
Add missing HTML/url encoding (5245-chunk10) (#5256)

* Add missing HTML/url encoding (5245-chunk10)
There were reports that some missing HTML encoding could lead to XSS/JavaScript injection.

Reviewable chunk of #5245 , which grew too large.
divinity76 1 week ago
parent
commit
a4c5f78c97
2 changed files with 132 additions and 123 deletions
  1. 19 19
      web/templates/pages/edit_db.php
  2. 113 104
      web/templates/pages/list_mail.php

+ 19 - 19
web/templates/pages/edit_db.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/db/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -17,35 +17,35 @@
 
 <div class="container">
 
-	<form id="main-form" name="v_edit_db" method="post" class="<?= $v_status ?>">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+	<form id="main-form" name="v_edit_db" method="post" class="<?= tohtml($v_status) ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit Database") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Database")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_database" class="form-label"><?= _("Database") ?></label>
-				<input type="text" class="form-control js-db-hint-database-name" name="v_database" id="v_database" value="<?= htmlentities(trim($v_database, "'")) ?>" disabled>
+				<label for="v_database" class="form-label"><?= tohtml( _("Database")) ?></label>
+				<input type="text" class="form-control js-db-hint-database-name" name="v_database" id="v_database" value="<?= tohtml(trim($v_database, "'")) ?>" disabled>
 				<small class="hint"></small>
 			</div>
 			<div class="u-mb10">
 				<label for="v_dbuser" class="form-label u-side-by-side">
-					<?= _("Username") ?>
-					<em><small>(<?= sprintf(_("Maximum %s characters length, including prefix"), 32) ?>)</small></em>
+					<?= tohtml( _("Username")) ?>
+					<em><small>(<?= tohtml(sprintf(_("Maximum %s characters length, including prefix"), 32)) ?>)</small></em>
 				</label>
-				<input type="text" class="form-control js-db-hint-username" name="v_dbuser" id="v_dbuser" value="<?= htmlentities(trim($v_dbuser, "'")) ?>">
+				<input type="text" class="form-control js-db-hint-username" name="v_dbuser" id="v_dbuser" value="<?= tohtml(trim($v_dbuser, "'")) ?>">
 				<small class="hint"></small>
 			</div>
 			<div class="u-mb10">
 				<label for="v_password" class="form-label">
-					<?= _("Password") ?>
-					<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+					<?= tohtml( _("Password")) ?>
+					<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 						<i class="fas fa-arrows-rotate icon-green"></i>
 					</button>
 				</label>
 				<div class="u-pos-relative u-mb10">
-					<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= htmlentities(trim($v_password, "'")) ?>">
+					<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= tohtml(trim($v_password, "'")) ?>">
 					<div class="password-meter">
 						<meter max="4" class="password-meter-input js-password-meter"></meter>
 					</div>
@@ -53,16 +53,16 @@
 			</div>
 			<?php require $_SERVER["HESTIA"] . "/web/templates/includes/password-requirements.php"; ?>
 			<div class="u-mb10">
-				<label for="v_type" class="form-label"><?= _("Type") ?></label>
-				<input type="text" class="form-control" name="v_type" id="v_type" value="<?= htmlentities(trim($v_type, "'")) ?>" disabled>
+				<label for="v_type" class="form-label"><?= tohtml( _("Type")) ?></label>
+				<input type="text" class="form-control" name="v_type" id="v_type" value="<?= tohtml(trim($v_type, "'")) ?>" disabled>
 			</div>
 			<div class="u-mb10">
-				<label for="v_host" class="form-label"><?= _("Host") ?></label>
-				<input type="text" class="form-control" name="v_host" id="v_host" value="<?= htmlentities(trim($v_host, "'")) ?>" disabled>
+				<label for="v_host" class="form-label"><?= tohtml( _("Host")) ?></label>
+				<input type="text" class="form-control" name="v_host" id="v_host" value="<?= tohtml(trim($v_host, "'")) ?>" disabled>
 			</div>
 			<div class="u-mb10">
-				<label for="v_charset" class="form-label"><?= _("Charset") ?></label>
-				<input type="text" class="form-control" name="v_charset" id="v_charset" value="<?= htmlentities(trim($v_charset, "'")) ?>" disabled>
+				<label for="v_charset" class="form-label"><?= tohtml( _("Charset")) ?></label>
+				<input type="text" class="form-control" name="v_charset" id="v_charset" value="<?= tohtml(trim($v_charset, "'")) ?>" disabled>
 			</div>
 		</div>
 
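Review bot: Point of style: the new calls on translated strings are written `tohtml( _("Back"))` with a stray space after the opening parenthesis, while the calls on variables in the same hunk are written `tohtml($v_status)`; make them `tohtml(_("Back"))` throughout (the same spacing is repeated in list_mail.php). Every one of these outputs lands in a double-quoted attribute or in element text, so the fix is only complete if `tohtml()` encodes `"` as well as `<` and `&`; its definition is not part of this diff, so confirm it wraps `htmlspecialchars()` with `ENT_QUOTES | ENT_SUBSTITUTE` and an explicit `'UTF-8'` charset. Swapping `htmlentities()` for `tohtml()` on the `value=` attributes also changes how non-ASCII characters are emitted (named entities before, raw UTF-8 presumably now), which is fine for a UTF-8 page but deserves a sentence in the commit message since it is not an encoding gap being closed.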

+ 113 - 104
web/templates/pages/list_mail.php

@@ -1,62 +1,71 @@
+<?php
+	$search_query = $_GET['q'] ?? '';
+	if (!is_scalar($search_query)) {
+		http_response_code(400);
+		echo tohtml(sprintf(_("Bad Request: parameter q must be scalar, got %s."), gettype($search_query)));
+		return;
+	}
+	$search_query = (string) $search_query;
+?>
 <!-- Begin toolbar -->
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
 				<a href="/add/mail/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add Mail Domain") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Mail Domain")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-accounts" data-sort-as-int="1">
-						<span class="name"><?= _("Accounts") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Accounts")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-disk" data-sort-as-int="1">
-						<span class="name"><?= _("Disk") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Disk")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
 					<form x-data x-bind="BulkEdit" action="/bulk/mail/" method="post">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
 							<?php if ($_SESSION["userContext"] === "admin") { ?>
-								<option value="rebuild"><?= _("Rebuild All") ?></option>
+								<option value="rebuild"><?= tohtml( _("Rebuild All")) ?></option>
 							<?php } ?>
-							<option value="suspend"><?= _("Suspend") ?></option>
-							<option value="unsuspend"><?= _("Unsuspend") ?></option>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value="suspend"><?= tohtml( _("Suspend")) ?></option>
+							<option value="unsuspend"><?= tohtml( _("Unsuspend")) ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
 				<?php } ?>
 			</div>
-			<div class="toolbar-search">
-				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
-						<i class="fas fa-magnifying-glass"></i>
-					</button>
-				</form>
+				<div class="toolbar-search">
+					<form action="/search/" method="get">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+						<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($search_query) ?>" title="<?= tohtml( _("Search")) ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
+							<i class="fas fa-magnifying-glass"></i>
+						</button>
+					</form>
 			</div>
 		</div>
 	</div>
@@ -65,21 +74,21 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Mail Domains") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Mail Domains")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Accounts") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Disk") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Anti-Virus") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Spam Filter") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("DKIM") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("SSL") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Accounts")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Disk")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Anti-Virus")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Spam Filter")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("DKIM")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("SSL")) ?></div>
 		</div>
 
 		<!-- Begin mail domain list item loop -->
@@ -165,20 +174,20 @@
 				}
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-sort-date="<?= strtotime($data[$key]['DATE'].' '.$data[$key]['TIME']) ?>"
-				data-sort-name="<?= $key ?>"
-				data-sort-disk="<?= $data[$key]["U_DISK"] ?>"
-				data-sort-accounts="<?= $data[$key]["ACCOUNTS"] ?>">
+				data-sort-date="<?= tohtml(strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
+				data-sort-name="<?= tohtml($key) ?>"
+				data-sort-disk="<?= tohtml($data[$key]["U_DISK"]) ?>"
+				data-sort-accounts="<?= tohtml($data[$key]["ACCOUNTS"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="domain[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="domain[]" value="<?= tohtml($key) ?>" <?= tohtml($display_mode) ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Name") ?>:</span>
-					<a href="?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Mail Accounts") ?>: <?= $key ?>">
-						<?= $key ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Name")) ?>:</span>
+					<a href="?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Mail Accounts")) ?>: <?= tohtml($key) ?>">
+						<?= tohtml($key) ?>
 					</a>
 				</div>
 				<div class="units-table-cell">
@@ -187,33 +196,33 @@
 							<li class="units-table-row-action shortcut-l" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Mail Accounts") ?>"
+									href="?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Mail Accounts")) ?>"
 								>
 									<i class="fas fa-users icon-blue"></i>
-									<span class="u-hide-desktop"><?= _("Mail Accounts") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Mail Accounts")) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-l" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="?domain=<?= $key ?>&dns=1&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("DNS Records") ?>"
+									href="?<?= tohtml(http_build_query(["domain" => $key, "dns" => '1', "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("DNS Records")) ?>"
 								>
 									<i class="fas fa-book-atlas icon-blue"></i>
-									<span class="u-hide-desktop"><?= _("DNS Records") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("DNS Records")) ?></span>
 								</a>
 							</li>
 							<?php if ($data[$key]["SUSPENDED"] == "no") { ?>
-								<li class="units-table-row-action" data-key-action="href">
-									<a
-										class="units-table-row-action-link"
-										href="http://<?= $webmail ?>.<?= $key ?>/"
-										target="_blank"
-										title="<?= _("Open Webmail") ?>"
-									>
+									<li class="units-table-row-action" data-key-action="href">
+										<a
+											class="units-table-row-action-link"
+											href="https://<?= tohtml($webmail) ?>.<?= tohtml($key) ?>/"
+											target="_blank"
+											title="<?= tohtml( _("Open Webmail")) ?>"
+										>
 										<i class="fas fa-paper-plane icon-lightblue"></i>
-										<span class="u-hide-desktop"><?= _("Open Webmail") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Open Webmail")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
@@ -222,24 +231,24 @@
 								<li class="units-table-row-action shortcut-n" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/add/mail/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Add Mail Account") ?>"
+										href="/add/mail/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Add Mail Account")) ?>"
 									>
 										<i class="fas fa-circle-plus icon-green"></i>
-										<span class="u-hide-desktop"><?= _("Add Mail Account") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Add Mail Account")) ?></span>
 									</a>
 								</li>
 								<?php if ($_SESSION["WEBMAIL_SYSTEM"]) { ?>
 									<?php if (!empty($data[$key]["WEBMAIL"])) { ?>
-										<li class="units-table-row-action" data-key-action="href">
-											<a
-												class="units-table-row-action-link"
-												href="http://<?= $webmail ?>.<?= $key ?>/"
-												target="_blank"
-												title="<?= _("Open Webmail") ?>"
-											>
+											<li class="units-table-row-action" data-key-action="href">
+												<a
+													class="units-table-row-action-link"
+													href="https://<?= tohtml($webmail) ?>.<?= tohtml($key) ?>/"
+													target="_blank"
+													title="<?= tohtml( _("Open Webmail")) ?>"
+												>
 												<i class="fas fa-paper-plane icon-lightblue"></i>
-												<span class="u-hide-desktop"><?= _("Open Webmail") ?></span>
+												<span class="u-hide-desktop"><?= tohtml( _("Open Webmail")) ?></span>
 											</a>
 										</li>
 									<?php } ?>
@@ -247,86 +256,86 @@
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/edit/mail/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Edit Mail Domain") ?>"
+										href="/edit/mail/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Edit Mail Domain")) ?>"
 									>
 										<i class="fas fa-pencil icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Edit Mail Domain") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Edit Mail Domain")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
 							<li class="units-table-row-action shortcut-l" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="?domain=<?= $key ?>&dns=1&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("DNS Records") ?>"
+									href="?<?= tohtml(http_build_query(["domain" => $key, "dns" => '1', "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("DNS Records")) ?>"
 								>
 									<i class="fas fa-book-atlas icon-blue"></i>
-									<span class="u-hide-desktop"><?= _("DNS Records") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("DNS Records")) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-s" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/<?= $spnd_action ?>/mail/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= $spnd_action_title ?>"
-									data-confirm-title="<?= $spnd_action_title ?>"
-									data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+									href="/<?= tohtml($spnd_action) ?>/mail/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 								>
-									<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-									<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+									<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+									<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/mail/?domain=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete domain %s?"), $key) ?>"
+									href="/delete/mail/?<?= tohtml(http_build_query(["domain" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete domain %s?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						<?php } ?>
 					</ul>
 				</div>
-				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Accounts") ?>:</span>
-					<?php
-						if ($data[$key]['ACCOUNTS']) {
-							$mail_accounts = htmlentities($data[$key]['ACCOUNTS']);
-						} else {
-							$mail_accounts = '0';
-						}
-					?>
-					<?= $mail_accounts ?>
+					<div class="units-table-cell u-text-center-desktop">
+						<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Accounts")) ?>:</span>
+						<?php
+							if ($data[$key]['ACCOUNTS']) {
+								$mail_accounts = $data[$key]['ACCOUNTS'];
+							} else {
+								$mail_accounts = '0';
+							}
+						?>
+					<?= tohtml($mail_accounts) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Disk") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Disk")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["U_DISK"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["U_DISK"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Anti-Virus") ?>:</span>
-					<i class="fas <?= $antivirus_icon ?>" title="<?= $antivirus_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Anti-Virus")) ?>:</span>
+					<i class="fas <?= tohtml($antivirus_icon) ?>" title="<?= tohtml($antivirus_title) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Spam Filter") ?>:</span>
-					<i class="fas <?= $antispam_icon ?>" title="<?= $antispam_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Spam Filter")) ?>:</span>
+					<i class="fas <?= tohtml($antispam_icon) ?>" title="<?= tohtml($antispam_title) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("DKIM") ?>:</span>
-					<i class="fas <?= $dkim_icon ?>" title="<?= $dkim_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("DKIM")) ?>:</span>
+					<i class="fas <?= tohtml($dkim_icon) ?>" title="<?= tohtml($dkim_title) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("SSL") ?>:</span>
-					<i class="fas <?= $ssl_icon ?>" title="<?= $ssl_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("SSL")) ?>:</span>
+					<i class="fas <?= tohtml($ssl_icon) ?>" title="<?= tohtml($ssl_title) ?>"></i>
 				</div>
 			</div>
 		<?php } ?>
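Review bot: The two "Open Webmail" links (`href="https://<?= tohtml($webmail) ?>.<?= tohtml($key) ?>/"`) change the scheme from `http://` to `https://` in the same lines that add the encoding, which is a behaviour change the commit title does not mention and which breaks the link on hosts where the webmail subdomain is served without a certificate; either keep `http://` here or move the scheme change to its own commit with its rationale. The early exit added at the top of the file echoes an error and calls `http_response_code(400)` from inside a template; if the surrounding layout has already started output before this file is included, the status line can no longer be changed (PHP warns that headers are already sent) and the user gets a 200 with a fragment of a page, so confirm the template runs before any output or perform the scalar check where the status can still be set. `tohtml(strtotime(...))`, `tohtml($i)` and `tohtml($data[$key]["U_DISK"])` now pass ints (and `false` when `strtotime()` fails to parse) to `tohtml()`; if it declares a `string` parameter under `strict_types`, that is a `TypeError`, so either cast with `(string)` at the call sites or confirm the helper accepts scalars. The re-indented `<div class="toolbar-search">`, the two webmail `<li>` blocks and the Accounts cell now open one tab deeper than their closing tags, which makes the diff noisier than the encoding change and should be reverted to match the closing indentation.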