
Improve HTML encoding (5245-chunk) (#5246)

* Improve HTML encoding (5245-chunk)

Reviewable chunk of https://github.com/hestiacp/hestiacp/pull/5245.
5245 grew too large to comfortably review.

* Update web/templates/pages/edit_web.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update web/templates/pages/edit_web.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Use JS-safe encoding for certificate toggle labels

Replace HTML-escaped Alpine x-text string literals with JSON-encoded strings in edit_web.php to avoid JS-context escaping issues in translations.

* fix

* fix

* fix

* fix

* fix

* fix

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
divinity76 6 дней назад
Родитель
Сommit
ce3e464dab
3 измененных файлов с 195 добавлено и 182 удалено
  1. 21 0
      web/inc/helpers.php
  2. 134 132
      web/templates/pages/edit_web.php
  3. 40 50
      web/templates/pages/list_dns_rec.php

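--- a/web/inc/helpers.php
+++ b/web/inc/helpers.php
@@ -25,6 +25,27 @@ const E_UPDATE = 19;
 const E_RESTART = 20;
 const E_API_DISABLED = 21;
 
+if (!function_exists("tohtml")) {
+	function tohtml(string|int|float|bool|null $str): string {
+		if ($str === null || $str === "") {
+			return "";
+		}
+		if (is_int($str) || is_float($str)) {
+			return (string) $str;
+		}
+		if (is_bool($str)) {
+			return $str ? "1" : "0";
+		}
+
+		return htmlentities(
+			$str,
+			ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML5,
+			"UTF-8",
+			true,
+		);
+	}
+}
+
 /**
  * Looks for a code equivalent to "exit_code" to use in http_code.
  *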
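Review bot: The `if (!function_exists("tohtml"))` guard around the new escaper means any earlier-loaded definition of `tohtml` silently wins, so every template that now relies on `tohtml()` for HTML escaping would get whatever that other definition does, possibly no escaping at all; an output-encoding primitive should be defined unconditionally, or the guard inverted into a hard failure such as `if (function_exists("tohtml")) { throw new \LogicException("tohtml() is already defined"); }`. The function also has no docblock stating its contract; I would add one above it saying that it escapes a scalar for HTML text and double-quoted attribute contexts only, that null and "" yield "" while ints, floats and bools are rendered as-is, and that it is not safe on its own for JavaScript, URL or CSS contexts (the edit_web.php changes correctly pair it with `http_build_query()` for query strings and with `json_encode()` plus `JSON_HEX_*` flags for Alpine expressions, and that pairing is worth stating where callers will see it). Note that `htmlentities()` with `ENT_HTML5` rewrites every character that has a named entity, not only the HTML-significant ones; `htmlspecialchars()` with the same flags gives identical XSS protection with smaller output, though both are correct here.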

+ 134 - 132
web/templates/pages/edit_web.php

@@ -3,20 +3,20 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/web/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
-			<a href="/delete/web/cache/?domain=<?= htmlentities($v_domain);?>&token=<?= $_SESSION['token'];?>" class="button button-secondary js-clear-cache-button <?php if (!($v_nginx_cache == 'yes' || (($v_proxy_template == 'caching' || is_int(strpos($v_proxy_template, 'caching-'))) && $_SESSION['PROXY_SYSTEM'] == 'nginx'))) { echo "u-hidden"; } ?>">
-				<i class="fas fa-trash icon-red"></i><?= _("Purge NGINX Cache") ?>
+			<a href="/delete/web/cache/?<?= tohtml(http_build_query(["domain" => $v_domain, "token" => $_SESSION['token']])) ?>" class="button button-secondary js-clear-cache-button <?php if (!($v_nginx_cache == 'yes' || (($v_proxy_template == 'caching' || is_int(strpos($v_proxy_template, 'caching-'))) && $_SESSION['PROXY_SYSTEM'] == 'nginx'))) { echo "u-hidden"; } ?>">
+				<i class="fas fa-trash icon-red"></i><?= tohtml( _("Purge NGINX Cache")) ?>
 			</a>
 			<?php if ($_SESSION["PLUGIN_APP_INSTALLER"] !== "false") { ?>
-				<a href="/add/webapp/?domain=<?= htmlentities($v_domain) ?>" class="button button-secondary">
-					<i class="fas fa-magic icon-blue"></i><?= _("Quick Install App") ?>
+				<a href="/add/webapp/?<?= tohtml(http_build_query(["domain" => $v_domain])) ?>" class="button button-secondary">
+					<i class="fas fa-magic icon-blue"></i><?= tohtml( _("Quick Install App")) ?>
 				</a>
 			<?php } ?>
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -24,47 +24,50 @@
 <!-- End toolbar -->
 
 <div class="container">
+	<?php
+		$web_x_data = [
+			"statsAuthEnabled" => !empty($v_stats_user),
+			"redirectEnabled" => !empty($v_redirect),
+			"sslEnabled" => $v_ssl == "yes",
+			"letsEncryptEnabled" => $v_letsencrypt == "yes" || $v_letsencrypt == "on",
+			"showCertificates" => !($v_letsencrypt == "yes" || $v_letsencrypt == "on"),
+			"showAdvanced" => false,
+			"nginxCacheEnabled" => $v_nginx_cache == "yes",
+			"proxySupportEnabled" => !empty($v_proxy),
+			"customDocumentRootEnabled" => !empty($v_custom_doc_root),
+		];
+	?>
 
 	<form
-		x-data="{
-			statsAuthEnabled: <?= !empty($v_stats_user) ? "true" : "false" ?>,
-			redirectEnabled: <?= !empty($v_redirect) ? "true" : "false" ?>,
-			sslEnabled: <?= $v_ssl == "yes" ? "true" : "false" ?>,
-			letsEncryptEnabled: <?= $v_letsencrypt == "yes" || $v_letsencrypt == "on" ? "true" : "false" ?>,
-			showCertificates: <?= $v_letsencrypt == "yes" || $v_letsencrypt == "on" ? "false" : "true" ?>,
-			showAdvanced: false,
-			nginxCacheEnabled: <?= $v_nginx_cache == "yes" ? "true" : "false" ?>,
-			proxySupportEnabled: <?= !empty($v_proxy) ? "true" : "false" ?>,
-			customDocumentRootEnabled: <?= !empty($v_custom_doc_root) ? "true" : "false" ?>
-		}"
+		x-data="<?= tohtml(json_encode($web_x_data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_THROW_ON_ERROR)) ?>"
 		id="main-form"
 		name="v_edit_web"
 		method="post"
-		class="<?= $v_status ?> js-enable-inputs-on-submit"
+		class="<?= tohtml($v_status) ?> js-enable-inputs-on-submit"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit Web Domain") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Web Domain")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" disabled required>
-				<input type="hidden" name="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
+				<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" disabled required>
+				<input type="hidden" name="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_aliases" class="form-label"><?= _("Aliases") ?></label>
-				<textarea class="form-control" name="v_aliases" id="v_aliases"><?= htmlentities(trim($v_aliases, "'")) ?></textarea>
+				<label for="v_aliases" class="form-label"><?= tohtml( _("Aliases")) ?></label>
+				<textarea class="form-control" name="v_aliases" id="v_aliases"><?= tohtml(trim($v_aliases, "'")) ?></textarea>
 			</div>
 			<?php if ($v_letsencrypt == "yes" || $v_letsencrypt == "on") { ?>
 				<div class="alert alert-info u-mb10" role="alert">
 					<i class="fas fa-exclamation"></i>
-					<p><?= _("If the aliases changes, Let's Encrypt will obtain a new SSL certificate.") ?></p>
+					<p><?= tohtml( _("If the aliases changes, Let's Encrypt will obtain a new SSL certificate.")) ?></p>
 				</div>
 			<?php } ?>
 			<div class="u-mb20">
-				<label for="v_ip" class="form-label"><?= _("IP Address") ?></label>
+				<label for="v_ip" class="form-label"><?= tohtml( _("IP Address")) ?></label>
 				<select class="form-select" name="v_ip" id="v_ip">
 					<?php
 						foreach ($ips as $ip => $value) {
@@ -76,7 +79,7 @@
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_stats" class="form-label"><?= _("Web Statistics") ?></label>
+				<label for="v_stats" class="form-label"><?= tohtml( _("Web Statistics")) ?></label>
 				<select class="form-select js-stats-select" name="v_stats" id="v_stats">
 					<?php
 						foreach ($stats as $key => $value) {
@@ -95,25 +98,25 @@
 				<div class="form-check">
 					<input x-model="statsAuthEnabled" class="form-check-input" type="checkbox" name="v_stats_auth" id="v_stats_auth">
 					<label for="v_stats_auth">
-						<?= _("Statistics Authorization") ?>
+						<?= tohtml( _("Statistics Authorization")) ?>
 					</label>
 				</div>
 			</div>
 			<div class="u-pl30 js-stats-auth">
 				<div x-cloak x-show="statsAuthEnabled" name="v-add-web-domain-stats-user">
 					<div class="u-mb10">
-						<label for="v_stats_user" class="form-label"><?= _("Username") ?></label>
-						<input type="text" class="form-control" name="v_stats_user" id="v_stats_user" value="<?= htmlentities(trim($v_stats_user, "'")) ?>">
+						<label for="v_stats_user" class="form-label"><?= tohtml( _("Username")) ?></label>
+						<input type="text" class="form-control" name="v_stats_user" id="v_stats_user" value="<?= tohtml(trim($v_stats_user, "'")) ?>">
 					</div>
 					<div class="u-mb20">
 						<label for="v_password" class="form-label">
-							<?= _("Password") ?>
-							<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+							<?= tohtml( _("Password")) ?>
+							<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 								<i class="fas fa-arrows-rotate icon-green"></i>
 							</button>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control js-password-input" name="v_stats_password" id="v_password" value="<?= trim($v_stats_password, "'") ?>">
+							<input type="text" class="form-control js-password-input" name="v_stats_password" id="v_password" value="<?= tohtml(trim($v_stats_password, "'")) ?>">
 						</div>
 					</div>
 				</div>
@@ -121,40 +124,39 @@
 			<div class="form-check u-mb10">
 				<input x-model="redirectEnabled" class="form-check-input" type="checkbox" name="v-redirect-checkbox" id="v-redirect-checkbox">
 				<label for="v-redirect-checkbox">
-					<?= _("Enable domain redirection") ?>
+					<?= tohtml( _("Enable domain redirection")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="redirectEnabled" id="v_redirect" class="u-pl30 u-mb10">
 				<div class="form-check">
-					<input class="form-check-input js-redirect-custom-value" type="radio" name="v-redirect" id="v-redirect-radio-1" value="<?='www.'.htmlentities($v_domain);?>" <?php if ($v_redirect == "www.".$v_domain) echo 'checked'; ?>>
+					<input class="form-check-input js-redirect-custom-value" type="radio" name="v-redirect" id="v-redirect-radio-1" value="<?= tohtml('www.'.$v_domain) ?>" <?php if ($v_redirect == "www.".$v_domain) echo 'checked'; ?>>
 					<label for="v-redirect-radio-1">
-						<?= sprintf(_("Redirect visitors to %s"), "www." . htmlentities($v_domain)) ?>
+						<?= tohtml(sprintf(_("Redirect visitors to %s"), "www." . $v_domain)) ?>
 					</label>
 				</div>
 				<div class="form-check">
-					<input class="form-check-input js-redirect-custom-value" type="radio" name="v-redirect" id="v-redirect-radio-2" value="<?= htmlentities($v_domain);?>" <?php if ( $v_redirect == $v_domain) echo 'checked'; ?>>
+					<input class="form-check-input js-redirect-custom-value" type="radio" name="v-redirect" id="v-redirect-radio-2" value="<?= tohtml($v_domain) ?>" <?php if ( $v_redirect == $v_domain) echo 'checked'; ?>>
 					<label for="v-redirect-radio-2">
-						<?= sprintf(_("Redirect visitors to %s"), htmlentities($v_domain)) ?>
+						<?= tohtml(sprintf(_("Redirect visitors to %s"), $v_domain)) ?>
 					</label>
 				</div>
 				<div class="form-check">
 					<input class="form-check-input js-redirect-custom-value" type="radio" name="v-redirect" id="v-redirect-radio-3" value="custom" <?php if ( !empty($v_redirect_custom)) echo 'checked'; ?>>
 					<label for="v-redirect-radio-3">
-						<?= _("Redirect visitors to a custom domain or web address") ?>
+						<?= tohtml( _("Redirect visitors to a custom domain or web address")) ?>
 					</label>
 				</div>
 				<div class="u-pl30 js-custom-redirect-fields <?php if (empty($v_redirect_custom)) { echo 'u-hidden'; } ?>">
 					<div class="u-mt15 u-mb10">
-						<label for="v-redirect-custom" class="form-label"><?= _("Target domain or URL") ?></label>
-						<input type="text" class="form-control" name="v-redirect-custom" id="v-redirect-custom" value="<?= $v_redirect_custom ?>">
+						<label for="v-redirect-custom" class="form-label"><?= tohtml( _("Target domain or URL")) ?></label>
+						<input type="text" class="form-control" name="v-redirect-custom" id="v-redirect-custom" value="<?= tohtml($v_redirect_custom) ?>">
 					</div>
 					<div class="u-mb20">
-						<label for="v-redirect-code" class="form-label"><?= _("Status code") ?>:</label>
+						<label for="v-redirect-code" class="form-label"><?= tohtml( _("Status code")) ?>:</label>
 						<select class="form-select" name="v-redirect-code" id="v-redirect-code">
 							<?php foreach ($redirect_code_options as $status_code): ?>
-							<option value="<?= $status_code ?>"
-								<?= trim($v_redirect_code) === $status_code || (empty($v_redirect_code) && $status_code === trim($v_redirect_code)) ? ' selected="selected" ' : "" ?>>
-								<?= $status_code ?>
+								<option value="<?= tohtml($status_code) ?>" <?php if ((int) $v_redirect_code === (int) $status_code) echo 'selected="selected"'; ?>>
+								<?= tohtml($status_code) ?>
 							</option>
 							<?php endforeach; ?>
 						</select>
@@ -164,26 +166,26 @@
 			<div class="form-check u-mb10">
 				<input x-model="sslEnabled" class="form-check-input" type="checkbox" name="v_ssl" id="v_ssl">
 				<label for="v_ssl">
-					<?= _("Enable SSL for this domain") ?>
+					<?= tohtml( _("Enable SSL for this domain")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="sslEnabled" class="u-pl30">
 				<div class="form-check u-mb10">
 					<input x-model="letsEncryptEnabled" class="form-check-input js-toggle-lets-encrypt" type="checkbox" name="v_letsencrypt" id="v_letsencrypt">
 					<label for="v_letsencrypt">
-						<?= _("Use Let's Encrypt to obtain SSL certificate") ?>
+						<?= tohtml( _("Use Let's Encrypt to obtain SSL certificate")) ?>
 					</label>
 				</div>
 				<div class="form-check u-mb10">
 					<input class="form-check-input" type="checkbox" name="v_ssl_forcessl" id="v_ssl_forcessl" <?php if ($v_ssl_forcessl == 'yes') echo 'checked' ?>>
 					<label for="v_ssl_forcessl">
-						<?= _("Enable automatic HTTPS redirection") ?>
+						<?= tohtml( _("Enable automatic HTTPS redirection")) ?>
 					</label>
 				</div>
 				<div class="form-check u-mb20">
 					<input class="form-check-input" type="checkbox" name="v_ssl_hsts" id="ssl_hsts" <?php if ($v_ssl_hsts == 'yes') echo 'checked' ?>>
 					<label for="ssl_hsts">
-						<?= _("Enable HTTP Strict Transport Security (HSTS)") ?>
+						<?= tohtml( _("Enable HTTP Strict Transport Security (HSTS)")) ?>
 						<a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank">
 							<i class="fas fa-question-circle"></i>
 						</a>
@@ -192,62 +194,62 @@
 				<div x-cloak x-show="showCertificates" class="js-ssl-details">
 					<div class="u-mb10">
 						<label for="ssl_crt" class="form-label">
-							<?= _("SSL Certificate") ?>
-							<span id="generate-csr"> / <a class="form-link" target="_blank" href="/generate/ssl/?domain=<?= htmlentities($v_domain) ?>"><?= _("Generate Self-Signed SSL Certificate") ?></a></span>
+							<?= tohtml( _("SSL Certificate")) ?>
+							<span id="generate-csr"> / <a class="form-link" target="_blank" href="/generate/ssl/?<?= tohtml(http_build_query(["domain" => $v_domain])) ?>"><?= tohtml( _("Generate Self-Signed SSL Certificate")) ?></a></span>
 						</label>
-						<textarea class="form-control u-min-height100 u-console" name="v_ssl_crt" id="ssl_crt"><?= htmlentities(trim($v_ssl_crt, "'")) ?></textarea>
+						<textarea class="form-control u-min-height100 u-console" name="v_ssl_crt" id="ssl_crt"><?= tohtml(trim($v_ssl_crt, "'")) ?></textarea>
 					</div>
 					<div class="u-mb10">
-						<label for="v_ssl_key" class="form-label"><?= _("SSL Private Key") ?></label>
-						<textarea class="form-control u-min-height100 u-console" name="v_ssl_key" id="v_ssl_key"><?= htmlentities(trim($v_ssl_key, "'")) ?></textarea>
+						<label for="v_ssl_key" class="form-label"><?= tohtml( _("SSL Private Key")) ?></label>
+						<textarea class="form-control u-min-height100 u-console" name="v_ssl_key" id="v_ssl_key"><?= tohtml(trim($v_ssl_key, "'")) ?></textarea>
 					</div>
 					<div class="u-mb20">
 						<label for="v_ssl_ca" class="form-label">
-							<?= _("SSL Certificate Authority / Intermediate") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+							<?= tohtml( _("SSL Certificate Authority / Intermediate")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 						</label>
-						<textarea class="form-control u-min-height100 u-console" name="v_ssl_ca" id="v_ssl_ca"><?= htmlentities(trim($v_ssl_ca, "'")) ?></textarea>
+						<textarea class="form-control u-min-height100 u-console" name="v_ssl_ca" id="v_ssl_ca"><?= tohtml(trim($v_ssl_ca, "'")) ?></textarea>
 					</div>
 				</div>
 				<?php if ($v_ssl != "no") { ?>
 					<ul class="values-list">
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Issued To") ?></span>
-							<span class="values-list-value"><?= $v_ssl_subject ?></span>
+							<span class="values-list-label"><?= tohtml( _("Issued To")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_subject) ?></span>
 						</li>
 						<?php if ($v_ssl_aliases) {
 							$v_ssl_aliases = str_replace(",", ", ", $v_ssl_aliases); ?>
 							<li class="values-list-item">
-								<span class="values-list-label"><?= _("Alternate") ?></span>
-								<span class="values-list-value"><?= $v_ssl_aliases ?></span>
+								<span class="values-list-label"><?= tohtml( _("Alternate")) ?></span>
+								<span class="values-list-value"><?= tohtml($v_ssl_aliases) ?></span>
 							</li>
 						<?php } ?>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Not Before") ?></span>
-							<span class="values-list-value"><?= $v_ssl_not_before ?></span>
+							<span class="values-list-label"><?= tohtml( _("Not Before")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_not_before) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Not After") ?></span>
-							<span class="values-list-value"><?= $v_ssl_not_after ?></span>
+							<span class="values-list-label"><?= tohtml( _("Not After")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_not_after) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Signature") ?></span>
-							<span class="values-list-value"><?= $v_ssl_signature ?></span>
+							<span class="values-list-label"><?= tohtml( _("Signature")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_signature) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Key Size") ?></span>
-							<span class="values-list-value"><?= $v_ssl_pub_key ?></span>
+							<span class="values-list-label"><?= tohtml( _("Key Size")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_pub_key) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Issued By") ?></span>
-							<span class="values-list-value"><?= $v_ssl_issuer ?></span>
+							<span class="values-list-label"><?= tohtml( _("Issued By")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_issuer) ?></span>
 						</li>
 						<p x-cloak x-show="letsEncryptEnabled" id="letsinfo">
 							<button
 								type="button"
 								class="form-link"
 								x-on:click="showCertificates = !showCertificates"
-								x-text="showCertificates ? '<?= _("Hide Certificate") ?>' : '<?= _("Show Certificate") ?>'">
-								<?= _("Show Certificate") ?>
+								x-text="showCertificates ? <?= json_encode(_("Hide Certificate"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR) ?> : <?= json_encode(_("Show Certificate"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR) ?>">
+								<?= tohtml( _("Show Certificate")) ?>
 							</button>
 						</p>
 					</ul>
@@ -255,14 +257,14 @@
 			</div>
 			<div class="u-mt15 u-mb20">
 				<button x-on:click="showAdvanced = !showAdvanced" type="button" class="button button-secondary">
-					<?= _("Advanced Options") ?>
+					<?= tohtml( _("Advanced Options")) ?>
 				</button>
 			</div>
 			<div x-cloak x-show="showAdvanced">
 				<?php if ($_SESSION["userContext"] === "admin" || ($_SESSION["userContext"] === "user" && $_SESSION["POLICY_USER_EDIT_WEB_TEMPLATES"] === "yes")) { ?>
 					<div class="u-mb10">
 						<label for="v_template" class="form-label">
-							<?= _("Web Template") . "<span class='optional'>" . strtoupper($_SESSION["WEB_SYSTEM"]) . "</span>" ?>
+							<?= tohtml( _("Web Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["WEB_SYSTEM"])) ?></span>
 						</label>
 						<select class="form-select" name="v_template" id="v_template">
 							<?php
@@ -281,7 +283,7 @@
 						<div class="form-check u-mb10">
 							<input x-model="nginxCacheEnabled" class="form-check-input" type="checkbox" name="v_nginx_cache_check" id="v_nginx_cache_check">
 							<label for="v_nginx_cache_check">
-								<?= _("Enable FastCGI cache") ?>
+								<?= tohtml( _("Enable FastCGI cache")) ?>
 								<a href="https://hestiacp.com/docs/server-administration/web-templates.html#nginx-fastcgi-cache" target="_blank" class="u-ml5">
 									<i class="fas fa-circle-question"></i>
 								</a>
@@ -290,29 +292,29 @@
 						<div x-cloak x-show="nginxCacheEnabled" id="v_nginx_duration" class="u-pl30">
 							<div class="u-mb10">
 								<label for="v_nginx_cache_duration" class="form-label">
-									<?= _("Cache Duration") ?> <span class="optional">(<?= _("For example") ?>: 30s, 10m or 1d)</span>
+									<?= tohtml( _("Cache Duration")) ?> <span class="optional">(<?= tohtml( _("For example")) ?>: 30s, 10m or 1d)</span>
 								</label>
-								<input type="text" class="form-control" name="v_nginx_cache_duration" id="v_nginx_cache_duration" value="<?= htmlentities(trim($v_nginx_cache_duration, "'")) ?>">
+								<input type="text" class="form-control" name="v_nginx_cache_duration" id="v_nginx_cache_duration" value="<?= tohtml(trim($v_nginx_cache_duration, "'")) ?>">
 							</div>
 						</div>
 					<?php } ?>
 					<?php if (!empty($_SESSION["WEB_BACKEND"])) { ?>
 						<div class="u-mb10">
-							<label for="v_backend_template" class="form-label">
-								<?= _("Backend Template") . " <span class='optional'>" . strtoupper($_SESSION["WEB_BACKEND"]) . "</span>" ?>
-							</label>
+								<label for="v_backend_template" class="form-label">
+									<?= tohtml( _("Backend Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["WEB_BACKEND"])) ?></span>
+								</label>
 							<select class="form-select" name="v_backend_template" id="v_backend_template">
 								<?php
 									foreach ($backend_templates as $key => $value) {
-										echo "\t\t\t\t<option value=\"".$value."\"";
+										echo "\t\t\t\t<option value=\"".tohtml($value)."\"";
 										$svalue = "'".$value."'";
-										if ((!empty($v_backend_template)) && ( $value == $v_backend_template ) || ($svalue == $v_backend_template)){
+										if ((!empty($v_backend_template)) && (($value == $v_backend_template) || ($svalue == $v_backend_template))) {
 											echo ' selected' ;
 										}
 										if ((empty($v_backend_template)) && ($value == 'default')){
 											echo ' selected' ;
 										}
-										echo ">".htmlentities($value)."</option>\n";
+										echo ">".tohtml($value)."</option>\n";
 									}
 								?>
 							</select>
@@ -322,33 +324,33 @@
 						<div style="display: none;">
 							<div class="form-check u-mb10">
 								<input x-model="proxySupportEnabled" class="form-check-input" type="checkbox" name="v_proxy" id="v_proxy">
-								<label for="v_proxy">
-									<?= _("Proxy Support") . "<span class='optional'>" . strtoupper($_SESSION["PROXY_SYSTEM"]) . "</span>" ?>
-								</label>
+									<label for="v_proxy">
+										<?= tohtml( _("Proxy Support")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["PROXY_SYSTEM"])) ?></span>
+									</label>
 							</div>
 						</div>
 						<div x-cloak x-show="proxySupportEnabled" id="proxytable">
 							<div class="u-mb10">
-								<label for="v_proxy_template" class="form-label"><?= _("Proxy Template") ?></label>
+								<label for="v_proxy_template" class="form-label"><?= tohtml( _("Proxy Template")) ?></label>
 								<select class="form-select js-proxy-template-select" name="v_proxy_template" id="v_proxy_template">
 									<?php
 										foreach ($proxy_templates as $key => $value) {
-											echo "\t\t\t\t<option value=\"".htmlentities($value)."\"";
+											echo "\t\t\t\t<option value=\"".tohtml($value)."\"";
 											$svalue = "'".$value."'";
-											if ((!empty($v_proxy_template)) && ( $value == $v_proxy_template ) || ($svalue == $v_proxy_template)){
+											if ((!empty($v_proxy_template)) && (($value == $v_proxy_template) || ($svalue == $v_proxy_template))) {
 												echo ' selected' ;
 											}
 											if ((empty($v_proxy_template)) && ($value == 'default')){
 												echo ' selected' ;
 											}
-											echo ">".htmlentities($value)."</option>\n";
+											echo ">".tohtml($value)."</option>\n";
 										}
 									?>
 								</select>
 							</div>
 							<div class="u-mb10">
-								<label for="v_proxy_ext" class="form-label"><?= _("Proxy Extensions") ?></label>
-								<textarea class="form-control u-min-height100" name="v_proxy_ext" id="v_proxy_ext"><?php if (!empty($v_proxy_ext)) { echo htmlentities(trim($v_proxy_ext, "'"));} else { echo 'jpg, jpeg, gif, png, ico, svg, css, zip, tgz, gz, rar, bz2, exe, pdf, doc, xls, ppt, txt, odt, ods, odp, odf, tar, bmp, rtf, js, mp3, avi, mpeg, flv, html, htm'; } ?></textarea>
+								<label for="v_proxy_ext" class="form-label"><?= tohtml( _("Proxy Extensions")) ?></label>
+								<textarea class="form-control u-min-height100" name="v_proxy_ext" id="v_proxy_ext"><?php if (!empty($v_proxy_ext)) { echo tohtml(trim($v_proxy_ext, "'"));} else { echo 'jpg, jpeg, gif, png, ico, svg, css, zip, tgz, gz, rar, bz2, exe, pdf, doc, xls, ppt, txt, odt, ods, odp, odf, tar, bmp, rtf, js, mp3, avi, mpeg, flv, html, htm'; } ?></textarea>
 							</div>
 						</div>
 					<?php } ?>
@@ -356,27 +358,27 @@
 				<div class="form-check u-mb10">
 					<input x-model="customDocumentRootEnabled" class="form-check-input" type="checkbox" name="v_custom_doc_root_check" id="v_custom_doc_root_check">
 					<label for="v_custom_doc_root_check">
-						<?= _("Custom document root") ?>
+						<?= tohtml( _("Custom document root")) ?>
 					</label>
 				</div>
 				<div x-cloak x-show="customDocumentRootEnabled" id="v_custom_doc_root" class="u-pl30">
 					<div class="u-mb10">
-						<label for="v-custom-doc-domain" class="form-label"><?= _("Point to") ?></label>
-						<input type="hidden" class="js-custom-docroot-prepath" name="v-custom-doc-root_prepath" value="<?= $v_custom_doc_root_prepath ?>">
+						<label for="v-custom-doc-domain" class="form-label"><?= tohtml( _("Point to")) ?></label>
+						<input type="hidden" class="js-custom-docroot-prepath" name="v-custom-doc-root_prepath" value="<?= tohtml($v_custom_doc_root_prepath) ?>">
 						<select class="form-select js-custom-docroot-domain" name="v-custom-doc-domain" id="v-custom-doc-domain">
 							<?php foreach ($user_domains as $domain): ?>
-							<option value="<?= htmlentities($domain) ?>"
-								<?= $v_custom_doc_domain === $domain || (empty($v_custom_doc_domain) && $domain === $v_domain) ? ' selected="selected" ' : "" ?>>
-								<?= htmlentities($domain) ?>
+							<option value="<?= tohtml($domain) ?>"
+								<?php if ($v_custom_doc_domain === $domain || (empty($v_custom_doc_domain) && $domain === $v_domain)) echo 'selected="selected"'; ?>>
+								<?= tohtml($domain) ?>
 							</option>
 							<?php endforeach; ?>
 						</select>
 					</div>
 					<div class="u-mb10">
 						<label for="v-custom-doc-folder" class="form-label">
-							<?php print _("Directory"); ?> <span class="optional">(<?= _("Optional") ?>)</span>
+							<?= tohtml( _("Directory")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 						</label>
-						<input type="text" class="form-control js-custom-docroot-dir" name="v-custom-doc-folder" id="v-custom-doc-folder" value="<?= htmlentities(trim($v_custom_doc_folder, "'")) ?>">
+						<input type="text" class="form-control js-custom-docroot-dir" name="v-custom-doc-folder" id="v-custom-doc-folder" value="<?= tohtml(trim($v_custom_doc_folder, "'")) ?>">
 						<small class="js-custom-docroot-hint"></small>
 					</div>
 				</div>
@@ -384,7 +386,7 @@
 					<div class="form-check u-mb10">
 						<input class="form-check-input js-toggle-ftp-accounts" type="checkbox" name="v_ftp" id="v_ftp" <?php if (!empty($v_ftp_user)) echo 'checked' ?>>
 						<label for="v_ftp">
-							<?= _("Additional FTP account(s)") ?>
+							<?= tohtml( _("Additional FTP account(s)")) ?>
 						</label>
 					</div>
 					<div class="js-active-ftp-accounts">
@@ -398,40 +400,40 @@
 						?>
 						<div class="js-ftp-account js-ftp-account-nrm" name="v_add_domain_ftp" style="<?php if (empty($v_ftp_user)) { echo 'display: none;'; } ?>">
 							<div class="u-mb10">
-								<?= _("FTP") ?> #<span class="js-ftp-user-number"><?= $i + 1; ?></span>
-								<button type="button" class="form-link form-link-danger u-ml5 js-delete-ftp-account"><?= _("Delete") ?></button>
-								<input type="hidden" class="js-ftp-user-deleted" name="v_ftp_user[<?= $i ?>][delete]" value="0">
-								<input type="hidden" class="js-ftp-user-is-new" name="v_ftp_user[<?= $i ?>][is_new]" value="<?= htmlentities($ftp_user['is_new']) ?>">
+								<?= tohtml( _("FTP")) ?> #<span class="js-ftp-user-number"><?= tohtml($i + 1) ?></span>
+								<button type="button" class="form-link form-link-danger u-ml5 js-delete-ftp-account"><?= tohtml( _("Delete")) ?></button>
+								<input type="hidden" class="js-ftp-user-deleted" name="v_ftp_user[<?= tohtml($i) ?>][delete]" value="0">
+								<input type="hidden" class="js-ftp-user-is-new" name="v_ftp_user[<?= tohtml($i) ?>][is_new]" value="<?= tohtml($ftp_user['is_new']) ?>">
 							</div>
 							<div class="u-pl30 u-mb10">
-								<label for="v_ftp_user[<?= $i ?>][v_ftp_user]" class="form-label">
-									<?= _("Username") ?><br>
-									<span style="color:#777;"><?= sprintf(_('Prefix %s will be added to username automatically'),$user_plain."_");?></span>
+								<label for="v_ftp_user[<?= tohtml($i) ?>][v_ftp_user]" class="form-label">
+									<?= tohtml( _("Username")) ?><br>
+									<span style="color:#777;"><?= tohtml(sprintf(_('Prefix %s will be added to username automatically'),$user_plain."_")) ?></span>
 								</label>
-								<input type="text" class="form-control js-ftp-user" <?= $ftp_user['is_new'] != 1 ? 'disabled="disabled"' : '' ?>
-								name="v_ftp_user[<?= $i ?>][v_ftp_user]" id="v_ftp_user[<?= $i ?>][v_ftp_user]" value="<?= htmlentities(trim($v_ftp_user, "'")) ?>">
+								<input type="text" class="form-control js-ftp-user"<?= $ftp_user['is_new'] != 1 ? ' disabled="disabled"' : '' ?>
+								name="v_ftp_user[<?= tohtml($i) ?>][v_ftp_user]" id="v_ftp_user[<?= tohtml($i) ?>][v_ftp_user]" value="<?= tohtml(trim($v_ftp_user, "'")) ?>">
 								<small class="hint js-ftp-user-hint"></small>
 							</div>
 							<div class="u-pl30 u-mb10">
-								<label for="v_ftp_user[<?= $i ?>][v_ftp_password]" class="form-label">
-									<?= _("Password") ?>
-									<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-ftp-password-generate">
+								<label for="v_ftp_user[<?= tohtml($i) ?>][v_ftp_password]" class="form-label">
+									<?= tohtml( _("Password")) ?>
+									<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-ftp-password-generate">
 										<i class="fas fa-arrows-rotate icon-green"></i>
 									</button>
 								</label>
-								<input type="text" class="form-control js-ftp-user-psw" name="v_ftp_user[<?= $i ?>][v_ftp_password]" id="v_ftp_user[<?= $i ?>][v_ftp_password]" value="<?= htmlentities(trim($v_ftp_password, "'")) ?>">
+								<input type="text" class="form-control js-ftp-user-psw" name="v_ftp_user[<?= tohtml($i) ?>][v_ftp_password]" id="v_ftp_user[<?= tohtml($i) ?>][v_ftp_password]" value="<?= tohtml(trim($v_ftp_password, "'")) ?>">
 							</div>
 							<div class="u-pl30 u-mb10">
-								<label for="v_ftp_user[<?= $i ?>][v_ftp_path]" class="form-label"><?= _("Path") ?></label>
-								<input type="hidden" name="v_ftp_pre_path" value="<?=!empty($v_ftp_pre_path) ? htmlentities(trim($v_ftp_pre_path, "'")) : '/'; ?>">
-								<input type="hidden" name="v_ftp_user[<?= $i ?>][v_ftp_path_prev]" value="<?php if (!empty($v_ftp_path)) echo ($v_ftp_path[0] != '/' ? '/' : '').htmlentities(trim($v_ftp_path, "'")) ?>">
-								<input type="text" class="form-control js-ftp-path" name="v_ftp_user[<?= $i ?>][v_ftp_path]" id="v_ftp_user[<?= $i ?>][v_ftp_path]" value="<?php if (!empty($v_ftp_path)) echo ($v_ftp_path[0] != '/' ? '/' : '').htmlentities(trim($v_ftp_path, "'")) ?>">
-								<span class="hint-prefix"><?= htmlentities(trim($v_ftp_pre_path, "'")) ?></span><span class="hint js-ftp-path-hint"></span>
+								<label for="v_ftp_user[<?= tohtml($i) ?>][v_ftp_path]" class="form-label"><?= tohtml( _("Path")) ?></label>
+								<input type="hidden" name="v_ftp_pre_path" value="<?= tohtml(!empty($v_ftp_pre_path) ? trim($v_ftp_pre_path, "'") : '/') ?>">
+								<input type="hidden" name="v_ftp_user[<?= tohtml($i) ?>][v_ftp_path_prev]" value="<?php if (!empty($v_ftp_path)) echo tohtml(($v_ftp_path[0] != '/' ? '/' : '') . trim($v_ftp_path, "'")); ?>">
+								<input type="text" class="form-control js-ftp-path" name="v_ftp_user[<?= tohtml($i) ?>][v_ftp_path]" id="v_ftp_user[<?= tohtml($i) ?>][v_ftp_path]" value="<?php if (!empty($v_ftp_path)) echo tohtml(($v_ftp_path[0] != '/' ? '/' : '') . trim($v_ftp_path, "'")); ?>">
+								<span class="hint-prefix"><?= tohtml(trim($v_ftp_pre_path, "'")) ?></span><span class="hint js-ftp-path-hint"></span>
 							</div>
 							<?php if ($ftp_user['is_new'] == 1): ?>
 								<div class="u-pl30 u-mb10">
-									<label for="v_ftp_user[<?= $i ?>][v_ftp_email]" class="form-label"><?= _("Send FTP credentials to email") ?></label>
-									<input type="email" class="form-control js-email-alert-on-psw" name="v_ftp_user[<?= $i ?>][v_ftp_email]" id="v_ftp_user[<?= $i ?>][v_ftp_email]" value="<?= htmlentities(trim($v_ftp_email, "'")) ?>">
+									<label for="v_ftp_user[<?= tohtml($i) ?>][v_ftp_email]" class="form-label"><?= tohtml( _("Send FTP credentials to email")) ?></label>
+									<input type="email" class="form-control js-email-alert-on-psw" name="v_ftp_user[<?= tohtml($i) ?>][v_ftp_email]" id="v_ftp_user[<?= tohtml($i) ?>][v_ftp_email]" value="<?= tohtml(trim($v_ftp_email, "'")) ?>">
 								</div>
 							<?php endif; ?>
 						</div>
@@ -439,7 +441,7 @@
 					</div>
 
 					<button type="button" class="form-link u-mt20 js-add-ftp-account" style="<?php if (empty($v_ftp_user)) echo 'display: none;' ?>">
-						<?= _("Add FTP account") ?>
+						<?= tohtml( _("Add FTP account")) ?>
 					</button>
 				<?php } ?>
 			</div>
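Review bot: The new call is written `tohtml( _("Add FTP account"))` with a space after the opening parenthesis, while the other new calls in this file such as `tohtml($i)` have none; the same spacing recurs in the template hunk below and throughout the list_dns_rec.php hunks. Normalising to `tohtml(_("Add FTP account"))` (or letting the project's formatter handle it) keeps the escaping calls uniform and easier to grep for.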
@@ -452,36 +454,36 @@
 <div class="u-hidden js-ftp-account-template">
 	<div class="js-ftp-account js-ftp-account-nrm" name="v_add_domain_ftp">
 		<div class="u-mb10">
-			<?= _("FTP") ?> #<span class="js-ftp-user-number"></span>
-			<button type="button" class="form-link form-link-danger u-ml5 js-delete-ftp-account"><?= _("Delete") ?></button>
+			<?= tohtml( _("FTP")) ?> #<span class="js-ftp-user-number"></span>
+			<button type="button" class="form-link form-link-danger u-ml5 js-delete-ftp-account"><?= tohtml( _("Delete")) ?></button>
 			<input type="hidden" class="js-ftp-user-deleted" name="v_ftp_user[%INDEX%][delete]" value="0">
 			<input type="hidden" class="js-ftp-user-is-new" name="v_ftp_user[%INDEX%][is_new]" value="1">
 		</div>
 		<div class="u-pl30 u-mb10">
 			<label for="v_ftp_user[%INDEX%][v_ftp_user]" class="form-label">
-				<?= _("Username") ?><br>
-				<span style="color:#777;"><?= sprintf(_("Prefix %s will be added to username automatically"), $user_plain . "_") ?></span>
+				<?= tohtml( _("Username")) ?><br>
+				<span style="color:#777;"><?= tohtml(sprintf(_("Prefix %s will be added to username automatically"), $user_plain . "_")) ?></span>
 			</label>
 			<input type="text" class="form-control js-ftp-user" name="v_ftp_user[%INDEX%][v_ftp_user]" id="v_ftp_user[%INDEX%][v_ftp_user]" value="">
 			<small class="hint js-ftp-user-hint"></small>
 		</div>
 		<div class="u-pl30 u-mb10">
 			<label for="v_ftp_user[%INDEX%][v_ftp_password]" class="form-label">
-				<?= _("Password") ?>
-				<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-ftp-password-generate">
+				<?= tohtml( _("Password")) ?>
+				<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-ftp-password-generate">
 					<i class="fas fa-arrows-rotate icon-green"></i>
 				</button>
 			</label>
 			<input type="text" class="form-control js-ftp-user-psw" name="v_ftp_user[%INDEX%][v_ftp_password]" id="v_ftp_user[%INDEX%][v_ftp_password]">
 		</div>
 		<div class="u-pl30 u-mb10">
-			<label for="v_ftp_user[%INDEX%][v_ftp_path]" class="form-label"><?= _("Path") ?></label>
+			<label for="v_ftp_user[%INDEX%][v_ftp_path]" class="form-label"><?= tohtml( _("Path")) ?></label>
 			<input type="hidden" name="v_ftp_pre_path" value="">
 			<input type="text" class="form-control js-ftp-path" name="v_ftp_user[%INDEX%][v_ftp_path]" id="v_ftp_user[%INDEX%][v_ftp_path]" value="">
-			<span class="hint-prefix"><?= htmlentities(trim($v_ftp_pre_path_new_user, "'")) ?></span><span class="hint js-ftp-path-hint"></span>
+			<span class="hint-prefix"><?= tohtml(trim($v_ftp_pre_path_new_user, "'")) ?></span><span class="hint js-ftp-path-hint"></span>
 		</div>
 		<div class="u-pl30 u-mb10">
-			<label for="v_ftp_user[%INDEX%][v_ftp_email]" class="form-label"><?= _("Send FTP credentials to email") ?></label>
+			<label for="v_ftp_user[%INDEX%][v_ftp_email]" class="form-label"><?= tohtml( _("Send FTP credentials to email")) ?></label>
 			<input type="email" class="form-control js-email-alert-on-psw" name="v_ftp_user[%INDEX%][v_ftp_email]" id="v_ftp_user[%INDEX%][v_ftp_email]" value="">
 		</div>
 	</div>

+ 40 - 50
web/templates/pages/list_dns_rec.php

@@ -1,53 +1,43 @@
-<?php
-	if (!function_exists("tohtml")){
-		function tohtml(string $str): string{
-			if ($str === '') {
-				return '';
-			}
-			return htmlentities($str, ENT_QUOTES|ENT_SUBSTITUTE|ENT_DISALLOWED|ENT_HTML5, 'UTF-8', true);
-		}
-	}
-?>
 <!-- Begin toolbar -->
 <div class="toolbar">
 	<div class="toolbar-inner">
 			<div class="toolbar-buttons">
 				<a class="button button-secondary button-back js-button-back" href="/list/dns/">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 				<?php if ($read_only !== "true") { ?>
 					<a href="/add/dns/?<?= tohtml(http_build_query(array("domain" => $_GET["domain"]))) ?>" class="button button-secondary js-button-create">
-						<i class="fas fa-circle-plus icon-green"></i><?= _("Add Record") ?>
+						<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Record")) ?>
 					</a>
 					<a href="/edit/dns/?<?= tohtml(http_build_query(array("domain" => $_GET["domain"]))) ?>" class="button button-secondary js-button-create">
-						<i class="fas fa-pencil icon-blue"></i><?= _("Edit DNS Domain") ?>
+						<i class="fas fa-pencil icon-blue"></i><?= tohtml( _("Edit DNS Domain")) ?>
 					</a>
 				<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Record'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-value">
-						<span class="name"><?= _("IP or Value") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("IP or Value")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-record">
-						<span class="name"><?= _("Record") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Record")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-ttl" data-sort-as-int="1">
-						<span class="name"><?= _("TTL") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("TTL")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-type">
-						<span class="name"><?= _("Type") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Type")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
@@ -55,12 +45,12 @@
 						<input type="hidden" name="domain" value="<?= tohtml($_GET["domain"]) ?>">
 						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
-							<option value="suspend"><?= _("Suspend") ?></option>
-							<option value="unsuspend"><?= _("Unsuspend") ?></option>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+							<option value="suspend"><?= tohtml( _("Suspend")) ?></option>
+							<option value="unsuspend"><?= tohtml( _("Unsuspend")) ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
@@ -69,8 +59,8 @@
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
 					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
@@ -82,19 +72,19 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("DNS Records") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("DNS Records")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>"<?= $display_mode === "disabled" ? " disabled" : "" ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Record") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Record")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Priority") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("TTL") ?></div>
-			<div class="units-table-cell"><?= _("IP or Value") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Priority")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("TTL")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("IP or Value")) ?></div>
 		</div>
 
 		<!-- Begin DNS record list item loop -->
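Review bot: The new strict check `$display_mode === "disabled" ? " disabled" : ""` on the select-all checkbox replaces echoing `$display_mode` verbatim, so any other value the controller assigns (for instance `disabled="disabled"` or a string with surrounding whitespace) is now silently dropped and the checkbox stays enabled in read-only mode; the variable is set outside this file, so confirm its exact value against the controller. The same expression is repeated on the per-record checkbox in the next hunk; computing it once before the table, e.g. `<?php $disabled_attr = $display_mode === "disabled" ? " disabled" : ""; ?>`, would keep the two in step.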
@@ -108,24 +98,24 @@
 					}
 			?>
 				<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-					data-sort-date="<?= tohtml((string)strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
+					data-sort-date="<?= tohtml(strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
 					data-sort-record="<?= tohtml($data[$key]['RECORD']) ?>"
 					data-sort-type="<?= tohtml($data[$key]['TYPE']) ?>"
 					data-sort-ttl="<?= tohtml($data[$key]['TTL']) ?>"
 					data-sort-value="<?= tohtml($data[$key]['VALUE']) ?>">
 					<div class="units-table-cell">
 						<div>
-							<input id="check<?= tohtml($data[$key]["ID"]) ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="record[]" value="<?= tohtml($data[$key]["ID"]) ?>" <?= $display_mode ?>>
-							<label for="check<?= tohtml($data[$key]["ID"]) ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+							<input id="check<?= tohtml($data[$key]["ID"]) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="record[]" value="<?= tohtml($data[$key]["ID"]) ?>"<?= $display_mode === "disabled" ? " disabled" : "" ?>>
+							<label for="check<?= tohtml($data[$key]["ID"]) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 						</div>
 					</div>
 					<div class="units-table-cell units-table-heading-cell u-text-bold">
-						<span class="u-hide-desktop"><?= _("Record") ?>:</span>
+						<span class="u-hide-desktop"><?= tohtml( _("Record")) ?>:</span>
 							<?php if (($read_only === 'true') || ($data[$key]['SUSPENDED'] == 'yes')) { ?>
-								<?= tohtml(substr($data[$key]['RECORD'], 0, 12)); if (strlen($data[$key]['RECORD']) > 12 ) echo '...'; ?>
+								<?= tohtml(substr($data[$key]['RECORD'], 0, 12)) ?><?php if (strlen($data[$key]['RECORD']) > 12 ) echo '...'; ?>
 							<?php } else { ?>
 								<a href="/edit/dns/?<?= tohtml(http_build_query(array("domain" => $_GET['domain'], "record_id" => $data[$key]['ID'], "token" => $_SESSION['token']))) ?>" title="<?= tohtml(_("Edit DNS Record") . ': '.$data[$key]['RECORD']) ?>">
-									<?= tohtml(substr($data[$key]['RECORD'], 0, 12)); if (strlen($data[$key]['RECORD']) > 12 ) echo '...'; ?>
+									<?= tohtml(substr($data[$key]['RECORD'], 0, 12)) ?><?php if (strlen($data[$key]['RECORD']) > 12 ) echo '...'; ?>
 								</a>
 							<?php } ?>
 						</div>
@@ -138,10 +128,10 @@
 											<a
 												class="units-table-row-action-link"
 												href="/edit/dns/?<?= tohtml(http_build_query(array("domain" => $_GET["domain"], "record_id" => $data[$key]["ID"], "token" => $_SESSION["token"]))) ?>"
-												title="<?= _("Edit DNS Record") ?>"
+												title="<?= tohtml( _("Edit DNS Record")) ?>"
 											>
 												<i class="fas fa-pencil icon-orange"></i>
-												<span class="u-hide-desktop"><?= _("Edit DNS Record") ?></span>
+												<span class="u-hide-desktop"><?= tohtml( _("Edit DNS Record")) ?></span>
 											</a>
 									</li>
 								<?php } ?>
@@ -149,12 +139,12 @@
 									<a
 										class="units-table-row-action-link data-controls js-confirm-action"
 										href="/delete/dns/?<?= tohtml(http_build_query(array("domain" => $_GET["domain"], "record_id" => $data[$key]["ID"], "token" => $_SESSION["token"]))) ?>"
-										title="<?= _("Delete") ?>"
-										data-confirm-title="<?= _("Delete") ?>"
+										title="<?= tohtml( _("Delete")) ?>"
+										data-confirm-title="<?= tohtml( _("Delete")) ?>"
 										data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete record %s?"), $key)) ?>"
 									>
 										<i class="fas fa-trash icon-red"></i>
-										<span class="u-hide-desktop"><?= _("Delete") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
@@ -162,19 +152,19 @@
 					<?php } ?>
 					</div>
 					<div class="units-table-cell u-text-bold u-text-center-desktop">
-						<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+						<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 						<?= tohtml($data[$key]["TYPE"]) ?>
 					</div>
 					<div class="units-table-cell u-text-center-desktop">
-						<span class="u-hide-desktop u-text-bold"><?= _("Priority") ?>:</span>
+						<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Priority")) ?>:</span>
 						<?= tohtml($data[$key]["PRIORITY"]) ?>
 					</div>
 					<div class="units-table-cell u-text-center-desktop">
-						<span class="u-hide-desktop u-text-bold"><?= _("TTL") ?>:</span>
+						<span class="u-hide-desktop u-text-bold"><?= tohtml( _("TTL")) ?>:</span>
 						<?php if ($data[$key]['TTL'] == ''){ echo tohtml(_('Default')); } else { echo tohtml($data[$key]['TTL']);} ?>
 					</div>
 					<div class="units-table-cell">
-						<span class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</span>
+						<span class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</span>
 						<span class="u-text-break">
 							<?= tohtml($data[$key]["VALUE"]) ?>
 						</span>