domains / WEB',
+'3'=>'List dns domains / DNS',
+'4'=>'List mail domains / MAIL',
+'5'=>'List databases / DB',
+'6'=>'List cron jobs / CRON',
+'7'=>'List user backups / BACKUP',
+'^1'=>'List hosting packages / Packages',
+'^2'=>'List IP addresses / IP',
+'^3'=>'List rrd graphs / Grapsh',
+'^4'=>'List user stats / Statistics',
+'^5'=>'List user action log / Log',
+'^6'=>'List software updates / Updates',
+'^7'=>'List firewall rules / Firewall',
+'^8'=>'List services / Server',
+'^9'=>'List server status / CPU MEM NET DISK',
+'^0'=>'List user files / File Manager',
+'f'=>'Find user objects / Focus on search bar',
+'h'=>'Show help / Help',
+'n'=>'Add new object',
+'e'=>'Edit selected object',
+'s'=>'Suspend selected object',
+'d'=>'Delete selected object',
+'^a'=>'Select/deselect all objects',
+'#↑'=>'Select/deselect object above cursor',
+'#↓'=>'Select/deselect object below cursor',
+'^Enter'=>'Save form',
+'^Backspace'=>'Go back to previous listing',
+]).
+Keyboard_Shortcut(2, 'File Manager', [
+'Tab'=>'Switch between left and right file list',
+'←'=>'Switch between left and right file list',
+'→'=>'Switch between left and right file list',
+'↑'=>'Move cursor up',
+'↓'=>'Move cursor down',
+'Insert'=>'Select file or directory',
+'Space'=>'Select file or directory (as INSERT)',
+'#↑'=>' Select/deselect file above cursor',
+'#↓'=>'Select/deselect file below cursor',
+'Enter'=>'Change directory / run association action',
+'^a'=>'Select all files and directories',
+'^c'=>'Copy selected files from active tab to inactive',
+'^x'=>'Cut selected files to clipboard',
+'^v'=>'Paste from clipboard to current dir',
+'^m'=>'Move selected files from active tab to inactive',
+'^d'=>'Delete selected files',
+'Del'=>'Delete selected files',
+'n'=>'Create new file',
+'e'=>'Edit selected file',
+'r'=>'Rename selected file',
+'m'=>'Move selected file',
+'d'=>'Delete selected file',
+'g'=>'Download selected file',
+'f'=>'Search file',
+]).
+Keyboard_Shortcut(3, 'File Editor', [
+'^s'=>'Save file',
+'^n'=>'New file',
+'^o'=>'Open file',
+])
+?>
+</table>
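Review bot: Two user-visible strings are carried over with defects: the `^3` entry keeps the typo `'List rrd graphs / Grapsh'` from the removed table, and the File Manager `#↑` entry has a stray leading space in `' Select/deselect file above cursor'`. Change them to `'^3'=>'List rrd graphs / Graphs',` and `'#↑'=>'Select/deselect file above cursor',`. The old table labelled the modifier `ctr`/`ctrl`; the helper now renders `Ctrl` consistently, which is an improvement worth noting in the commit message.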

+ 1 - 0
web/inc/jquery/jquery-3.6.0.min.js


+ 103 - 140
web/inc/main.php

@@ -3,36 +3,46 @@
 session_start();
 
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
-define('JS_LATEST_UPDATE', time());
-define('DEFAULT_PHP_VERSION', "php-" . exec('php -r "echo (float)phpversion();"'));
+if ($_SESSION['RELEASE_BRANCH'] == 'release' && $_SESSION['DEBUG_MODE'] == 'false') {
+    define('JS_LATEST_UPDATE','v=' . $_SESSION['VERSION']);
+}else{
+    define('JS_LATEST_UPDATE','r=' . time());
+}
+define('DEFAULT_PHP_VERSION', 'php-' . exec('php -r "echo (float)phpversion();"'));
+
+function destroy_sessions(){
+    unset($_SESSION);
+    session_unset();
+    session_destroy();
+}
 
 $i = 0;
 
 // Saving user IPs to the session for preventing session hijacking
 $user_combined_ip = $_SERVER['REMOTE_ADDR'];
 
-if (isset($_SERVER['HTTP_CLIENT_IP'])){
-    $user_combined_ip .=  '|'. $_SERVER['HTTP_CLIENT_IP'];
+if (isset($_SERVER['HTTP_CLIENT_IP'])) {
+    $user_combined_ip .= '|' . $_SERVER['HTTP_CLIENT_IP'];
 }
-if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
-    $user_combined_ip .=  '|'. $_SERVER['HTTP_X_FORWARDED_FOR'];
+if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+    $user_combined_ip .= '|' . $_SERVER['HTTP_X_FORWARDED_FOR'];
 }
-if (isset($_SERVER['HTTP_FORWARDED_FOR'])){
-    $user_combined_ip .=  '|'. $_SERVER['HTTP_FORWARDED_FOR'];
+if (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
+    $user_combined_ip .= '|' . $_SERVER['HTTP_FORWARDED_FOR'];
 }
-if (isset($_SERVER['HTTP_X_FORWARDED'])){
-    $user_combined_ip .=  '|'. $_SERVER['HTTP_X_FORWARDED'];
+if (isset($_SERVER['HTTP_X_FORWARDED'])) {
+    $user_combined_ip .= '|' . $_SERVER['HTTP_X_FORWARDED'];
 }
-if (isset($_SERVER['HTTP_FORWARDED'])){
-    $user_combined_ip .=  '|'. $_SERVER['HTTP_FORWARDED'];
+if (isset($_SERVER['HTTP_FORWARDED'])) {
+    $user_combined_ip .= '|' . $_SERVER['HTTP_FORWARDED'];
 }
-if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
-    if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
+if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
+    if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
       $user_combined_ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
     }
 }
 
-if (!isset($_SESSION['user_combined_ip'])){
+if (!isset($_SESSION['user_combined_ip'])) {
     $_SESSION['user_combined_ip'] = $user_combined_ip;
 }
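Review bot: destroy_sessions() calls `unset($_SESSION)`, which the PHP manual explicitly warns against because unsetting the superglobal disables registering session variables for the rest of the request; clear it with `$_SESSION = [];` instead, and since `session_destroy()` does not touch the client cookie, expire it too so the old session ID is not re-sent. The new `JS_LATEST_UPDATE` definition reads `$_SESSION['RELEASE_BRANCH']` and `$_SESSION['DEBUG_MODE']` before any authentication check, so on pages that define NO_AUTH_REQUIRED (the login page) these keys are presumably absent and emit undefined-index notices; `if (($_SESSION['RELEASE_BRANCH'] ?? '') === 'release' && ($_SESSION['DEBUG_MODE'] ?? '') === 'false') {` keeps the intended fallback to `r=time()` without the noise.
```php
function destroy_sessions() {
    // Clear the array rather than unset($_SESSION): unsetting the superglobal
    // disables session-variable registration for the rest of the request.
    $_SESSION = [];
    // session_destroy() leaves the client cookie in place; expire it so the
    // old ID is not presented again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```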
 
@@ -40,11 +50,9 @@ if (!isset($_SESSION['user_combined_ip'])){
 if ($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'] != '127.0.0.1'){
     $v_user = escapeshellarg($_SESSION['user']);
     $v_session_id = escapeshellarg($_SESSION['token']);
-    exec(HESTIA_CMD."v-log-user-logout ".$v_user." ".$v_session_id, $output, $return_var);
-    session_destroy();
-    session_start();
-    $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
-    header("Location: /login/");
+    exec(HESTIA_CMD . 'v-log-user-logout ' . $v_user . ' ' . $v_session_id, $output, $return_var);
+    destroy_sessions();
+    header('Location: /login/');
     exit;
 }
 // Load Hestia Config directly
@@ -52,23 +60,21 @@ if ($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'
 
 // Check system settings
 if ((!isset($_SESSION['VERSION'])) && (!defined('NO_AUTH_REQUIRED'))) {
-    session_destroy();
-    session_start();
-    $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
-    header("Location: /login/");
+    destroy_sessions();
+    header('Location: /login/');
     exit;
 }
 
 // Check user session
 if ((!isset($_SESSION['user'])) && (!defined('NO_AUTH_REQUIRED'))) {
-    $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
-    header("Location: /login/");
+    destroy_sessions();
+    header('Location: /login/');
     exit;
 }
 
 // Generate CSRF Token
 if (isset($_SESSION['user'])) {
-    if(!isset($_SESSION['token'])){
+    if (!isset($_SESSION['token'])){
         $token = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 16));
         $_SESSION['token'] = $token;
     }
@@ -76,14 +82,15 @@ if (isset($_SESSION['user'])) {
 
 if (!defined('NO_AUTH_REQUIRED')){
     if (empty($_SESSION['LAST_ACTIVITY']) || empty($_SESSION['INACTIVE_SESSION_TIMEOUT'])){
-        session_destroy();
-        header("Location: /login/");
-    } else if ($_SESSION['INACTIVE_SESSION_TIMEOUT'] * 60 + $_SESSION['LAST_ACTIVITY'] < time()) {
+        destroy_sessions();
+        header('Location: /login/');
+    } elseif ($_SESSION['INACTIVE_SESSION_TIMEOUT'] * 60 + $_SESSION['LAST_ACTIVITY'] < time()) {
         $v_user = escapeshellarg($_SESSION['user']);
         $v_session_id = escapeshellarg($_SESSION['token']);
-        exec(HESTIA_CMD."v-log-user-logout ".$v_user." ".$v_session_id, $output, $return_var);
-        session_destroy();
-        header("Location: /login/");
+        exec(HESTIA_CMD . 'v-log-user-logout ' . $v_user . ' ' . $v_session_id, $output, $return_var);
+        destroy_sessions();
+        header('Location: /login/');
+        exit;
     } else {
         $_SESSION['LAST_ACTIVITY'] = time();
     }
@@ -97,11 +104,11 @@ if (isset($_SESSION['look']) && ($_SESSION['userContext'] === 'admin')) {
     $user = $_SESSION['look'];
 }
 
-require_once(dirname(__FILE__).'/i18n.php');
+require_once(dirname(__FILE__) . '/i18n.php');
 
 function check_error($return_var) {
     if ( $return_var > 0 ) {
-        header("Location: /error/");
+        header('Location: /error/');
         exit;
     }
 }
@@ -109,7 +116,7 @@ function check_error($return_var) {
 function check_return_code($return_var,$output) {
     if ($return_var != 0) {
         $error = implode('<br>', $output);
-        if (empty($error)) $error = sprintf(_('Error code:'),$return_var);
+        if (empty($error)) $error = sprintf(_('Error code:'), $return_var);
         $_SESSION['error_msg'] = $error;
     }
 }
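Review bot: `sprintf(_('Error code:'), $return_var)` never shows the code, because the format string has no conversion specifier; the extra argument is silently dropped and the user sees only `Error code:`. Keep the existing msgid for translators and append the value: `if (empty($error)) $error = _('Error code:') . ' ' . $return_var;`. The `implode('<br>', $output)` line also stores raw command output as HTML in `$_SESSION['error_msg']`, and the domain.sh change in this same commit shows that output can embed a user-supplied domain name; whether the message is escaped where it is rendered is not visible here and is worth verifying.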
@@ -124,7 +131,7 @@ function render_page($user, $TAB, $page) {
     // Panel
     top_panel(empty($_SESSION['look']) ? $_SESSION['user'] : $_SESSION['look'], $TAB);
 
-    // Extarct global variables
+    // Extract global variables
     // I think those variables should be passed via arguments
     extract($GLOBALS, EXTR_SKIP);
 
@@ -132,13 +139,13 @@ function render_page($user, $TAB, $page) {
     @include_once(dirname(__DIR__) . '/inc/policies.php');
 
     // Body
-    include($__template_dir . "pages/$page.html");
+    include($__template_dir . 'pages/' . $page . '.html');
 
     // Including common js files
     @include_once(dirname(__DIR__) . '/templates/includes/end_js.html');
     // Including page specific js file
-    if(file_exists($__pages_js_dir.$page.'.js'))
-       echo '<script type="text/javascript" src="/js/pages/'.$page.'.js?'.JS_LATEST_UPDATE.'"></script>';
+    if(file_exists($__pages_js_dir . $page . '.js'))
+       echo '<script src="/js/pages/' . $page . '.js?' . JS_LATEST_UPDATE . '"></script>';
 
     // Footer
     include($__template_dir . 'footer.html');
@@ -146,12 +153,12 @@ function render_page($user, $TAB, $page) {
 
 function top_panel($user, $TAB) {
     global $panel;
-    $command = HESTIA_CMD."v-list-user ".escapeshellarg($user)." 'json'";
+    $command = HESTIA_CMD . 'v-list-user ' . escapeshellarg($user) . " 'json'";
     exec ($command, $output, $return_var);
     if ( $return_var > 0 ) {
-        echo "<span style='font-size: 18px;'><b>ERROR: Unable to retrieve account details.</b><br>Please <b><a href='/login/'>log in</a></b> again.</span>";
-        session_destroy();
-        header("Location: /login/");
+        echo '<span style="font-size: 18px;"><b>ERROR: Unable to retrieve account details.</b><br>Please <b><a href="/login/">log in</a></b> again.</span>';
+        destroy_sessions();
+        header('Location: /login/');
         exit;
     }
     $panel = json_decode(implode('', $output), true);
@@ -159,9 +166,9 @@ function top_panel($user, $TAB) {
 
     // Log out active sessions for suspended users
     if (($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] !== 'yes')) {
-        $_SESSION['error_msg'] = "You have been logged out. Please log in again.";
-        session_destroy();
-        header("Location: /login/");
+        $_SESSION['error_msg'] = 'You have been logged out. Please log in again.';
+        destroy_sessions();
+        header('Location: /login/');
     }
 
     // Reset user permissions if changed while logged in
@@ -188,59 +195,45 @@ function top_panel($user, $TAB) {
     // Set home location URLs
     if (($_SESSION['userContext'] === 'admin') && (!isset($_SESSION['look']))) {
         // Display users list for administrators unless they are impersonating a user account
-        $home_url = "/list/user/";
+        $home_url = '/list/user/';
     } else {
         // Set home location URL based on available package features from account
-        if($panel[$user]['WEB_DOMAINS'] != "0") {
-            $home_url = "/list/web/";
-        } else if ($panel[$user]['DNS_DOMAINS'] != "0") {
-            $home_url = "/list/dns/";
-        } else if ($panel[$user]['MAIL_DOMAINS'] != "0") {
-            $home_url = "/list/mail/";
-        } else if ($panel[$user]['DATABASES'] != "0") {
-            $home_url = "/list/db/";
-        } else if ($panel[$user]['CRON_JOBS'] != "0") {
-            $home_url = "/list/cron/";
-        } else if ($panel[$user]['BACKUPS'] != "0") {
-            $home_url = "/list/backups/";
+        if ($panel[$user]['WEB_DOMAINS'] != '0') {
+            $home_url = '/list/web/';
+        } elseif ($panel[$user]['DNS_DOMAINS'] != '0') {
+            $home_url = '/list/dns/';
+        } elseif ($panel[$user]['MAIL_DOMAINS'] != '0') {
+            $home_url = '/list/mail/';
+        } elseif ($panel[$user]['DATABASES'] != '0') {
+            $home_url = '/list/db/';
+        } elseif ($panel[$user]['CRON_JOBS'] != '0') {
+            $home_url = '/list/cron/';
+        } elseif ($panel[$user]['BACKUPS'] != '0') {
+            $home_url = '/list/backups/';
         }
     }
 
-    include(dirname(__FILE__).'/../templates/includes/panel.html');
-
+    include(dirname(__FILE__) . '/../templates/includes/panel.html');
 }
 
 function translate_date($date){
-  $date = strtotime($date);
-  return strftime("%d &nbsp;", $date)._(strftime("%b", $date)).strftime(" &nbsp;%Y", $date);
+    $date = strtotime($date);
+    return strftime('%d &nbsp;', $date) . _(strftime('%b', $date)) . strftime(' &nbsp;%Y', $date);
 }
 
 function humanize_time($usage) {
     if ( $usage > 60 ) {
         $usage = $usage / 60;
         if ( $usage > 24 ) {
-             $usage = $usage / 24;
-
+            $usage = $usage / 24;
             $usage = number_format($usage);
-            if ( $usage == 1 ) {
-                $usage = $usage." "._('day');
-            } else {
-                $usage = $usage." "._('days');
-            }
+            $usage .= ' ' . _('day' . ($usage != 1) ?: 's');
         } else {
             $usage = number_format($usage);
-            if ( $usage == 1 ) {
-                $usage = $usage." "._('hour');
-            } else {
-                $usage = $usage." "._('hours');
-            }
+            $usage .= ' ' . _('hour' . ($usage != 1) ?: 's');
         }
     } else {
-        if ( $usage == 1 ) {
-            $usage = $usage." "._('minute');
-        } else {
-            $usage = $usage." "._('minutes');
-        }
+        $usage .= ' ' . _('minute' . ($usage != 1) ?: 's');
     }
     return $usage;
 }
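Review bot: The three new pluralisation lines are wrong: `.` binds tighter than `?:`, so `'day' . ($usage != 1) ?: 's'` evaluates to `'day1'` or `'day'`, both truthy, and the `'s'` fallback is never reached — plural values are looked up as the untranslated key `day1` (likewise `hour1`, `minute1`) and the `days`/`hours`/`minutes` msgids the removed code used are no longer referenced. Restore the original behaviour with `$usage .= ' ' . _($usage != 1 ? 'days' : 'day');`, `$usage .= ' ' . _($usage != 1 ? 'hours' : 'hour');` and `$usage .= ' ' . _($usage != 1 ? 'minutes' : 'minute');`. Note that `$usage` has already been through `number_format()` in the day and hour branches, so the `!= 1` comparison is against a string, exactly as before the refactor.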
@@ -249,74 +242,64 @@ function humanize_usage_size($usage) {
     if ( $usage > 1024 ) {
         $usage = $usage / 1024;
         if ( $usage > 1024 ) {
+            $usage = $usage / 1024 ;
+            if ( $usage > 1024 ) {
                 $usage = $usage / 1024 ;
-                if ( $usage > 1024 ) {
-                    $usage = $usage / 1024 ;
-                    $usage = number_format($usage, 2);
-                } else {
-                    $usage = number_format($usage, 2);
-                }
+                $usage = number_format($usage, 2);
+            } else {
+                $usage = number_format($usage, 2);
+            }
         } else {
             $usage = number_format($usage, 2);
         }
     }
-
     return $usage;
 }
 
 function humanize_usage_measure($usage) {
     $measure = 'kb';
-
     if ( $usage > 1024 ) {
         $usage = $usage / 1024;
         if ( $usage > 1024 ) {
                 $usage = $usage / 1024 ;
-                if ( $usage > 1024 ) {
-                    $measure = 'pb';
-                } else {
-                    $measure = 'tb';
-                }
+                $measure = ( $usage > 1024 ) ? 'pb' : 'tb';
         } else {
             $measure = 'gb';
         }
     } else {
         $measure = 'mb';
     }
-
     return _($measure);
 }
 
-
 function get_percentage($used,$total) {
-    if (!isset($total)) $total =  0;
-    if (!isset($used)) $used =  0;
+    if (!isset($total)) $total = 0;
+    if (!isset($used)) $used = 0;
     if ( $total == 0 ) {
         $percent = 0;
     } else {
         $percent = $used / $total;
         $percent = $percent * 100;
         $percent = number_format($percent, 0, '', '');
-        if ( $percent > 100 ) {
-            $percent = 100;
-        }
         if ( $percent < 0 ) {
             $percent = 0;
+        } elseif ( $percent > 100 ) {
+            $percent = 100;
         }
-
     }
     return $percent;
 }
 
-function send_email($to,$subject,$mailtext,$from) {
+function send_email($to, $subject, $mailtext, $from) {
     $charset = "utf-8";
-    $to = '<'.$to.'>';
-    $boundary = '--' . md5( uniqid("myboundary") );
+    $to = '<' . $to . '>';
+    $boundary = '--' . md5( uniqid('myboundary') );
     $priorities = array( '1 (Highest)', '2 (High)', '3 (Normal)', '4 (Low)', '5 (Lowest)' );
     $priority = $priorities[2];
-    $ctencoding = "8bit";
+    $ctencoding = '8bit';
     $sep = chr(13) . chr(10);
-    $disposition = "inline";
-    $subject = "=?$charset?B?".base64_encode($subject)."?=";
+    $disposition = 'inline';
+    $subject = "=?$charset?B?" . base64_encode($subject) . '?=';
     $header = "From: $from \nX-Priority: $priority\nCC:\n";
     $header .= "Mime-Version: 1.0\nContent-Type: text/plain; charset=$charset \n";
     $header .= "Content-Transfer-Encoding: $ctencoding\nX-Mailer: Php/libMailv1.3\n";
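Review bot: `$from` and `$to` are placed into the raw message headers unvalidated while `$subject` is base64-encoded; if any caller (none are visible here) passes an address containing CR or LF, that is a mail-header injection, so validate at the top of the function, e.g. `if (!filter_var($to, FILTER_VALIDATE_EMAIL) || !filter_var($from, FILTER_VALIDATE_EMAIL)) { return false; }`, or at least strip `\r\n` from both. The headers are joined with `\n` while `$sep` is CRLF, which is a pre-existing inconsistency rather than part of this change. The function body continues past the end of this hunk.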
@@ -325,37 +308,17 @@ function send_email($to,$subject,$mailtext,$from) {
 }
 
 function list_timezones() {
-    $tz = new DateTimeZone('AKST');
-    $timezone_offsets['AKST'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('AKDT');
-    $timezone_offsets['AKDT'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('PST');
-    $timezone_offsets['PST'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('PDT');
-    $timezone_offsets['PDT'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('MST');
-    $timezone_offsets['MST'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('MDT');
-    $timezone_offsets['MDT'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('CST');
-    $timezone_offsets['CST'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('CDT');
-    $timezone_offsets['CDT'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('EST');
-    $timezone_offsets['EST'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('EDT');
-    $timezone_offsets['EDT'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('AST');
-    $timezone_offsets['AST'] = $tz->getOffset(new DateTime);
-    $tz = new DateTimeZone('ADT');
-    $timezone_offsets['ADT'] = $tz->getOffset(new DateTime);
-
-    foreach(DateTimeZone::listIdentifiers() as $timezone){
+    foreach(['AKST', 'AKDT', 'PST', 'PDT', 'MST', 'MDT', 'CST', 'CDT', 'EST', 'EDT', 'AST', 'ADT'] as $timezone) {
+        $tz = new DateTimeZone($timezone);
+        $timezone_offsets[$timezone] = $tz->getOffset(new DateTime);
+    }
+ 
+    foreach(DateTimeZone::listIdentifiers() as $timezone) {
         $tz = new DateTimeZone($timezone);
         $timezone_offsets[$timezone] = $tz->getOffset(new DateTime);
     }
 
-    foreach($timezone_offsets as $timezone => $offset){
+    foreach($timezone_offsets as $timezone => $offset) {
         $offset_prefix = $offset < 0 ? '-' : '+';
         $offset_formatted = gmdate( 'H:i', abs($offset) );
         $pretty_offset = "UTC${offset_prefix}${offset_formatted}";
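Review bot: `$timezone_offsets` is first written on L1171 inside the new loop without ever being initialised, so the function relies on PHP's implicit array creation; add `$timezone_offsets = [];` before the first `foreach`. L1173 also carries trailing whitespace after the `+` marker. The second loop on L1174–L1177 has the same body as the first, so both could become one `foreach (array_merge([...abbreviations...], DateTimeZone::listIdentifiers()) as $timezone)`. list_timezones continues outside the hunk.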
@@ -382,11 +345,11 @@ function list_timezones() {
  * @return string
  */
 function is_it_mysql_or_mariadb() {
-    exec (HESTIA_CMD."v-list-sys-services json", $output, $return_var);
+    exec (HESTIA_CMD . 'v-list-sys-services json', $output, $return_var);
     $data = json_decode(implode('', $output), true);
     unset($output);
-    $mysqltype='mysql';
-    if (isset($data['mariadb'])) $mysqltype='mariadb';
+    $mysqltype = 'mysql';
+    if (isset($data['mariadb'])) $mysqltype = 'mariadb';
     return $mysqltype;
 }
 
@@ -406,13 +369,13 @@ function load_hestia_config() {
  * @return array
  */
 function backendtpl_with_webdomains() {
-    exec (HESTIA_CMD . "v-list-users json", $output, $return_var);
+    exec (HESTIA_CMD . 'v-list-users json', $output, $return_var);
     $users = json_decode(implode('', $output), true);
     unset($output);
 
     $backend_list=[];
     foreach ($users as $user => $user_details) {
-        exec (HESTIA_CMD . "v-list-web-domains ". escapeshellarg($user) . " json", $output, $return_var);
+        exec (HESTIA_CMD . 'v-list-web-domains '. escapeshellarg($user) . ' json', $output, $return_var);
         $domains = json_decode(implode('', $output), true);
         unset($output);
 

+ 4 - 9
web/inc/policies.php

@@ -1,15 +1,10 @@
 <?php
 
-    if (($_SESSION['userContext'] === 'user') && ($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] === 'yes')) {
-      $read_only='true';
-    }
-    
-    if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin') && ($_SESSION['POLICY_SYSTEM_PROTECTED_ADMIN'] === 'yes')) {
-      $read_only='true';
+    if ((($_SESSION['userContext'] === 'user') && ($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] === 'yes')) ||
+       (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin') && ($_SESSION['POLICY_SYSTEM_PROTECTED_ADMIN'] === 'yes'))) {
+      $read_only = 'true';
     }
 
     if ($read_only === 'true') {
-      $display_mode='disabled';
+      $display_mode = 'disabled';
     }
-
-?>

+ 9 - 9
web/inc/secure_login.php

@@ -1,15 +1,15 @@
 <?php
 
-$login_url_skip=0;
-if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web/reset/mail/index.php') $login_url_skip=1;
-if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web//reset/mail/index.php') $login_url_skip=1;
-if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web/reset/mail/set-ar.php') $login_url_skip=1;
-if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web//reset/mail/set-ar.php') $login_url_skip=1;
-if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web/reset/mail/get-ar.php') $login_url_skip=1;
-if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web//reset/mail/get-ar.php') $login_url_skip=1;
-if (substr($_SERVER['SCRIPT_FILENAME'], 0, 21)=='/usr/local/hestia/bin/') $login_url_skip=1;
+$login_url_skip = 0;
+if (($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web/reset/mail/index.php') ||
+    ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web//reset/mail/index.php') ||
+    ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web/reset/mail/set-ar.php') ||
+    ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web//reset/mail/set-ar.php') ||
+    ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web/reset/mail/get-ar.php') ||
+    ($_SERVER['SCRIPT_FILENAME']=='/usr/local/hestia/web//reset/mail/get-ar.php') ||
+    (substr($_SERVER['SCRIPT_FILENAME'], 0, 21)=='/usr/local/hestia/bin/')) $login_url_skip = 1;
 
-if ($login_url_skip==0) {
+if ($login_url_skip == 0) {
     if (!isset($login_url_loaded)) {
         $login_url_loaded=1;
         if (file_exists('/usr/local/hestia/web/inc/login_url.php')) {
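Review bot: The prefix test on L1261 can never match: `substr($_SERVER['SCRIPT_FILENAME'], 0, 21)` yields `/usr/local/hestia/bin` (21 characters, no trailing slash) while the literal `/usr/local/hestia/bin/` is 22 characters, so scripts under the bin directory never set `$login_url_skip`. Compare the full prefix, e.g. `(strncmp($_SERVER['SCRIPT_FILENAME'], '/usr/local/hestia/bin/', 22) === 0)`, and use `===` for the path comparisons above it rather than `==`. The single-/double-slash pairs on L1255–L1260 could collapse into three checks by normalising the path with `realpath()` first.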

+ 1 - 5
web/index.php

@@ -1,7 +1,3 @@
 <?php
 session_start();
-if (isset($_SESSION['user'])) {
-    header("Location: /list/user/");
-} else {
-    header("Location: /login/");
-}
+header('Location: /' . (isset($_SESSION['user']) ? 'list/user' : 'login') . '/');

+ 5 - 0
web/list/rrd/index.php

@@ -16,6 +16,11 @@ exec (HESTIA_CMD."v-list-sys-rrd json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 unset($output);
 
+$period=$_GET['period'];
+if (!in_array($period, array('daily', 'weekly', 'monthly', 'yearly'))) {
+    $period = 'daily';
+}
+
 // Render page
 render_page($user, $TAB, 'list_rrd');
 
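Review bot: `$period=$_GET['period'];` on L1289 reads the parameter without checking that it exists, which raises an undefined-index notice on a plain page load, and the `in_array` on L1290 runs without `strict: true`. Write `$period = $_GET['period'] ?? 'daily';` and `if (!in_array($period, ['daily', 'weekly', 'monthly', 'yearly'], true))`. The allowlist itself is the right shape for the XSS fix the commit describes, since only one of four fixed strings can leave this block — presumably the template renders `$period` into the RRD image paths.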

+ 95 - 113
web/login/index.php

@@ -2,7 +2,7 @@
 
 define('NO_AUTH_REQUIRED',true);
 // Main include
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+include($_SERVER['DOCUMENT_ROOT'] . '/inc/main.php');
 
 $TAB = 'login';
 
@@ -33,12 +33,12 @@ if (isset($_SESSION['user'])) {
                 reset($data);
                 $_SESSION['look'] = key($data);
                 // Log impersonation events
-                exec (HESTIA_CMD . "v-log-action ".$v_impersonator." 'Info' 'Security' 'Logged in as another user (User: $v_user)'", $output, $return_var);
+                exec (HESTIA_CMD . 'v-log-action ' . $v_impersonator . " 'Info' 'Security' 'Logged in as another user (User: $v_user)'", $output, $return_var);
                 exec (HESTIA_CMD . "v-log-action system 'Warning' 'Security' 'User impersonation session started (User: $v_user, Administrator: $v_impersonator)'", $output, $return_var);
                 // Reset account details for File Manager to impersonated user
                 unset($_SESSION['_sf2_attributes']);
                 unset($_SESSION['_sf2_meta']);
-                header("Location: /login/");
+                header('Location: /login/');
             }
         }
         exit;
@@ -48,43 +48,39 @@ if (isset($_SESSION['user'])) {
     if (empty($_GET['loginas'])) {
         // Default view to Users list for administrator accounts
         if (($_SESSION['userContext'] === 'admin') && (!isset($_SESSION['look']))) {
-            header("Location: /list/user/");
+            header('Location: /list/user/');
             exit;
         }
         
         // Obtain account properties
-        if (($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look']))) {
-            $v_user = escapeshellarg($_SESSION['look']);
-        } else {
-            $v_user = escapeshellarg($_SESSION['user']);
-        }
+        $v_user = escapeshellarg($_SESSION[(($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look']))) ? 'look' : 'user']);
 
-        exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
+        exec (HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
         $data = json_decode(implode('', $output), true);
         unset($output); 
         
         // Determine package features and land user at the first available page
-        if ($data[$user]['WEB_DOMAINS'] !== "0") {
-            header("Location: /list/web/");
-        } else if ($data[$user]['DNS_DOMAINS'] !== "0") {
-            header("Location: /list/dns/");
-        } else if ($data[$user]['MAIL_DOMAINS'] !== "0") {
-            header("Location: /list/mail/");
-        } else if ($data[$user]['DATABASES'] !== "0") {
-            header("Location: /list/db/");
-        } else if ($data[$user]['CRON_JOBS'] !== "0") {
-            header("Location: /list/cron/");
-        } else if ($data[$user]['BACKUPS'] !== "0") {
-            header("Location: /list/backup/");
+        if ($data[$user]['WEB_DOMAINS'] !== '0') {
+            header('Location: /list/web/');
+        } elseif ($data[$user]['DNS_DOMAINS'] !== '0') {
+            header('Location: /list/dns/');
+        } elseif ($data[$user]['MAIL_DOMAINS'] !== '0') {
+            header('Location: /list/mail/');
+        } elseif ($data[$user]['DATABASES'] !== '0') {
+            header('Location: /list/db/');
+        } elseif ($data[$user]['CRON_JOBS'] !== '0') {
+            header('Location: /list/cron/');
+        } elseif ($data[$user]['BACKUPS'] !== '0') {
+            header('Location: /list/backup/');
         } else {
-            header("Location: /error/");
+            header('Location: /error/');
         }
         exit;
     }
 
     // Do not allow non-administrators to access account impersonation
     if (($_SESSION['userContext'] !== 'admin') && (!empty($_GET['loginas']))) {
-        header("Location: /login/");
+        header('Location: /login/');
         exit;
     }
 
@@ -107,22 +103,22 @@ function authenticate_user($user, $password, $twofa = ''){
 
      // Get user's salt
     $output = '';
-    exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
+    exec (HESTIA_CMD . 'v-get-user-salt ' . $v_user . ' ' . $v_ip . ' json' , $output, $return_var);
     $pam = json_decode(implode('', $output), true);
     if ( $return_var > 0 ) {
         sleep(2);
-        $error = "<a class=\"error\">"._('Invalid username or password')."</a>";
+        $error = '<a class="error">' . _('Invalid username or password') . '</a>';
         return $error;
         } else {
             $salt = $pam[$user]['SALT'];
             $method = $pam[$user]['METHOD'];
 
             if ($method == 'md5' ) {
-                $hash = crypt($password, '$1$'.$salt.'$');
+                $hash = crypt($password, '$1$' . $salt . '$');
             }
             if ($method == 'sha-512' ) {
-                $hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
-                $hash = str_replace('$rounds=5000','',$hash);
+                $hash = crypt($password, '$6$rounds=5000$' . $salt . '$');
+                $hash = str_replace('$rounds=5000', '', $hash);
             }
             if ($method == 'des' ) {
                 $hash = crypt($password, $salt);
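Review bot: `$hash` is only assigned when `$method` is one of `md5`, `sha-512` or `des` (L1402–L1413); for any other value returned by `v-get-user-salt` an undefined variable is written to the temp file further down and passed to `v-check-user-hash`, relying on that command to reject it. Fail closed here instead, e.g. an `else` on the method chain with `return '<a class="error">' . _('Invalid username or password') . '</a>';`, and use `===` in the three comparisons. authenticate_user starts and ends outside this hunk.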
@@ -130,12 +126,12 @@ function authenticate_user($user, $password, $twofa = ''){
 
             // Send hash via tmp file
             $v_hash = exec('mktemp -p /tmp');
-            $fp = fopen($v_hash, "w");
+            $fp = fopen($v_hash, 'w');
             fwrite($fp, $hash."\n");
             fclose($fp);
 
             // Check user hash
-            exec(HESTIA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip,  $output, $return_var);
+            exec(HESTIA_CMD . 'v-check-user-hash ' . $v_user . ' ' . $v_hash . ' ' . $v_ip, $output, $return_var);
             unset($output);
 
             // Remove tmp file
@@ -143,59 +139,59 @@ function authenticate_user($user, $password, $twofa = ''){
             // Check API answer
             if ( $return_var > 0 ) {
                 sleep(2);
-                $error = "<a class=\"error\">"._('Invalid username or password')."</a>";
+                $error = '<a class="error">' . _('Invalid username or password') . '</a>';
                 $v_session_id = escapeshellarg($_POST['token']);
-                exec(HESTIA_CMD."v-log-user-login ".$v_user." ".$v_ip." failed ".$v_session_id." ".$v_user_agent, $output, $return_var);
+                exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
                 return $error;
             } else {
 
                 // Get user specific parameters
-                exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
+                exec (HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
                 $data = json_decode(implode('', $output), true);
                 unset($output); 
                 if ($data[$user]['LOGIN_DISABLED'] === 'yes') {
                     sleep(2);
-                    $error = "<a class=\"error\">"._('Invalid username or password')."</a>";
+                    $error = '<a class="error">' . _('Invalid username or password') . '</a>';
                     $v_session_id = escapeshellarg($_POST['token']);
-                    exec(HESTIA_CMD."v-log-user-login ".$v_user." ".$v_ip." failed ".$v_session_id." ".$v_user_agent, $output, $return_var);
+                    exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
                     return $error;
                 }
 
                 if ($data[$user]['LOGIN_USE_IPLIST'] === 'yes') {
-                    $v_login_user_allowed_ips = explode(',',$data[$user]['LOGIN_ALLOW_IPS']);
-                    if (!in_array($ip,$v_login_user_allowed_ips)) {
+                    $v_login_user_allowed_ips = explode(',', $data[$user]['LOGIN_ALLOW_IPS']);
+                    if (!in_array($ip, $v_login_user_allowed_ips)) {
                         sleep(2);
-                        $error = "<a class=\"error\">"._('Invalid username or password')."</a>";
+                        $error = '<a class="error">' . _('Invalid username or password') . '</a>';
                         $v_session_id = escapeshellarg($_POST['token']);
-                        exec(HESTIA_CMD."v-log-user-login ".$v_user." ".$v_ip." failed ".$v_session_id." ".$v_user_agent, $output, $return_var);
+                        exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
                         return $error;
                     }
                 }
 
                 if ($data[$user]['TWOFA'] != '') {
-                        if(empty($twofa)){
+                        exec(HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa, $output, $return_var);
+                            $error = "<a class=\"error\">" . _('Invalid or missing 2FA token') . "</a>";
+                    if(empty($twofa)){
+                        $_SESSION['login']['username'] = $user;
+                        $_SESSION['login']['password'] = $password;
+                        return false;
+                    }else{
+                        $v_twofa = escapeshellarg($twofa);
+                        exec(HESTIA_CMD .'v-check-user-2fa '.$v_user.' '.$v_twofa, $output, $return_var);
+                        unset($output);
+                        if ( $return_var > 0 ) {
+                            sleep(2);
+                            $error = '<a class="error">' ._ ('Invalid or missing 2FA token') . '</a>';
                             $_SESSION['login']['username'] = $user;
                             $_SESSION['login']['password'] = $password;
-                            return false;
-                        }else{
-                            $v_twofa = escapeshellarg($twofa);
-                            exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
-                            unset($output);
-                            if ( $return_var > 0 ) {
-                                sleep(2);
-                                $error = "<a class=\"error\">"._('Invalid or missing 2FA token')."</a>";
-                                $_SESSION['login']['username'] = $user;
-                                $_SESSION['login']['password'] = $password;
-                                $v_session_id = escapeshellarg($_POST['token']);
-                                exec(HESTIA_CMD."v-log-user-login ".$v_user." ".$v_ip." failed ".$v_session_id." ".$v_user_agent, $output, $return_var);
-                                return $error;
-                                unset($_POST['twofa']);
-                            }
+                            $v_session_id = escapeshellarg($_POST['token']);
+                            exec(HESTIA_CMD.'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
+                            unset($_POST['twofa']);
+                            return $error;
                         }
+                    }
                 }
                 
-
-                
                 // Define session user
                 $_SESSION['user'] = key($data);
                 $v_user = $_SESSION['user'];
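Review bot: L1473–L1474 run `v-check-user-2fa` with `$v_twofa` before that variable is assigned (it is only set on L1480, and the removed code had no earlier assignment either, unless one exists outside the hunk) and then overwrite `$error` with a value nothing reads, so every login for a 2FA-enabled account executes the check once with an empty token and leaves its output in `$output` for the later calls to append to. These two lines look like a merge leftover and should be deleted; the real check on L1481 is correct as written. Separately, L1476–L1477 and L1486–L1487 keep the cleartext password in `$_SESSION['login']['password']` between the password and 2FA steps; that pre-dates this commit, but clearing it once `authenticate_user` completes would shorten the window. authenticate_user starts and ends outside this hunk.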
@@ -215,47 +211,40 @@ function authenticate_user($user, $password, $twofa = ''){
                     unset($_SESSION['userTheme']);
                 }
 
-                if (!empty($data[$user]['PREF_UI_SORT'])) {
-                    $_SESSION['userSortOrder'] = $data[$user]['PREF_UI_SORT'];
-                } else {
-                    $_SESSION['userSortOrder'] = 'name';
-                }
+                $_SESSION['userSortOrder'] = (!empty($data[$user]['PREF_UI_SORT'])) ? $data[$user]['PREF_UI_SORT'] : 'name';
 
                 // Define language
                 $output = '';
-                exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);
+                exec (HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
                 $languages = json_decode(implode('', $output), true);
-                if (in_array($data[$v_user]['LANGUAGE'], $languages)){
-                    $_SESSION['language'] = $data[$user]['LANGUAGE'];
-                } else {
-                    $_SESSION['language'] = 'en';
-                }
+                $_SESSION['language'] = (in_array($data[$v_user]['LANGUAGE'], $languages)) ? $data[$user]['LANGUAGE'] : 'en';
+                
                 // Regenerate session id to prevent session fixation
-                session_regenerate_id();
+                session_regenerate_id(true);
 
                 // Redirect request to control panel interface
                 if (!empty($_SESSION['request_uri'])) {
-                    header("Location: ".$_SESSION['request_uri']);
+                    header('Location: ' . $_SESSION['request_uri']);
                     unset($_SESSION['request_uri']);
                     exit;
                 } else {
                     if ($_SESSION['userContext'] === 'admin') {
-                        header("Location: /list/user/");
+                        header('Location: /list/user/');
                     } else {
-                        if($data[$user]['WEB_DOMAINS'] != "0") {
-                            header("Location: /list/web/");
-                        } else if ($data[$user]['DNS_DOMAINS'] != "0") {
-                            header("Location: /list/dns/");
-                        } else if ($data[$user]['MAIL_DOMAINS'] != "0") {
-                            header("Location: /list/mail/");
-                        } else if ($data[$user]['DATABASES'] != "0") {
-                            header("Location: /list/db/");
-                        } else if ($data[$user]['CRON_JOBS'] != "0") {
-                            header("Location: /list/cron/");
-                        } else if ($data[$user]['BACKUPS'] != "0") {
-                            header("Location: /list/backup/");
+                        if($data[$user]['WEB_DOMAINS'] != '0') {
+                            header('Location: /list/web/');
+                        } elseif ($data[$user]['DNS_DOMAINS'] != '0') {
+                            header('Location: /list/dns/');
+                        } elseif ($data[$user]['MAIL_DOMAINS'] != '0') {
+                            header('Location: /list/mail/');
+                        } elseif ($data[$user]['DATABASES'] != '0') {
+                            header('Location: /list/db/');
+                        } elseif ($data[$user]['CRON_JOBS'] != '0') {
+                            header('Location: /list/cron/');
+                        } elseif ($data[$user]['BACKUPS'] != '0') {
+                            header('Location: /list/backup/');
                         } else {
-                            header("Location: /error/");
+                            header('Location: /error/');
                         }
                     }
                     exit;
@@ -266,19 +255,25 @@ function authenticate_user($user, $password, $twofa = ''){
         unset($_POST);
         unset($_GET);
         unset($_SESSION);
+        // Delete old session and  start a new one
+        session_write_close();
+        session_unset();
         session_destroy();
         session_start();
         return false;
     }
 }
-if (!empty($_SESSION['login']['username']) && !empty($_SESSION['login']['password']) && !empty($_POST['twofa'])){
+if (preg_match('/^[[:alnum:]][-|\.|_[:alnum:]]{0,28}[[:alnum:]]$/',$_POST['user'])) {
+    $_SESSION['login']['username'] = $_POST['user'];
+}else{
+    $user = ''; 
+}
+if (!empty($_SESSION['login']['username']) && !empty($_SESSION['login']['password']) && !empty($_POST['twofa'])) {
     $error = authenticate_user($_SESSION['login']['username'], $_SESSION['login']['password'], $_POST['twofa']);
     unset($_POST);
-} else if (!empty($_POST['user']) && !empty($_POST['password'])) {
-    $error = authenticate_user($_POST['user'], $_POST['password']);
+} elseif (!empty($_SESSION['login']['username']) && !empty($_POST['password'])) {
+    $error = authenticate_user($_SESSION['login']['username'], $_POST['password']);
     unset($_POST);
-}else{
-    unset($_SESSION['login']);
 }
 // Check system configuration
 load_hestia_config();
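Review bot: The pattern on L1597 places `|` inside a character class, where it is a literal, so `[-|\.|_[:alnum:]]` admits the pipe character in usernames along with `-`, `.` and `_`; the intended class is `[-._[:alnum:]]`. The same line reads `$_POST['user']` without an `isset`, so every GET of the login page raises an undefined-index notice, and when the pattern fails the `else` branch only sets a local `$user = ''` while leaving any earlier `$_SESSION['login']['username']` in place — with the former `unset($_SESSION['login'])` fallback (L1611) dropped, a username from an abandoned attempt can survive into the next request's password step. A guard of the form `if (isset($_POST['user']) && preg_match('/^[[:alnum:]][-._[:alnum:]]{0,28}[[:alnum:]]$/', $_POST['user']))` with `unset($_SESSION['login']);` in the `else` branch addresses both. L1587 also calls `unset($_SESSION)` ahead of `session_unset()`, the form the PHP manual cautions against because it detaches the superglobal for the rest of the request; `session_unset()` plus `session_destroy()` is sufficient there and in web/logout/index.php (L1686).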
@@ -286,40 +281,27 @@ load_hestia_config();
 // Detect language
 if (empty($_SESSION['language'])) {
     $output = '';
-    exec (HESTIA_CMD."v-list-sys-config json", $output, $return_var);
+    exec (HESTIA_CMD . 'v-list-sys-config json', $output, $return_var);
     $config = json_decode(implode('', $output), true);
     $lang = $config['config']['LANGUAGE'];
 
     $output = '';
-    exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);
+    exec (HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
     $languages = json_decode(implode('', $output), true);
-    if(in_array($lang, $languages)){
-        $_SESSION['language'] = $lang;
-    }
-    else {
-        $_SESSION['language'] = 'en';
-    }
+    $_SESSION['language'] = (in_array($lang, $languages)) ? $lang : 'en';
 }
 
 // Generate CSRF token
 $_SESSION['token'] = md5(uniqid(mt_rand(), true));
 
 require_once('../templates/header.html');
-if(!empty($_SESSION['login'])){
+if (!empty($_SESSION['login']['password'])) {
     require_once('../templates/pages/login/login_2.html');
-}else if (empty($_POST['user'])) {
-    if($_SESSION['LOGIN_STYLE'] == 'old'){
-        require_once('../templates/pages/login/login_a.html');
-    }else{
-        require_once('../templates/pages/login/login.html');
-    }
-}else if (empty($_POST['password'])) {
+} elseif (empty($_SESSION['login']['username'])) {
+    require_once('../templates/pages/login/login' . (($_SESSION['LOGIN_STYLE'] != 'old') ? '' : '_a') . '.html');
+} elseif (empty($_POST['password'])) {
+    
     require_once('../templates/pages/login/login_1.html');
-}else{
-    if($_SESSION['LOGIN_STYLE'] == 'old'){
-        require_once('../templates/pages/login/login_a.html');
-    }else{
-        require_once('../templates/pages/login/login.html');
-    }
+} else {
+    require_once('../templates/pages/login/login' . (($_SESSION['LOGIN_STYLE'] != 'old') ? '' : '_a') . '.html');
 }
-?>
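Review bot: The CSRF token on L1638 is still built from `md5(uniqid(mt_rand(), true))`, neither component of which is a cryptographic source, and the same value is what L1435 passes to `v-log-user-login` as the session id; since this hunk already reworks the surrounding session handling, `$_SESSION['token'] = bin2hex(random_bytes(16));` is the drop-in replacement. The template expression `'../templates/pages/login/login' . (($_SESSION['LOGIN_STYLE'] != 'old') ? '' : '_a') . '.html'` is duplicated verbatim on L1652 and L1663 and would read better hoisted into one variable above the chain, with `!==` in place of `!=`.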

+ 6 - 5
web/logout/index.php

@@ -11,17 +11,18 @@ if (!empty($_SESSION['look'])) {
     # Remove current path for filemanager
     unset($_SESSION['_sf2_attributes']);
     unset($_SESSION['_sf2_meta']);
-    header("Location: /");
+    header('Location: /');
 } else {
-    if($_SESSION['token'] && $_SESSION['user']){
+    if ($_SESSION['token'] && $_SESSION['user']){
         unset($_SESSION['userTheme']);
         $v_user = escapeshellarg($_SESSION['user']);
         $v_session_id = escapeshellarg($_SESSION['token']);
-        exec(HESTIA_CMD."v-log-user-logout ".$v_user." ".$v_session_id, $output, $return_var);
+        exec(HESTIA_CMD . 'v-log-user-logout ' . $v_user . ' ' . $v_session_id, $output, $return_var);
     }
     
+    unset($_SESSION);
+    session_unset();
     session_destroy();
-    header("Location: /login/");
+    header('Location: /login/');
 }
 exit;
-?>
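Review bot: `session_destroy()` on L1688 clears the server-side data but leaves the session cookie on the client, so the logout is incomplete until the cookie is expired as well; the manual's recipe is `$p = session_get_cookie_params(); setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);` before `session_destroy()`. L1678 tests `$_SESSION['token'] && $_SESSION['user']` directly, which raises undefined-index notices when either key is absent; `!empty($_SESSION['token']) && !empty($_SESSION['user'])` is the safer form. The `header('Location: /')` on L1675 in the impersonation branch is not followed by an `exit` inside that branch, though the shared `exit;` on L1692 covers it.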

+ 26 - 23
web/templates/footer.html

@@ -1,48 +1,51 @@
   </div>
-  <?php if (($_SESSION['userContext'] === 'admin') && ($_SESSION['POLICY_SYSTEM_HIDE_SERVICES'] !== 'yes')) {?>
-    <?php if ($_SESSION['UPDATE_AVAILABLE'] === 'yes') { ?>
+<?php
+  if (($_SESSION['userContext'] === 'admin') && ($_SESSION['POLICY_SYSTEM_HIDE_SERVICES'] !== 'yes')) {
+    if ($_SESSION['UPDATE_AVAILABLE'] === 'yes') {
+?>
       <div class="footer-banner updates" id="banner">
         <div>
           <b>New updates are available!</b> To upgrade your server now, run <span style="font-family:'Courier New', Courier, monospace">apt update && apt upgrade</span> from a shell session.
         </div>
         <div style="margin-top: 4px;"></div><a href="javascript:elementHideShow('banner');">Hide</a></div>
       </div>
-    <?php } ?>
-  <?php } ?>
+<?php
+    } 
+  }
+?>
   <div title="<?=_('Confirmation');?>" class="confirmation-text-redirect hidden">
-    <p class="confirmation"><?=_('LEAVE_PAGE_CONFIRMATION');?></p>
+    <p class="confirmation"><?=_('LEAVE_PAGE_CONFIRMATION')?></p>
   </div>
 
   <div class="shortcuts animated fadeIn" style="display:none">
     <div class="header">
-      <div class="title"><?=_('Shortcuts');?></div>
+      <div class="title"><?=_('Shortcuts')?></div>
       <div class="close text-center">
         <i class="fas fa-times"></i>
       </div>
-
     </div>
     <ul>
-      <li><span class="key">a</span><?=_('Add New object');?></li>
-      <li><span class="key">Ctrl + Enter</span><?=_('Save Form');?></li>
-      <li><span class="key">Ctrl + Backspace</span><?=_('Cancel saving form');?></li>
+      <li><span class="key">a</span><?=_('Add New object')?></li>
+      <li><span class="key">Ctrl + Enter</span><?=_('Save Form')?></li>
+      <li><span class="key">Ctrl + Backspace</span><?=_('Cancel saving form')?></li>
 
-      <li class="step-top"><span class="key">1</span><?=_('Go to WEB list');?></li>
-      <li><span class="key">2</span><?=_('Go to DNS list');?></li>
-      <li><span class="key">3</span><?=_('Go to MAIL list');?></li>
-      <li><span class="key">4</span><?=_('Go to DB list');?></li>
-      <li><span class="key">5</span><?=_('Go to CRON list');?></li>
-      <li><span class="key">6</span><?=_('Go to BACKUP list');?></li>
+      <li class="step-top"><span class="key">1</span><?=_('Go to WEB list')?></li>
+      <li><span class="key">2</span><?=_('Go to DNS list')?></li>
+      <li><span class="key">3</span><?=_('Go to MAIL list')?></li>
+      <li><span class="key">4</span><?=_('Go to DB list')?></li>
+      <li><span class="key">5</span><?=_('Go to CRON list')?></li>
+      <li><span class="key">6</span><?=_('Go to BACKUP list')?></li>
     </ul>
     <ul>
-      <li><span class="key">f</span><?=_('Focus on search');?></li>
-      <li class="step-top"><span class="key">h</span><?=_('Display/Close shortcuts');?></li>
+      <li><span class="key">f</span><?=_('Focus on search')?></li>
+      <li class="step-top"><span class="key">h</span><?=_('Display/Close shortcuts')?></li>
 
-      <li class="step-top"><span class="key bigger">&larr;</span><?=_('Move backward through top menu');?></li>
-      <li><span class="key bigger">&rarr;</span><?=_('Move forward through top menu');?></li>
-      <li><span class="key">Enter</span><?=_('Enter focused element');?></li>
+      <li class="step-top"><span class="key bigger">&larr;</span><?=_('Move backward through top menu')?></li>
+      <li><span class="key bigger">&rarr;</span><?=_('Move forward through top menu')?></li>
+      <li><span class="key">Enter</span><?=_('Enter focused element')?></li>
 
-      <li class="step-top"><span class="key bigger">&uarr;</span><?=_('Move up through elements list');?></li>
-      <li><span class="key bigger">&darr;</span><?=_('Move down through elements list');?></li>
+      <li class="step-top"><span class="key bigger">&uarr;</span><?=_('Move up through elements list')?></li>
+      <li><span class="key bigger">&darr;</span><?=_('Move down through elements list')?></li>
     </ul>
   </div>
 </body>

+ 12 - 7
web/templates/header.html

@@ -1,14 +1,18 @@
 <!doctype html>
-<html lang="<?=$_SESSION['LANGUAGE'];?>">
+<html lang="<?=$_SESSION['LANGUAGE']?>">
 
 <head>
-  <?php require ''.$_SERVER['HESTIA'].'/web/templates/includes/title.html'; ?>
-  <?php require ''.$_SERVER['HESTIA'].'/web/templates/includes/css.html'; ?>
-  <?php require ''.$_SERVER['HESTIA'].'/web/templates/includes/top_js.html'; ?>
+<?php
+  require $_SERVER['HESTIA'] . '/web/templates/includes/title.html';
+  require $_SERVER['HESTIA'] . '/web/templates/includes/css.html';
+  require $_SERVER['HESTIA'] . '/web/templates/includes/top_js.html';
+?>
   <script>
+<?php    
     //
     //  GLOBAL SETTINGS
     //
+?>
     var GLOBAL = {};
     GLOBAL.FTP_USER_PREFIX = '';
     GLOBAL.DB_USER_PREFIX = '';
@@ -18,6 +22,7 @@
 </head>
 
 <body class="body-<?=strtolower($TAB)?> lang-<?=$_SESSION['language']?>">
-  <?php if (($_SESSION['DEBUG_MODE']) == "true" ) {?>
-    <?php require ''.$_SERVER['HESTIA'].'/web/templates/pages/debug_panel.html'; ?>
-  <?php } ?>
+<?php
+  if (($_SESSION['DEBUG_MODE']) == "true" ) {
+    require $_SERVER['HESTIA'] . '/web/templates/pages/debug_panel.html';
+  }

+ 25 - 17
web/templates/includes/css.html

@@ -1,19 +1,27 @@
 <link rel="icon" href="/images/favicon.ico" type="image/x-icon">
-<link type="text/css" rel="stylesheet" href="/css/themes/default.min.css?<?=JS_LATEST_UPDATE?>" rel="preload" />
-<?php 
-	if (!empty($_SESSION['userTheme'])) {
-		$selected_theme = $_SESSION['userTheme']; 
-	} else {
-		$selected_theme = $_SESSION['THEME'];
-	} 
+<link rel="stylesheet" href="/css/themes/default.min.css?<?=JS_LATEST_UPDATE?>" rel="preload" />
+<?php
+    $selected_theme = (!empty($_SESSION['userTheme'])) ? $_SESSION['userTheme'] : $_SESSION['THEME'];
+// Load custom theme
+    if ($selected_theme !== 'default') {
+// Load HestiaCP-shipped themes (minified, updated/overwritten with updates) - ($HESTIA/web/css/themes/*.min.css)
+        if (file_exists($_SERVER['HESTIA'] . '/web/css/themes/' . $selected_theme . '.min.css')) {
 ?>
-<!-- Load custom theme -->
-<?php if ($selectedTheme !== 'default') {?>
-  <!-- Load HestiaCP-shipped themes (minified, updated/overwritten with updates) - ($HESTIA/web/css/themes/*.min.css) -->
-  <link type="text/css" rel="stylesheet" href="/css/themes/<?=$selected_theme; ?>.min.css?<?=rand(); ?>" rel="preload" />
-  <!-- Load custom theme files ($HESTIA/web/css/themes/custom/*.css) -->
-  <link type="text/css" rel="stylesheet" href="/css/themes/custom/<?=$selected_theme; ?>.css?<?=rand(); ?>" rel="preload" />
-<?php } ?>
-<link type="text/css" href="/css/dependencies/animate.min.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" rel="preload" />
-<link type="text/css" href="/css/dependencies/jquery-custom-dialogs.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" rel="preload" />
-<link type="text/css" href="/css/dependencies/fontawesome.min.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" rel="preload" />
+<link rel="stylesheet" href="/css/themes/<?=$selected_theme?>.min.css?<?=JS_LATEST_UPDATE?>" rel="preload" />
+<?php
+        }
+// Load custom theme files ($HESTIA/web/css/themes/custom/*.css)
+        elseif (file_exists($_SERVER['HESTIA'] . '/web/css/themes/custom/' . $selected_theme . '.min.css')) {
+?>
+<link rel="stylesheet" href="/css/themes/custom/<?=$selected_theme?>.min.css?<?=JS_LATEST_UPDATE?>" rel="preload" />
+<?php
+        }else{
+        ?>
+<link rel="stylesheet" href="/css/themes/custom/<?=$selected_theme?>.css?<?=JS_LATEST_UPDATE?>>" rel="preload" />
+        <?php    
+        }
+    }
+?>
+<link href="/css/dependencies/animate.min.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" rel="preload" />
+<link href="/css/dependencies/jquery-custom-dialogs.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" rel="preload" />
+<link href="/css/dependencies/fontawesome.min.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" rel="preload" />
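Review bot: The fallback `<link>` in the `else` branch carries a stray `>` after the cache-buster (`?<?=JS_LATEST_UPDATE?>>"`), so the emitted URL ends with a literal `>`; the line should read `<link rel="stylesheet" href="/css/themes/custom/<?=$selected_theme?>.css?<?=JS_LATEST_UPDATE?>" rel="preload" />`. `$selected_theme` is also interpolated into the `file_exists()` paths and into the `href` attributes without validation or escaping; the origin of `$_SESSION['userTheme']` is not visible here, but if it can be set from a user preference the name should be constrained before use (for example fall back to `'default'` unless `$selected_theme === basename($selected_theme)`) and emitted through `htmlspecialchars()`. Each `<link>` still carries two `rel` attributes (`rel="stylesheet"` and `rel="preload"`), a pattern kept from the removed lines; duplicate attributes are invalid HTML and browsers keep only the first.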

+ 11 - 11
web/templates/includes/end_js.html

@@ -1,13 +1,13 @@
-<script type="text/javascript" src="/js/jquery/jquery-1.7.2.min.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/jquery/jquery.cookie.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/jquery/jquery-ui-1.8.20.custom.min.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/jquery/jquery.finder.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/hotkeys.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/events.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/app.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/init.js?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/i18n.js.php?<?=JS_LATEST_UPDATE?>"></script>
-<script type="text/javascript" src="/js/templates.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/jquery/jquery-1.7.2.min.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/jquery/jquery.cookie.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/jquery/jquery-ui-1.8.20.custom.min.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/jquery/jquery.finder.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/hotkeys.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/events.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/app.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/init.js?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/i18n.js.php?<?=JS_LATEST_UPDATE?>"></script>
+<script src="/js/templates.js?<?=JS_LATEST_UPDATE?>"></script>
 <script>
 	$(function() {
 		hover_menu();
@@ -44,4 +44,4 @@
 <?php
 	unset($_SESSION['error_msg']);
 	endif;
-?>
+?>

+ 1 - 1
web/templates/includes/top_js.html

@@ -1 +1 @@
-<script type="text/javascript" src="/inc/jquery/jquery-3.5.1.min.js"></script> 
+<script src="/inc/jquery/jquery-3.6.0.min.js"></script> 

+ 9 - 9
web/templates/pages/list_log.html

@@ -4,19 +4,19 @@
 		<div class="l-unit-toolbar__buttonstrip">
 			<?php if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
 				<a href="/list/user/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
-			<?php } else if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] === 'system')) { ?>
+			<?php } else if (($_SESSION['userContext'] === 'admin') && (htmlentities($_GET['user']) === 'system')) { ?>
 				<a href="/list/server/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 			<?php } else { ?>
-				<?php if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
-					<a href="/edit/user/?user=<?=$_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
+				<?php if (($_SESSION['userContext'] === 'admin') && (isset(htmlentities($_GET['user']))) && (htmlentities($_GET['user']) !== 'admin')) { ?>
+					<a href="/edit/user/?user=<?=htmlentities($_GET['user']); ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 				<?php } else { ?>
 					<a href="/edit/user/?user=<?=$user;?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 				<?php } ?>
 			<?php } ?>
-			<?php if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] !== 'admin')) { ?>
-				<?php if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
-					<?php if ($_GET['user'] !== 'system') {?>
-						<a href="/list/log/auth/?user=<?=$_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history');?></a>
+			<?php if (($_SESSION['userContext'] === 'admin') && (htmlentities($_GET['user']) !== 'admin')) { ?>
+				<?php if (($_SESSION['userContext'] === 'admin') && (isset(htmlentities($_GET['user']))) && (htmlentities($_GET['user']) !== 'admin')) { ?>
+					<?php if (htmlentities($_GET['user']) !== 'system') {?>
+						<a href="/list/log/auth/?user=<?=htmlentities($_GET['user']); ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history');?></a>
 					<?php } ?>
 				<?php } else { ?>
 					<a href="/list/log/auth/" id="btn-back" class="ui-button cancel" dir="ltr" title="<?=_('Login history');?>"><i class="fas fa-binoculars status-icon green"></i><?=_('Login history');?></a>
@@ -35,8 +35,8 @@
 					<div class="actions-panel display-inline-block" key-action="js">
 						<a class="data-controls do_delete ui-button danger cancel">
 							<i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete');?>
-							<?php if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user']))) {?>
-								<input type="hidden" name="delete_url" value="/delete/log/?user=<?=$_GET['user'];?>&token=<?=$_SESSION['token']?>" />
+							<?php if (($_SESSION['userContext'] === 'admin') && (isset(htmlentities($_GET['user'])))) {?>
+								<input type="hidden" name="delete_url" value="/delete/log/?user=<?=htmlentities($_GET['user']);?>&token=<?=$_SESSION['token']?>" />
 							<?php } else { ?>
 								<input type="hidden" name="delete_url" value="/delete/log/?token=<?=$_SESSION['token']?>" />
 							<?php } ?>
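Review bot: `isset(htmlentities($_GET['user']))` in the changed `if` guards of both hunks (back link, login-history link and the delete_url field) is a PHP compile error — `isset()` only accepts variables, so the template fails with "Cannot use isset() on the result of an expression"; the same construct is repeated in the two hunks of list_log_auth.html below. Keep the guard on the raw variable and escape only at output: `(isset($_GET['user'])) && ($_GET['user'] !== 'admin')` for the conditions, and `?user=<?=htmlspecialchars(rawurlencode($_GET['user']))?>` where the value is placed into a URL query, since `htmlentities()` alone does not URL-encode. The first changed line (`htmlentities($_GET['user']) === 'system'`) still reads `$_GET['user']` without any `isset()`, which raises a notice whenever the parameter is absent.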

+ 4 - 4
web/templates/pages/list_log_auth.html

@@ -2,8 +2,8 @@
 <div class="l-center">
 	<div class="l-sort clearfix noselect">
 		<div class="l-unit-toolbar__buttonstrip">
-			<?php if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
-				<a href="/list/log/?user=<?=$_GET['user']; ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
+			<?php if (($_SESSION['userContext'] === 'admin') && (isset(htmlentities($_GET['user']))) && (htmlentities($_GET['user']) !== 'admin')) { ?>
+				<a href="/list/log/?user=<?=htmlentities($_GET['user']); ?>&token=<?=$_SESSION['token']?>" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 			<?php } else { ?>
 				<a href="/list/log/" id="btn-back" class="ui-button cancel" dir="ltr"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 			<?php } ?>
@@ -17,8 +17,8 @@
 					<div class="actions-panel display-inline-block" key-action="js">
 						<a class="data-controls do_delete ui-button danger cancel">
 							<i class="do_delete fas fa-times-circle status-icon red"></i><?=_('Delete');?>
-							<?php if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user']))) {?>
-								<input type="hidden" name="delete_url" value="/delete/log/auth/?user=<?=$_GET['user'];?>&token=<?=$_SESSION['token']?>" />
+							<?php if (($_SESSION['userContext'] === 'admin') && (isset(htmlentities($_GET['user'])))) {?>
+								<input type="hidden" name="delete_url" value="/delete/log/auth/?user=<?=htmlentities($_GET['user']);?>&token=<?=$_SESSION['token']?>" />
 							<?php } else { ?>
 								<input type="hidden" name="delete_url" value="/delete/log/auth/?token=<?=$_SESSION['token']?>" />
 							<?php } ?>

+ 4 - 9
web/templates/pages/list_rrd.html

@@ -9,10 +9,10 @@
 			<table>
 				<tr>
 					<td>
-						<a class="vst<?php if ((empty($_GET['period'])) || ($_GET['period'] == 'daily')) echo " selected" ?>" href="?period=daily"><?=_('Daily');?></a>
-						<a class="vst<?php if ((!empty($_GET['period'])) && ($_GET['period'] == 'weekly')) echo " selected" ?>" href="?period=weekly"><?=_('Weekly');?></a>
-						<a class="vst<?php if ((!empty($_GET['period'])) && ($_GET['period'] == 'monthly')) echo " selected" ?>" href="?period=monthly"><?=_('Monthly');?></a>
-						<a class="vst<?php if ((!empty($_GET['period'])) && ($_GET['period'] == 'yearly')) echo " selected" ?>" href="?period=yearly"><?=_('Yearly');?></a>
+						<a class="vst<?php if ((empty($period)) || ($period == 'daily')) echo " selected" ?>" href="?period=daily"><?=_('Daily');?></a>
+						<a class="vst<?php if ((!empty($period)) && ($period == 'weekly')) echo " selected" ?>" href="?period=weekly"><?=_('Weekly');?></a>
+						<a class="vst<?php if ((!empty($period)) && ($period == 'monthly')) echo " selected" ?>" href="?period=monthly"><?=_('Monthly');?></a>
+						<a class="vst<?php if ((!empty($period)) && ($period == 'yearly')) echo " selected" ?>" href="?period=yearly"><?=_('Yearly');?></a>
 					</td>
 
 					<td>
@@ -42,11 +42,6 @@
 <div class="l-center units animated fadeIn">
 	<!-- Begin graph list item loop -->
 	<?php
-		if (empty($_GET['period'])) {
-			$period='daily';
-		} else {
-			$period=$_GET['period'];
-		}
 		foreach ($data as $key => $value) {
 		?>
 		<div class="l-unit l-unit__stats">
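Review bot: With the `$period` assignment removed in the second hunk, the period links in the first hunk depend on `$period` being defined by the script that includes this template, and that definition is not visible in this section; a one-line comment above the links, e.g. `<?php // $period is expected to be set (and restricted to daily/weekly/monthly/yearly) by the including script ?>`, would tell the next reader where the value is validated. The comparisons could also use `===` instead of `==`, since `$period` is only ever compared against string literals here.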

+ 2 - 2
web/templates/pages/list_search.html

@@ -18,7 +18,7 @@
 					<td class="l-sort-toolbar__search-box">
 						<form action="/search/" method="get">
 							<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
-							<input type="text" name="q" class="search-input" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?=_('Search');?>" />
+							<input type="text" name="q" class="search-input" value="<? echo isset($_GET['q']) ? htmlspecialchars($_GET['q']) : '' ?>" title="<?=_('Search');?>" />
 							<button type="submit" class="l-sort-toolbar__filter-apply" onclick="return doSearch('/search/')" value="" title="<?=_('Search');?>"><i class="fas fa-search"></i></button>
 						</form>
 					</td>
@@ -143,7 +143,7 @@
 				</div>
 				<div class="clearfix l-unit__stat-col--left text-center"><?=translate_date($value['DATE'])?></div>
 				<div class="clearfix l-unit__stat-col--left text-center"><b>
-						<a href="/search/?q=<?=$_GET['q'] ?>&u=<?=$value['USER']; ?>"><?=$value['USER']; ?></a></b></div>
+						<a href="/search/?q=<?=htmlspecialchars($q); ?>&u=<?=$value['USER']; ?>"><?=$value['USER']; ?></a></b></div>
 				<div class="clearfix l-unit__stat-col--left text-center"><?=_($object)?></b></div>
 			</div>
 		</div>
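Review bot: `htmlspecialchars($q)` on the new link line in the second hunk escapes for the attribute context but not for the URL query it sits in, so a search term containing `&`, `#` or `+` produces a different `q` when the link is followed; use `<a href="/search/?q=<?=htmlspecialchars(rawurlencode($q)); ?>&u=...`. `$value['USER']` on the same new line is still emitted into both the href and the link text unescaped; its origin is not visible here, so confirm it is a validated username or apply the same escaping.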

+ 2 - 3
web/templates/pages/login/login_1.html

@@ -10,12 +10,11 @@
 						<td style="padding: 40px 60px 0 0;" class="animated fadeIn">
 							<form method="post" action="/login/" id="form_login">
 								<input type="hidden" name="token" value="<?=$_SESSION['token']; ?>">
-								<input type="hidden" name="user" value="<?=$_POST['user']; ?>">
-								<input type="hidden" name="murmur" value="<?=$_SESSION['token']; ?>" id="murmur">
+                                <input type="hidden" name="murmur" value="" id="murmur">
 								<table class="login-box">
 									<tr>
 										<td style="padding: 12px 0 0 2px;" class="login-welcome">
-											<?=_('Welcome');?> <?=$_POST['user']; ?>!
+											<?=_('Welcome');?> <?=htmlspecialchars($_SESSION['login']['username']); ?>!
 										</td>
 									</tr>
 									<tr>
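Review bot: The replacement `murmur` input line is indented with spaces while every surrounding line uses tabs; re-indent it with tabs to match the `name="token"` input directly above it. The welcome line now reads `$_SESSION['login']['username']`; if that key can be absent when this page renders (not visible here), guard it with `htmlspecialchars($_SESSION['login']['username'] ?? '')` to avoid a notice.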
