
Add missing HTML/url encoding (5245-chunk5) (#5250)

There were reports that some missing HTML encoding could lead to XSS/JavaScript injection.

Reviewable chunk of #5245 , which grew too large.
divinity76 1 week ago
parent
commit
cc510c7808

+ 7 - 7
web/templates/pages/debug_panel.php

@@ -4,13 +4,13 @@ if( !defined("HESTIA_DIR_BIN") ){
 }
 ?>
 <div x-data="{ open: false }" class="debug-panel">
-	<button
-		type="button"
-		class="debug-panel-toggle"
-		x-on:click="open = !open"
-		x-text="open ? '<?= _("Close debug panel") ?>' : '<?= _("Open debug panel") ?>'">
-		<?= _("Open debug panel") ?>
-	</button>
+		<button
+			type="button"
+			class="debug-panel-toggle"
+			x-on:click="open = !open"
+			x-text="open ? <?= tohtml(json_encode(_("Close debug panel"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)) ?> : <?= tohtml(json_encode(_("Open debug panel"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)) ?>">
+			<?= tohtml( _("Open debug panel")) ?>
+		</button>
 	<div x-cloak x-show="open" class="debug-panel-content">
 		<?php
 			echo "<h3 class=\"u-mb10\">Server Variables</h3>";
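Review bot: The rewritten `<button>` block is now indented one tab deeper than its sibling `<div x-cloak x-show="open" ...>` and than the original markup, which reads as an accidental re-indent rather than a structural change; dropping that extra tab keeps the two children of `.debug-panel` aligned. The `x-text` value is correct only if `tohtml()` escapes `"` (htmlspecialchars with ENT_QUOTES, the default since PHP 8.1), since the attribute parser must hand Alpine back `open ? "Close debug panel" : "Open debug panel"`; `tohtml()` is not visible in this diff, so that is worth confirming. Once the JSON string is wrapped in `tohtml()`, the JSON_HEX_TAG/AMP/APOS/QUOT flags are redundant but harmless defence in depth, and the twice-repeated flag expression could be hoisted into a single local such as `$jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;` to keep the attribute readable.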

+ 87 - 87
web/templates/pages/edit_cron.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/cron/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -17,56 +17,56 @@
 
 <div class="container">
 
-	<form id="main-form" name="v_edit_cron" method="post" class="<?= $v_status ?>">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+	<form id="main-form" name="v_edit_cron" method="post" class="<?= tohtml($v_status) ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container form-container-wide">
 			<div class="u-side-by-side-tablet u-mb20">
-				<h1><?= _("Edit Cron Job") ?></h1>
+				<h1><?= tohtml( _("Edit Cron Job")) ?></h1>
 				<p>
-					<?= _("System time") ?>:
-					<time datetime="<?= date("c", $current_timestamp) ?>" class="u-text-bold">
-						<?= date("d M Y, H:i", $current_timestamp) ?>
+					<?= tohtml( _("System time")) ?>:
+					<time datetime="<?= tohtml(date("c", $current_timestamp)) ?>" class="u-text-bold">
+						<?= tohtml(date("d M Y, H:i", $current_timestamp)) ?>
 					</time>
 				</p>
 			</div>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_cmd" class="form-label"><?= _("Command") ?></label>
-				<input type="text" class="form-control" name="v_cmd" id="v_cmd" value="<?= htmlentities(trim($v_cmd, "'")) ?>">
+				<label for="v_cmd" class="form-label"><?= tohtml( _("Command")) ?></label>
+				<input type="text" class="form-control" name="v_cmd" id="v_cmd" value="<?= tohtml(trim($v_cmd, "'")) ?>">
 			</div>
 			<div class="sidebar-left-grid">
 				<div class="sidebar-left-grid-sidebar">
 					<div class="u-mb10">
-						<label for="v_min" class="form-label"><?= _("Minute") ?></label>
-						<input type="text" class="form-control" name="v_min" id="v_min" value="<?= htmlentities(trim($v_min, "'")) ?>">
+						<label for="v_min" class="form-label"><?= tohtml( _("Minute")) ?></label>
+						<input type="text" class="form-control" name="v_min" id="v_min" value="<?= tohtml(trim($v_min, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_hour" class="form-label"><?= _("Hour") ?></label>
-						<input type="text" class="form-control" name="v_hour" id="v_hour" value="<?= htmlentities(trim($v_hour, "'")) ?>">
+						<label for="v_hour" class="form-label"><?= tohtml( _("Hour")) ?></label>
+						<input type="text" class="form-control" name="v_hour" id="v_hour" value="<?= tohtml(trim($v_hour, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_day" class="form-label"><?= _("Day") ?></label>
-						<input type="text" class="form-control" name="v_day" id="v_day" value="<?= htmlentities(trim($v_day, "'")) ?>">
+						<label for="v_day" class="form-label"><?= tohtml( _("Day")) ?></label>
+						<input type="text" class="form-control" name="v_day" id="v_day" value="<?= tohtml(trim($v_day, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_month" class="form-label"><?= _("Month") ?></label>
-						<input type="text" class="form-control" name="v_month" id="v_month" value="<?= htmlentities(trim($v_month, "'")) ?>">
+						<label for="v_month" class="form-label"><?= tohtml( _("Month")) ?></label>
+						<input type="text" class="form-control" name="v_month" id="v_month" value="<?= tohtml(trim($v_month, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_wday" class="form-label"><?= _("Day of Week") ?></label>
-						<input type="text" class="form-control" name="v_wday" id="v_wday" value="<?= htmlentities(trim($v_wday, "'")) ?>">
+						<label for="v_wday" class="form-label"><?= tohtml( _("Day of Week")) ?></label>
+						<input type="text" class="form-control" name="v_wday" id="v_wday" value="<?= tohtml(trim($v_wday, "'")) ?>">
 					</div>
 				</div>
 				<div class="sidebar-left-grid-content">
 					<div class="tabs cron-tabs js-tabs">
 						<div class="tabs-items" role="tablist">
-							<button type="button" class="tabs-item" id="tab-one" role="tab" tabindex="0" aria-selected="true"><?= _("Minutes") ?></button>
-							<button type="button" class="tabs-item" id="tab-two" role="tab" tabindex="-1"><?= _("Hourly") ?></button>
-							<button type="button" class="tabs-item" id="tab-three" role="tab" tabindex="-1"><?= _("Daily") ?></button>
-							<button type="button" class="tabs-item" id="tab-four" role="tab" tabindex="-1"><?= _("Weekly") ?></button>
-							<button type="button" class="tabs-item" id="tab-five" role="tab" tabindex="-1"><?= _("Monthly") ?></button>
+							<button type="button" class="tabs-item" id="tab-one" role="tab" tabindex="0" aria-selected="true"><?= tohtml( _("Minutes")) ?></button>
+							<button type="button" class="tabs-item" id="tab-two" role="tab" tabindex="-1"><?= tohtml( _("Hourly")) ?></button>
+							<button type="button" class="tabs-item" id="tab-three" role="tab" tabindex="-1"><?= tohtml( _("Daily")) ?></button>
+							<button type="button" class="tabs-item" id="tab-four" role="tab" tabindex="-1"><?= tohtml( _("Weekly")) ?></button>
+							<button type="button" class="tabs-item" id="tab-five" role="tab" tabindex="-1"><?= tohtml( _("Monthly")) ?></button>
 						</div>
 						<div class="tabs-panel" role="tabpanel" aria-labelledby="tab-one" tabindex="0">
 							<fieldset>
@@ -75,19 +75,19 @@
 								<input type="hidden" name="h_month" value="*" form="">
 								<input type="hidden" name="h_wday" value="*" form="">
 								<div class="u-mt10 u-mb20">
-									<label for="h_min_1" class="form-label first"><?= _("Run Command") ?>:</label>
+									<label for="h_min_1" class="form-label first"><?= tohtml( _("Run Command")) ?>:</label>
 									<select class="form-select" name="h_min" id="h_min_1" form="">
-										<option value="*" selected="selected"><?= _("Every minute") ?></option>
-										<option value="*/2"><?= sprintf(_("Every %s minutes"), 2) ?></option>
-										<option value="*/5"><?= sprintf(_("Every %s minutes"), 5) ?></option>
-										<option value="*/10"><?= sprintf(_("Every %s minutes"), 10) ?></option>
-										<option value="*/15"><?= sprintf(_("Every %s minutes"), 15) ?></option>
-										<option value="*/30"><?= sprintf(_("Every %s minutes"), 30) ?></option>
+										<option value="*" selected="selected"><?= tohtml( _("Every minute")) ?></option>
+										<option value="*/2"><?= tohtml(sprintf(_("Every %s minutes"), 2)) ?></option>
+										<option value="*/5"><?= tohtml(sprintf(_("Every %s minutes"), 5)) ?></option>
+										<option value="*/10"><?= tohtml(sprintf(_("Every %s minutes"), 10)) ?></option>
+										<option value="*/15"><?= tohtml(sprintf(_("Every %s minutes"), 15)) ?></option>
+										<option value="*/30"><?= tohtml(sprintf(_("Every %s minutes"), 30)) ?></option>
 									</select>
 								</div>
 								<div class="u-pt10">
 									<button type="button" class="button button-secondary js-generate-cron">
-										<?= _("Generate") ?>
+										<?= tohtml( _("Generate")) ?>
 									</button>
 								</div>
 							</fieldset>
@@ -98,16 +98,16 @@
 								<input type="hidden" name="h_month" value="*" form="">
 								<input type="hidden" name="h_wday" value="*" form="">
 								<div class="u-mt10 u-mb10">
-									<label for="h_hour_2" class="form-label first"><?= _("Run Command") ?>:</label>
+									<label for="h_hour_2" class="form-label first"><?= tohtml( _("Run Command")) ?>:</label>
 									<select class="form-select" name="h_hour" id="h_hour_2" form="">
-										<option value="*" selected="selected"><?= _("Every hour") ?></option>
-										<option value="*/2"><?= sprintf(_("Every %s hours"), 2) ?></option>
-										<option value="*/6"><?= sprintf(_("Every %s hours"), 6) ?></option>
-										<option value="*/12"><?= sprintf(_("Every %s hours"), 12) ?></option>
+										<option value="*" selected="selected"><?= tohtml( _("Every hour")) ?></option>
+										<option value="*/2"><?= tohtml(sprintf(_("Every %s hours"), 2)) ?></option>
+										<option value="*/6"><?= tohtml(sprintf(_("Every %s hours"), 6)) ?></option>
+										<option value="*/12"><?= tohtml(sprintf(_("Every %s hours"), 12)) ?></option>
 									</select>
 								</div>
 								<div class="u-mb20">
-									<label for="h_min_2" class="form-label first"><?= _("Minute") ?>:</label>
+									<label for="h_min_2" class="form-label first"><?= tohtml( _("Minute")) ?>:</label>
 									<select class="form-select" name="h_min" id="h_min_2" style="width:70px;" form="">
 										<option value="0" selected="selected">00</option>
 										<option value="15">15</option>
@@ -117,7 +117,7 @@
 								</div>
 								<div class="u-pt10">
 									<button type="button" class="button button-secondary js-generate-cron">
-										<?= _("Generate") ?>
+										<?= tohtml( _("Generate")) ?>
 									</button>
 								</div>
 							</fieldset>
@@ -127,19 +127,19 @@
 								<input type="hidden" name="h_month" value="*" form="">
 								<input type="hidden" name="h_wday" value="*" form="">
 								<div class="u-mt10 u-mb10">
-									<label for="h_day_3" class="form-label first"><?= _("Run Command") ?>:</label>
+									<label for="h_day_3" class="form-label first"><?= tohtml( _("Run Command")) ?>:</label>
 									<select class="form-select" name="h_day" id="h_day_3" form="">
-										<option value="*" selected="selected"><?= _("Every day") ?></option>
-										<option value="1-31/2"><?= _("Every odd day") ?></option>
-										<option value="*/2"><?= _("Every even day") ?></option>
-										<option value="*/3"><?= sprintf(_("Every %s days"), 2) ?></option>
-										<option value="*/5"><?= sprintf(_("Every %s days"), 5) ?></option>
-										<option value="*/10"><?= sprintf(_("Every %s days"), 10) ?></option>
-										<option value="*/15"><?= sprintf(_("Every %s days"), 15) ?></option>
+										<option value="*" selected="selected"><?= tohtml( _("Every day")) ?></option>
+										<option value="1-31/2"><?= tohtml( _("Every odd day")) ?></option>
+										<option value="*/2"><?= tohtml( _("Every even day")) ?></option>
+										<option value="*/3"><?= tohtml(sprintf(_("Every %s days"), 2)) ?></option>
+										<option value="*/5"><?= tohtml(sprintf(_("Every %s days"), 5)) ?></option>
+										<option value="*/10"><?= tohtml(sprintf(_("Every %s days"), 10)) ?></option>
+										<option value="*/15"><?= tohtml(sprintf(_("Every %s days"), 15)) ?></option>
 									</select>
 								</div>
 								<div class="u-mb20">
-									<label for="h_hour_3" class="form-label first"><?= _("Hour") ?>:</label>
+									<label for="h_hour_3" class="form-label first"><?= tohtml( _("Hour")) ?>:</label>
 									<select class="form-select" name="h_hour" id="h_hour_3" style="width:70px;" form="">
 										<option value="0">00</option>
 										<option value="1">01</option>
@@ -166,7 +166,7 @@
 										<option value="22">22</option>
 										<option value="23">23</option>
 									</select>
-									<label for="h_min_3" class="form-label"><?= _("Minute") ?>:</label>
+									<label for="h_min_3" class="form-label"><?= tohtml( _("Minute")) ?>:</label>
 									<select class="form-select" name="h_min" id="h_min_3" style="width:70px;" form="">
 										<option value="0" selected="selected">00</option>
 										<option value="1">01</option>
@@ -186,7 +186,7 @@
 								</div>
 								<div class="u-pt10">
 									<button type="button" class="button button-secondary js-generate-cron">
-										<?= _("Generate") ?>
+										<?= tohtml( _("Generate")) ?>
 									</button>
 								</div>
 							</fieldset>
@@ -196,22 +196,22 @@
 								<input type="hidden" name="h_month" value="*" form="">
 								<input type="hidden" name="h_day" value="*" form="">
 								<div class="u-mt10 u-mb10">
-									<label for="h_wday_4" class="form-label first"><?= _("Run Command") ?>:</label>
+									<label for="h_wday_4" class="form-label first"><?= tohtml( _("Run Command")) ?>:</label>
 									<select class="form-select" name="h_wday" id="h_wday_4" form="">
-										<option value="*" selected="selected"><?= _("Every day") ?></option>
-										<option value="1,2,3,4,5"><?= _("Weekdays (5 days)") ?></option>
-										<option value="0,6"><?= _("Weekend (2 days)") ?></option>
-										<option value="1"><?= _("Monday") ?></option>
-										<option value="2"><?= _("Tuesday") ?></option>
-										<option value="3"><?= _("Wednesday") ?></option>
-										<option value="4"><?= _("Thursday") ?></option>
-										<option value="5"><?= _("Friday") ?></option>
-										<option value="6"><?= _("Saturday") ?></option>
-										<option value="0"><?= _("Sunday") ?></option>
+										<option value="*" selected="selected"><?= tohtml( _("Every day")) ?></option>
+										<option value="1,2,3,4,5"><?= tohtml( _("Weekdays (5 days)")) ?></option>
+										<option value="0,6"><?= tohtml( _("Weekend (2 days)")) ?></option>
+										<option value="1"><?= tohtml( _("Monday")) ?></option>
+										<option value="2"><?= tohtml( _("Tuesday")) ?></option>
+										<option value="3"><?= tohtml( _("Wednesday")) ?></option>
+										<option value="4"><?= tohtml( _("Thursday")) ?></option>
+										<option value="5"><?= tohtml( _("Friday")) ?></option>
+										<option value="6"><?= tohtml( _("Saturday")) ?></option>
+										<option value="0"><?= tohtml( _("Sunday")) ?></option>
 									</select>
 								</div>
 								<div class="u-mb20">
-									<label for="h_hour_4" class="form-label first"><?= _("Hour") ?>:</label>
+									<label for="h_hour_4" class="form-label first"><?= tohtml( _("Hour")) ?>:</label>
 									<select class="form-select" name="h_hour" id="h_hour_4" style="width:70px;" form="">
 										<option value="0">00</option>
 										<option value="1">01</option>
@@ -238,7 +238,7 @@
 										<option value="22">22</option>
 										<option value="23">23</option>
 									</select>
-									<label for="h_min_4" class="form-label"><?= _("Minute") ?>:</label>
+									<label for="h_min_4" class="form-label"><?= tohtml( _("Minute")) ?>:</label>
 									<select class="form-select" name="h_min" id="h_min_4" style="width:70px;" form="">
 										<option value="0" selected="selected">00</option>
 										<option value="1">01</option>
@@ -258,7 +258,7 @@
 								</div>
 								<div class="u-pt10">
 									<button type="button" class="button button-secondary js-generate-cron">
-										<?= _("Generate") ?>
+										<?= tohtml( _("Generate")) ?>
 									</button>
 								</div>
 							</fieldset>
@@ -267,29 +267,29 @@
 							<fieldset>
 								<input type="hidden" name="h_wday" value="*" form="">
 								<div class="u-mt10 u-mb10">
-									<label for="h_month_5" class="form-label first"><?= _("Run Command") ?>:</label>
+									<label for="h_month_5" class="form-label first"><?= tohtml( _("Run Command")) ?>:</label>
 									<select class="form-select" name="h_month" id="h_month_5" form="">
-										<option value="*" selected="selected"><?= _("Every month") ?></option>
-										<option value="1-11/2"><?= _("Every odd month") ?></option>
-										<option value="*/2"><?= _("Every even month") ?></option>
-										<option value="*/3"><?= sprintf(_("Every %s months"), 3) ?></option>
-										<option value="*/6"><?= sprintf(_("Every %s months"), 6) ?></option>
-										<option value="1"><?= _("Jan") ?></option>
-										<option value="2"><?= _("Feb") ?></option>
-										<option value="3"><?= _("Mar") ?></option>
-										<option value="4"><?= _("Apr") ?></option>
-										<option value="5"><?= _("May") ?></option>
-										<option value="6"><?= _("Jun") ?></option>
-										<option value="7"><?= _("Jul") ?></option>
-										<option value="8"><?= _("Aug") ?></option>
-										<option value="9"><?= _("Sep") ?></option>
-										<option value="10"><?= _("Oct") ?></option>
-										<option value="11"><?= _("Nov") ?></option>
-										<option value="12"><?= _("Dec") ?></option>
+										<option value="*" selected="selected"><?= tohtml( _("Every month")) ?></option>
+										<option value="1-11/2"><?= tohtml( _("Every odd month")) ?></option>
+										<option value="*/2"><?= tohtml( _("Every even month")) ?></option>
+										<option value="*/3"><?= tohtml(sprintf(_("Every %s months"), 3)) ?></option>
+										<option value="*/6"><?= tohtml(sprintf(_("Every %s months"), 6)) ?></option>
+										<option value="1"><?= tohtml( _("Jan")) ?></option>
+										<option value="2"><?= tohtml( _("Feb")) ?></option>
+										<option value="3"><?= tohtml( _("Mar")) ?></option>
+										<option value="4"><?= tohtml( _("Apr")) ?></option>
+										<option value="5"><?= tohtml( _("May")) ?></option>
+										<option value="6"><?= tohtml( _("Jun")) ?></option>
+										<option value="7"><?= tohtml( _("Jul")) ?></option>
+										<option value="8"><?= tohtml( _("Aug")) ?></option>
+										<option value="9"><?= tohtml( _("Sep")) ?></option>
+										<option value="10"><?= tohtml( _("Oct")) ?></option>
+										<option value="11"><?= tohtml( _("Nov")) ?></option>
+										<option value="12"><?= tohtml( _("Dec")) ?></option>
 									</select>
 								</div>
 								<div class="u-mb20">
-									<label for="h_day_5" class="form-label first"><?= _("Day") ?>:</label>
+									<label for="h_day_5" class="form-label first"><?= tohtml( _("Day")) ?>:</label>
 									<select class="form-select" name="h_day" id="h_day_5" style="width:70px;" form="">
 										<option value="1" selected="selected">01</option>
 										<option value="2">02</option>
@@ -323,7 +323,7 @@
 										<option value="30">30</option>
 										<option value="31">31</option>
 									</select>
-									<label for="h_hour_5" class="form-label"><?= _("Hour") ?>:</label>
+									<label for="h_hour_5" class="form-label"><?= tohtml( _("Hour")) ?>:</label>
 									<select class="form-select" name="h_hour" id="h_hour_5" style="width:70px;" form="">
 										<option value="0">00</option>
 										<option value="1">01</option>
@@ -350,7 +350,7 @@
 										<option value="22">22</option>
 										<option value="23">23</option>
 									</select>
-									<label for="h_min_5" class="form-label"><?= _("Minute") ?>:</label>
+									<label for="h_min_5" class="form-label"><?= tohtml( _("Minute")) ?>:</label>
 									<select class="form-select" name="h_min" id="h_min_5" style="width:70px;" form="">
 										<option value="0" selected="selected">00</option>
 										<option value="1">01</option>
@@ -370,7 +370,7 @@
 								</div>
 								<div class="u-pt10">
 									<button type="button" class="button button-secondary js-generate-cron">
-										<?= _("Generate") ?>
+										<?= tohtml( _("Generate")) ?>
 									</button>
 								</div>
 							</fieldset>
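Review bot: The new translation call sites are spelled `tohtml( _("Back"))` with a space after the opening parenthesis, while `tohtml($v_status)` and `tohtml(sprintf(...))` in the same hunks have none; the inconsistent spelling repeats through every hunk of this file and in list_terminal.php, and should be normalized to `tohtml(_("Back"))` (or left to the project's formatter). The `v_cmd`/`v_min`/`v_hour`/`v_day`/`v_month`/`v_wday` inputs swap `htmlentities()` for `tohtml()`, which changes which characters are entity-encoded (htmlentities encodes every character with a named entity, a htmlspecialchars-based helper only the markup-significant ones); assuming `tohtml()` is htmlspecialchars-based this is safe for a quoted attribute, but it is a behaviour change worth a line in the commit message. The surrounding `<form>` continues past these hunks, so its remaining output points are not visible here.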

+ 1 - 1
web/templates/pages/list_terminal.php

@@ -3,7 +3,7 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/user/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</div>