
Add missing HTML/url encoding (5245-chunk4) (#5249)

There were reports that some missing HTML encoding could lead to XSS / JavaScript injection.

Reviewable chunk of #5245 , which grew too large.
divinity76 4 dni temu
rodzic
commit
cec8baaed7

+ 96 - 96
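--- a/web/templates/pages/list_packages.php
+++ b/web/templates/pages/list_packages.php
@@ -3,36 +3,36 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/user/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/add/package/" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Add Package") ?>
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Package")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<form x-data x-bind="BulkEdit" action="/bulk/package/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="delete"><?= _("Delete") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="delete"><?= tohtml( _("Delete")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
@@ -44,62 +44,62 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Packages") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Packages")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("Package") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Package")) ?></div>
 			<div class="units-table-cell"></div>
 			<div class="units-table-cell u-text-center">
-				<i class="fas fa-terminal" title="<?= _("Shell") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Shell") ?></span>
+				<i class="fas fa-terminal" title="<?= tohtml( _("Shell")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Shell")) ?></span>
 			</div>
 			<div class="units-table-cell u-text-center">
-				<i class="fas fa-hard-drive" title="<?= _("Quota") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Quota") ?></span>
+				<i class="fas fa-hard-drive" title="<?= tohtml( _("Quota")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Quota")) ?></span>
 			</div>
 			<div class="units-table-cell u-text-center">
-				<i class="fas fa-right-left" title="<?= _("Bandwidth") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Bandwidth") ?></span>
+				<i class="fas fa-right-left" title="<?= tohtml( _("Bandwidth")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Bandwidth")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-earth-americas" title="<?= _("Web Domains") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Web Domains") ?></span>
+				<i class="fas fa-earth-americas" title="<?= tohtml( _("Web Domains")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Web Domains")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-link" title="<?= _("Web Aliases") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Web Aliases") ?></span>
+				<i class="fas fa-link" title="<?= tohtml( _("Web Aliases")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Web Aliases")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-book-atlas" title="<?= _("DNS Zones") ?>"></i>
-				<span class="u-hidden-visually"><?= _("DNS Zones") ?></span>
+				<i class="fas fa-book-atlas" title="<?= tohtml( _("DNS Zones")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("DNS Zones")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-globe" title="<?= _("DNS Records") ?>"></i>
-				<span class="u-hidden-visually"><?= _("DNS Records") ?></span>
+				<i class="fas fa-globe" title="<?= tohtml( _("DNS Records")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("DNS Records")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-envelopes-bulk" title="<?= _("Mail Domains") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Mail Domains") ?></span>
+				<i class="fas fa-envelopes-bulk" title="<?= tohtml( _("Mail Domains")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Mail Domains")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-inbox" title="<?= _("Mail Accounts") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Mail Accounts") ?></span>
+				<i class="fas fa-inbox" title="<?= tohtml( _("Mail Accounts")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Mail Accounts")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-database" title="<?= _("Databases") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Databases") ?></span>
+				<i class="fas fa-database" title="<?= tohtml( _("Databases")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Databases")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-clock" title="<?= _("Cron Jobs") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Cron Jobs") ?></span>
+				<i class="fas fa-clock" title="<?= tohtml( _("Cron Jobs")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Cron Jobs")) ?></span>
 			</div>
 			<div class="units-table-cell compact u-text-center">
-				<i class="fas fa-file-zipper" title="<?= _("Backups") ?>"></i>
-				<span class="u-hidden-visually"><?= _("Backups") ?></span>
+				<i class="fas fa-file-zipper" title="<?= tohtml( _("Backups")) ?>"></i>
+				<span class="u-hidden-visually"><?= tohtml( _("Backups")) ?></span>
 			</div>
 		</div>
 
@@ -109,23 +109,23 @@
 				++$i;
 			?>
 			<div class="units-table-row js-unit"
-				data-sort-date="<?= strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"]) ?>"
-				data-sort-name="<?= $key ?>"
-				data-sort-bandwidth="<?= $data[$key]["BANDWIDTH"] ?>"
-				data-sort-disk="<?= $data[$key]["DISK_QUOTA"] ?>">
+				data-sort-date="<?= tohtml(strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"])) ?>"
+				data-sort-name="<?= tohtml($key) ?>"
+				data-sort-bandwidth="<?= tohtml($data[$key]["BANDWIDTH"]) ?>"
+				data-sort-disk="<?= tohtml($data[$key]["DISK_QUOTA"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="package[]" value="<?= $key ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="package[]" value="<?= tohtml($key) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Package") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Package")) ?>:</span>
 					<?php if ($key == "system") { ?>
-						<?= $key ?>
+						<?= tohtml($key) ?>
 					<?php } else { ?>
-						<a href="/edit/package/?package=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Edit Package") ?>: <?= $key ?>">
-							<?= $key ?>
+						<a href="/edit/package/?<?= tohtml(http_build_query(["package" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Edit Package")) ?>: <?= tohtml($key) ?>">
+							<?= tohtml($key) ?>
 						</a>
 					<?php } ?>
 				</div>
@@ -135,169 +135,169 @@
 							<li class="units-table-row-action shortcut-enter" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="/edit/package/?package=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Edit Package") ?>"
+									href="/edit/package/?<?= tohtml(http_build_query(["package" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Edit Package")) ?>"
 								>
 									<i class="fas fa-pencil icon-orange"></i>
-									<span class="u-hide-desktop"><?= _("Edit Package") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Edit Package")) ?></span>
 								</a>
 							</li>
 						<?php } ?>
 						<li class="units-table-row-action" data-key-action="href">
 							<a
 								class="units-table-row-action-link"
-								href="/copy/package/?package=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Duplicate") ?>"
+								href="/copy/package/?<?= tohtml(http_build_query(["package" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Duplicate")) ?>"
 							>
 								<i class="fas fa-clone icon-teal"></i>
-								<span class="u-hide-desktop"><?= _("Duplicate") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Duplicate")) ?></span>
 							</a>
 						</li>
 						<?php if ($key != "system") { ?>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/package/?package=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete package %s?"), $key) ?>"
+									href="/delete/package/?<?= tohtml(http_build_query(["package" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete package %s?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						<?php } ?>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Shell") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Shell")) ?>:</span>
 					<?php if ($data[$key]["SHELL"] == "nologin") { ?>
-						<i class="fas fa-circle-minus icon-large" title="<?= _("SSH Access") ?>: <?= $data[$key]["SHELL"] ?>"> </i>
+						<i class="fas fa-circle-minus icon-large" title="<?= tohtml( _("SSH Access")) ?>: <?= tohtml($data[$key]["SHELL"]) ?>"> </i>
 					<?php } else { ?>
 						<i class="fas fa-circle-check icon-green icon-large"></i>
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Quota") ?>:</span>
-					<span title="<?= _("Quota") ?>: <?= humanize_usage_size($data[$key]["DISK_QUOTA"]) ?> <?= humanize_usage_measure($data[$key]["DISK_QUOTA"]) ?>">
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Quota")) ?>:</span>
+					<span title="<?= tohtml( _("Quota")) ?>: <?= tohtml(humanize_usage_size($data[$key]["DISK_QUOTA"])) ?> <?= tohtml(humanize_usage_measure($data[$key]["DISK_QUOTA"])) ?>">
 						<?php if (preg_match("/[a-z]/i", $data[$key]["DISK_QUOTA"])): ?>
 							<span class="u-text-bold">
 								&infin;
 							</span>
 						<?php else: ?>
 							<span class="u-text-bold">
-								<?= humanize_usage_size($data[$key]["DISK_QUOTA"]) ?>
+								<?= tohtml(humanize_usage_size($data[$key]["DISK_QUOTA"])) ?>
 							</span>
 							<span class="u-text-small">
-								<?= humanize_usage_measure($data[$key]["DISK_QUOTA"]) ?>
+								<?= tohtml(humanize_usage_measure($data[$key]["DISK_QUOTA"])) ?>
 							</span>
 						<?php endif; ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Bandwidth") ?>:</span>
-					<span title="<?= _("Bandwidth") ?>: <?= humanize_usage_size($data[$key]["BANDWIDTH"]) ?> <?= humanize_usage_measure($data[$key]["BANDWIDTH"]) ?>">
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Bandwidth")) ?>:</span>
+					<span title="<?= tohtml( _("Bandwidth")) ?>: <?= tohtml(humanize_usage_size($data[$key]["BANDWIDTH"])) ?> <?= tohtml(humanize_usage_measure($data[$key]["BANDWIDTH"])) ?>">
 						<?php if ($data[$key]["BANDWIDTH"] == "unlimited") { ?>
 							<span class="u-text-bold">
 								&infin;
 							</span>
 						<?php } else { ?>
 							<span class="u-text-bold">
-								<?= humanize_usage_size($data[$key]["BANDWIDTH"]) ?>
+								<?= tohtml(humanize_usage_size($data[$key]["BANDWIDTH"])) ?>
 							</span>
 							<span class="u-text-small">
-								<?= humanize_usage_measure($data[$key]["BANDWIDTH"]) ?>
+								<?= tohtml(humanize_usage_measure($data[$key]["BANDWIDTH"])) ?>
 							</span>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Web Domains") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Web Domains") ?>: <?= $data[$key]["WEB_DOMAINS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Web Domains")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Web Domains")) ?>: <?= tohtml($data[$key]["WEB_DOMAINS"]) ?>">
 						<?php if ($data[$key]["WEB_DOMAINS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["WEB_DOMAINS"] ?>
+							<?= tohtml($data[$key]["WEB_DOMAINS"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Web Aliases") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Web Aliases") ?>: <?= $data[$key]["WEB_ALIASES"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Web Aliases")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Web Aliases")) ?>: <?= tohtml($data[$key]["WEB_ALIASES"]) ?>">
 						<?php if ($data[$key]["WEB_ALIASES"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["WEB_ALIASES"] ?>
+							<?= tohtml($data[$key]["WEB_ALIASES"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("DNS Zones") ?>:</span>
-					<span class="units-table-badge" title="<?= _("DNS Zones") ?>: <?= $data[$key]["DNS_DOMAINS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("DNS Zones")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("DNS Zones")) ?>: <?= tohtml($data[$key]["DNS_DOMAINS"]) ?>">
 						<?php if ($data[$key]["DNS_DOMAINS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["DNS_DOMAINS"] ?>
+							<?= tohtml($data[$key]["DNS_DOMAINS"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("DNS Records") ?>:</span>
-					<span class="units-table-badge" title="<?= _("DNS Records") ?>: <?= $data[$key]["DNS_RECORDS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("DNS Records")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("DNS Records")) ?>: <?= tohtml($data[$key]["DNS_RECORDS"]) ?>">
 						<?php if ($data[$key]["DNS_RECORDS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["DNS_RECORDS"] ?>
+							<?= tohtml($data[$key]["DNS_RECORDS"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Mail Domains") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Mail Domains") ?>: <?= $data[$key]["MAIL_DOMAINS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Mail Domains")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Mail Domains")) ?>: <?= tohtml($data[$key]["MAIL_DOMAINS"]) ?>">
 						<?php if ($data[$key]["MAIL_DOMAINS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["MAIL_DOMAINS"] ?>
+							<?= tohtml($data[$key]["MAIL_DOMAINS"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Mail Accounts") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Mail Accounts") ?>: <?= $data[$key]["MAIL_ACCOUNTS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Mail Accounts")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Mail Accounts")) ?>: <?= tohtml($data[$key]["MAIL_ACCOUNTS"]) ?>">
 						<?php if ($data[$key]["MAIL_ACCOUNTS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["MAIL_ACCOUNTS"] ?>
+							<?= tohtml($data[$key]["MAIL_ACCOUNTS"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Databases") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Databases") ?>: <?= $data[$key]["DATABASES"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Databases")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Databases")) ?>: <?= tohtml($data[$key]["DATABASES"]) ?>">
 						<?php if ($data[$key]["DATABASES"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["DATABASES"] ?>
+							<?= tohtml($data[$key]["DATABASES"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Cron Jobs") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Cron Jobs") ?>: <?= $data[$key]["CRON_JOBS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Cron Jobs")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Cron Jobs")) ?>: <?= tohtml($data[$key]["CRON_JOBS"]) ?>">
 						<?php if ($data[$key]["CRON_JOBS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["CRON_JOBS"] ?>
+							<?= tohtml($data[$key]["CRON_JOBS"]) ?>
 						<?php } ?>
 					</span>
 				</div>
 				<div class="units-table-cell compact u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Backups") ?>:</span>
-					<span class="units-table-badge" title="<?= _("Backups") ?>: <?= $data[$key]["BACKUPS"] ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Backups")) ?>:</span>
+					<span class="units-table-badge" title="<?= tohtml( _("Backups")) ?>: <?= tohtml($data[$key]["BACKUPS"]) ?>">
 						<?php if ($data[$key]["BACKUPS"] == "unlimited") { ?>
 							&infin;
 						<?php } else { ?>
-							<?= $data[$key]["BACKUPS"] ?>
+							<?= tohtml($data[$key]["BACKUPS"]) ?>
 						<?php } ?>
 					</span>
 				</div>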
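Review bot: The edit, copy and delete links in the last hunk now build their query with `http_build_query`, which fixes the encoding, but the CSRF token is still carried in the query string of a plain GET link (`/delete/package/?package=…&token=…`), so it lands in browser history, proxy and access logs, and in the Referer sent from the target page, and a destructive delete stays reachable by GET. The bulk form at the top of this file already shows the safer shape — `method="post"` with the token in a hidden `<input>` — and the per-row delete could reuse it; the `js-confirm-action` handler that fires these links is outside this diff. Separately, `data-sort-date` hands the raw return of `strtotime()` to `tohtml`, and `strtotime` returns `false` when DATE/TIME do not parse, so depending on `tohtml`'s signature that row either gets an empty attribute or a type error; `data-sort-date="<?= tohtml((int) strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"])) ?>"` keeps the attribute numeric with 0 as the fallback. `tohtml` itself is defined elsewhere; every new call site here is inside a double-quoted attribute or a text node, which HTML entity escaping covers, and none of them lands in a `<script>` block or inline event handler where it would not.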

+ 6 - 6
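--- a/web/templates/pages/login/login.php
+++ b/web/templates/pages/login/login.php
@@ -1,21 +1,21 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form id="login-form" method="post" action="/login/">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<h1 class="login-title">
-			<?= sprintf(_("Welcome to %s"), htmlentities($_SESSION["APP_NAME"])) ?>
+			<?= tohtml(sprintf(_("Welcome to %s"), $_SESSION["APP_NAME"])) ?>
 		</h1>
 		<?php if (!empty($error)) { ?>
-			<p class="error"><?= $error ?></p>
+			<p class="error"><?= tohtml($error) ?></p>
 		<?php } ?>
 		<div class="u-mb20">
-			<label for="username" class="form-label"><?= _("Username") ?></label>
+			<label for="username" class="form-label"><?= tohtml( _("Username")) ?></label>
 			<input type="text" class="form-control" name="user" id="username" autocomplete="username" required autofocus>
 		</div>
 		<button type="submit" class="button">
-			<i class="fas fa-right-to-bracket"></i><?= _("Next") ?>
+			<i class="fas fa-right-to-bracket"></i><?= tohtml( _("Next")) ?>
 		</button>
 	</form>
 </div>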
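Review bot: `tohtml($error)` on the error paragraph is the right default, but it is only a complete fix if every code path that sets `$error` supplies plain text; a handler that builds it with markup (a link to a reset page, a `<br>`) will now render the tags literally, so the login controller that assigns `$error` — outside this diff — should be checked before merging. The `Welcome to %s` line also moves from escaping only `APP_NAME` to escaping the whole formatted string, which is safer but means a translation that deliberately contains HTML would stop rendering as HTML; that is acceptable but worth a sentence in the description. Since `tohtml` is not visible here, confirm it escapes with `ENT_QUOTES | ENT_SUBSTITUTE` and an explicit UTF-8 charset: without `ENT_SUBSTITUTE`, `htmlentities` on PHP before 8.1 returns an empty string for input that is not valid UTF-8, which would silently blank the `alt` text and the `token` hidden field rather than escape them.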