
Harden template escaping with shared tohtml helper (#5245)

* Harden template escaping with shared tohtml helper

* Remove double encoding

* more double-encode fixes

* fix

* fix

* fix

* double encode fix

* fix

* fix

* fix

* fix

* more htmlspecialchars > tohtml

* tohtml(urlencode(...)) fix

* more html(urlencode)

* fix

* fix copilot review

* make tohtml() accept null.

* Align edit_web escaping with chunk branch

Merge back the remaining edit_web.php adjustments from more-htmlencode-chunk1 to keep more-htmlencode in sync.

* Use JS-safe encoding for certificate toggle labels

Replace HTML-escaped Alpine x-text string literals with JSON-encoded strings in edit_web.php to avoid JS-context escaping issues in translations.

* fix

* fix

* fix

* fix

* fix

* fix

* Update web/templates/pages/list_user.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix

* fix

* fix

* fix

* Fix row ids and item counting

web/templates/pages/list_backup_detail.php
Comment on lines +103 to +104
						<input id="check2<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="mail[]" value="<?= tohtml($key) ?>">
						<label for="check2<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
Copilot AI
18 minutes ago
$i is only incremented in the WEB loop, but this MAIL section uses $i to form checkbox id/for. That means every mail row will reuse the same id (e.g. check2N), breaking label targeting and potentially any JS relying on unique ids; it also makes the footer item count inaccurate. Increment $i inside this loop (and the other loops) or use a unique per-row identifier (e.g. derived from $key) for the id/for attributes.

web/templates/pages/list_backup_detail.php
Comment on lines +143 to +144
						<input id="check3<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="dns[]" value="<?= tohtml($key) ?>">
						<label for="check3<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
Copilot AI
18 minutes ago
This DNS section also uses $i for id/for, but $i is not incremented in this loop, so multiple DNS rows will end up with duplicate checkbox ids. Increment $i per iteration (or switch the id to a unique value derived from $key) to keep ids unique and keep the footer count correct.

web/templates/pages/list_backup_detail.php
Comment on lines +183 to +184
						<input id="check4<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="db[]" value="<?= tohtml($key) ?>">
						<label for="check4<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
Copilot AI
19 minutes ago
In the DB loop, $i is reused for the checkbox id/for without being incremented per database entry, which will generate duplicate ids for multiple DB rows. Increment $i inside this loop (or generate a unique id from $key) to avoid broken label associations and incorrect item counting.

web/templates/pages/list_backup_detail.php
Comment on lines +259 to +260
						<input id="check6<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="udir[]" value="<?= tohtml($key) ?>">
						<label for="check6<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
Copilot AI
19 minutes ago
The UDIR loop reuses $i for checkbox id/for but doesn’t increment $i per user-directory row, so ids will be duplicated when there are multiple entries. Increment $i in this loop (or derive a unique id from $key) to keep ids unique and the footer item count accurate.

* fix

* unique counter names

so we don't accidentally end up with like "foo1 foo2 foo3 bar4 bar5" but instead "foo1 foo2 foo3 bar1 bar2"

* fix

* fix

* fix

* fix

* indentation

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix

* fix

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
divinity76 1 week ago
parent commit: d2d3aaee25
64 changed files with 1694 additions and 1679 deletions
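The escaping layers this commit applies, as an added example that is not HestiaCP's own code: the tohtml() stand-in below is an assumption about the shared helper (its definition is not shown on this page), and the render functions reproduce the HTML-text, URL-in-attribute and JS-in-attribute patterns from the diff, plus the double-encoding mistake the commit message's fix-up steps remove.

```php
<?php
declare(strict_types=1);

// Added example, not HestiaCP code. Stand-in for the shared tohtml() helper the
// commit introduces (assumption: its real definition is not on this page).
// Accepts null (the commit message says the helper was changed to do so),
// escapes both quote characters so it is safe inside double- and single-quoted
// attributes, and substitutes invalid UTF-8 instead of returning "".
function tohtml(?string $value): string
{
    return htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// HTML text / attribute context: escape exactly once, at the point of output.
function render_label(string $forId, string $translated): string
{
    return '<label for="' . tohtml($forId) . '">' . tohtml($translated) . '</label>';
}

// URL query inside an attribute: http_build_query() handles the URL layer, then
// tohtml() handles the attribute layer, as in the add_key.php "Back" link.
function render_back_link(string $user): string
{
    $query = http_build_query(['user' => $user]);
    return '<a href="/list/key/?' . tohtml($query) . '">Back</a>';
}

// JavaScript expression inside an Alpine attribute: json_encode() produces a
// valid JS string literal, tohtml() then makes it attribute-safe. The browser
// decodes the entities before Alpine evaluates the expression.
function render_toggle(string $onLabel, string $offLabel): string
{
    $js = 'enabled ? ' . json_encode($onLabel, JSON_THROW_ON_ERROR)
        . ' : ' . json_encode($offLabel, JSON_THROW_ON_ERROR);
    return '<span x-text="' . tohtml($js) . '"></span>';
}

// The mistake behind the "Remove double encoding" steps: escaping output that
// was already escaped turns "&" into "&amp;amp;", so users see literal entities.
function render_label_double_encoded(string $forId, string $translated): string
{
    $alreadyEscaped = htmlspecialchars($translated, ENT_QUOTES, 'UTF-8');
    return render_label($forId, $alreadyEscaped);
}

// Constructed sample value containing a character that matters in each context.
$sample = 'O\'Brien & <b>"Co"</b>';
echo render_label('v_comment', $sample), PHP_EOL;
echo render_back_link($sample), PHP_EOL;
echo render_toggle('Enabled & on', $sample), PHP_EOL;
echo render_label_double_encoded('v_comment', $sample), PHP_EOL;
```

The double-encoded variant emits `&amp;amp;` where the single-escaped one emits `&amp;`, which is the visible symptom the commit's fix-up steps remove.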
1. +9 -9 web/templates/pages/add_access_key.php
2. +28 -24 web/templates/pages/add_db.php
3. +16 -16 web/templates/pages/add_firewall.php
4. +15 -15 web/templates/pages/add_firewall_ipset.php
5. +16 -16 web/templates/pages/add_ip.php
6. +8 -8 web/templates/pages/add_key.php
7. +24 -24 web/templates/pages/add_mail.php
8. +31 -31 web/templates/pages/add_mail_acc.php
9. +24 -24 web/templates/pages/add_user.php
10. +12 -12 web/templates/pages/add_web.php
11. +12 -12 web/templates/pages/edit_backup_exclusions.php
12. +18 -18 web/templates/pages/edit_dns.php
13. +19 -19 web/templates/pages/edit_dns_rec.php
14. +17 -17 web/templates/pages/edit_firewall.php
15. +18 -18 web/templates/pages/edit_ip.php
16. +53 -53 web/templates/pages/edit_mail.php
17. +33 -33 web/templates/pages/edit_mail_acc.php
18. +82 -84 web/templates/pages/edit_package.php
19. +9 -9 web/templates/pages/edit_server_bind9.php
20. +23 -23 web/templates/pages/edit_server_dovecot.php
21. +8 -8 web/templates/pages/edit_server_httpd.php
22. +14 -14 web/templates/pages/edit_server_mysql.php
23. +9 -9 web/templates/pages/edit_server_pgsql.php
24. +16 -16 web/templates/pages/edit_server_php.php
25. +8 -8 web/templates/pages/edit_server_service.php
26. +24 -24 web/templates/pages/edit_whitelabel.php
27. +18 -18 web/templates/pages/generate_ssl.php
28. +11 -11 web/templates/pages/list_access_key.php
29. +40 -40 web/templates/pages/list_access_keys.php
30. +43 -43 web/templates/pages/list_backup.php
31. +55 -55 web/templates/pages/list_backup_detail_incremental.php
32. +11 -11 web/templates/pages/list_backup_exclusions.php
33. +31 -31 web/templates/pages/list_backup_incremental.php
34. +59 -59 web/templates/pages/list_cron.php
35. +89 -77 web/templates/pages/list_db.php
36. +77 -77 web/templates/pages/list_dns.php
37. +12 -12 web/templates/pages/list_dns_public.php
38. +27 -27 web/templates/pages/list_files_incremental.php
39. +70 -70 web/templates/pages/list_firewall.php
40. +27 -27 web/templates/pages/list_firewall_banlist.php
41. +31 -31 web/templates/pages/list_firewall_ipset.php
42. +53 -53 web/templates/pages/list_ip.php
43. +20 -20 web/templates/pages/list_key.php
44. +34 -34 web/templates/pages/list_log.php
45. +26 -26 web/templates/pages/list_log_auth.php
46. +72 -72 web/templates/pages/list_mail_acc.php
47. +48 -48 web/templates/pages/list_mail_dns.php
48. +11 -11 web/templates/pages/list_rrd.php
49. +35 -35 web/templates/pages/list_search.php
50. +19 -19 web/templates/pages/list_server_info.php
51. +11 -11 web/templates/pages/list_server_preview.php
52. +63 -63 web/templates/pages/list_services.php
53. +17 -17 web/templates/pages/list_ssl.php
54. +17 -17 web/templates/pages/list_updates.php
55. +9 -9 web/templates/pages/list_webapps.php
56. +26 -25 web/templates/pages/list_weblog.php
57. +8 -8 web/templates/pages/login/login_1.php
58. +8 -8 web/templates/pages/login/login_2.php
59. +8 -8 web/templates/pages/login/login_a.php
60. +10 -10 web/templates/pages/login/reset2fa.php
61. +8 -8 web/templates/pages/login/reset_1.php
62. +9 -9 web/templates/pages/login/reset_2.php
63. +10 -10 web/templates/pages/login/reset_3.php
64. +25 -25 web/templates/pages/setup_webapp.php

+ 9 - 9
web/templates/pages/add_access_key.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/access-key/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
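Review bot: the new calls are written as `tohtml( _("Back"))` and `tohtml( _("Save"))` with a stray space after the opening parenthesis, while the same diff writes `tohtml($_SESSION["token"])` without one; pick one form (the latter is the conventional one) and apply it consistently across the templates so the formatter does not produce a follow-up whitespace-only diff.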
@@ -17,24 +17,24 @@
 
 <div class="container">
 	<form id="main-form" name="v_add_access_key" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add Access Key") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Access Key")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
-			<p class="u-mb10"><?= _("Permissions") ?></p>
+			<p class="u-mb10"><?= tohtml( _("Permissions")) ?></p>
 			<?php foreach ($apis as $api_name => $api_data) { ?>
 				<div class="form-check">
-					<input class="form-check-input" type="checkbox" value="<?= $api_name ?>" name="v_apis[]" id="v_apis_<?= $api_name ?>" tabindex="5">
-					<label for="v_apis_<?= $api_name ?>">
-						<?= _($api_name) ?>
+					<input class="form-check-input" type="checkbox" value="<?= tohtml($api_name) ?>" name="v_apis[]" id="v_apis_<?= tohtml($api_name) ?>" tabindex="5">
+					<label for="v_apis_<?= tohtml($api_name) ?>">
+						<?= tohtml( _($api_name)) ?>
 					</label>
 				</div>
 			<?php } ?>
 			<div class="u-mt15">
 				<label for="v_comment" class="form-label">
-					<?= _("Comment") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("Comment")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
 				<input type="text" class="form-control" name="v_comment" id="v_comment" maxlength="255">
 			</div>
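Review bot: tohtml() is now relied on inside double-quoted attribute values (the hidden token input and the v_apis checkbox `value`/`id`/`for`), but its definition is not part of this diff; confirm the helper escapes both quote characters (htmlspecialchars with at least ENT_QUOTES) and fixes the charset to UTF-8, otherwise a value containing a quote would still terminate the attribute. The `id`/`for` pair stays consistent because both sides go through the same call, so label targeting is preserved.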

+ 28 - 24
web/templates/pages/add_db.php

@@ -3,13 +3,13 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/db/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
 				<button type="submit" class="button" form="main-form">
-					<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+					<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 				</button>
 			<?php } ?>
 		</div>
@@ -21,41 +21,45 @@
 
 	<form
 		x-data="{
-			showAdvanced: <?= empty($v_adv) ? "false" : "true" ?>
+			showAdvanced: <?= tohtml(empty($v_adv) ? "false" : "true") ?>
 		}"
 		id="main-form"
 		name="v_add_db"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add Database") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Database")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<?php if ($_SESSION["role"] == "admin" && $accept !== "true") { ?>
 				<div class="alert alert-danger" role="alert">
 					<i class="fas fa-exclamation"></i>
-					<p><?= htmlify_trans(sprintf(_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."), _('a database')), '</a>', '<a href="/add/user/">'); ?></p>
+					<p><?= htmlify_trans(sprintf(_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."), _('a database')), '</a>', '<a href="/add/user/">') ?></p>
 				</div>
 			<?php } ?>
 			<?php if ($_SESSION["role"] == "admin" && empty($accept)) { ?>
 				<div class="u-side-by-side u-mt20">
-					<a href="/add/user/" class="button u-width-full u-mr10"><?= _("Add User") ?></a>
-					<a href="/add/db/?accept=true" class="button button-danger u-width-full u-ml10"><?= _("Continue") ?></a>
+					<a href="/add/user/" class="button u-width-full u-mr10"><?= tohtml( _("Add User")) ?></a>
+					<a href="/add/db/?<?= tohtml(http_build_query(["accept" => 'true'])) ?>" class="button button-danger u-width-full u-ml10"><?= tohtml( _("Continue")) ?></a>
 				</div>
 			<?php } ?>
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
-				<p class="hint u-mb20">
-					<?= sprintf(_("Prefix %s will be automatically added to database name and database user"), "<span class=\"u-text-bold\">" . $user_plain . "_</span>") ?>
-				</p>
+					<p class="hint u-mb20">
+						<?php
+							$prefix_hint = tohtml(_("Prefix %s will be automatically added to database name and database user"));
+							$prefix_hint_html = '<span class="u-text-bold">' . tohtml($user_plain) . '_</span>';
+							printf($prefix_hint, $prefix_hint_html);
+						?>
+					</p>
 				<div class="u-mb10">
-					<label for="v_database" class="form-label"><?= _("Database") ?></label>
-					<input type="text" class="form-control js-db-hint-database-name" name="v_database" id="v_database" value="<?= htmlentities(trim($v_database, "'")) ?>">
+					<label for="v_database" class="form-label"><?= tohtml( _("Database")) ?></label>
+					<input type="text" class="form-control js-db-hint-database-name" name="v_database" id="v_database" value="<?= tohtml(trim($v_database, "'")) ?>">
 					<small class="hint"></small>
 				</div>
 				<div class="u-mb10">
-					<label for="v_type" class="form-label"><?= _("Type") ?></label>
+					<label for="v_type" class="form-label"><?= tohtml( _("Type")) ?></label>
 					<select class="form-select" name="v_type" id="v_type">
 						<?php
 							foreach ($db_types as $key => $value) {
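Review bot: the rewritten prefix hint (`<p class="hint u-mb20">` through `</p>`) is indented one tab deeper than its sibling `<div class="u-mb10">` directly below it; align it with the surrounding block so the diff only carries the escaping change. Two smaller points in the same hunk: `showAdvanced: <?= tohtml(empty($v_adv) ? "false" : "true") ?>` sits inside the `x-data` JS context, where tohtml() on the two literals is harmless, but the JS-context convention this commit adopts for edit_web.php (json_encode first, then HTML-escape) is the pattern to follow if that expression ever carries a non-constant value; and `htmlify_trans(...)` is still emitted without tohtml() because it intentionally injects the `<a>` markup, which leaves that helper responsible for escaping the translated text it wraps.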
@@ -68,16 +72,16 @@
 				</div>
 				<div class="u-mb10">
 					<label for="v_dbuser" class="form-label u-side-by-side">
-						<?= _("Username") ?>
-						<em><small>(<?= sprintf(_("Maximum %s characters length, including prefix"), 32) ?>)</small></em>
+						<?= tohtml( _("Username")) ?>
+						<em><small>(<?= tohtml(sprintf(_("Maximum %s characters length, including prefix"), 32)) ?>)</small></em>
 					</label>
-					<input type="text" class="form-control js-db-hint-username" name="v_dbuser" id="v_dbuser" value="<?= htmlentities(trim($v_dbuser, "'")) ?>">
+					<input type="text" class="form-control js-db-hint-username" name="v_dbuser" id="v_dbuser" value="<?= tohtml(trim($v_dbuser, "'")) ?>">
 					<small class="hint"></small>
 				</div>
 				<div class="u-mb10">
 					<label for="v_password" class="form-label">
-						<?= _("Password") ?>
-						<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+						<?= tohtml( _("Password")) ?>
+						<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 							<i class="fas fa-arrows-rotate icon-green"></i>
 						</button>
 					</label>
@@ -91,18 +95,18 @@
 				<?php require $_SERVER["HESTIA"] . "/web/templates/includes/password-requirements.php"; ?>
 				<div class="u-mb20">
 					<label for="v_db_email" class="form-label">
-						<?= _("Email login credentials to:") ?>
+						<?= tohtml( _("Email login credentials to:")) ?>
 					</label>
-					<input type="email" class="form-control" name="v_db_email" id="v_db_email" value="<?= htmlentities(trim($v_db_email, "'")) ?>">
+					<input type="email" class="form-control" name="v_db_email" id="v_db_email" value="<?= tohtml(trim($v_db_email, "'")) ?>">
 				</div>
 				<div class="u-mb20">
 					<button x-on:click="showAdvanced = !showAdvanced" type="button" class="button button-secondary">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 				</div>
 				<div x-cloak x-show="showAdvanced">
 					<div class="u-mb10">
-						<label for="v_host" class="form-label"><?= _("Host") ?></label>
+						<label for="v_host" class="form-label"><?= tohtml( _("Host")) ?></label>
 						<select class="form-select" name="v_host" id="v_host">
 							<?php
 								foreach ($db_hosts as $value) {
@@ -114,7 +118,7 @@
 						</select>
 					</div>
 					<div class="u-mb10">
-						<label for="v_charset" class="form-label"><?= _("Charset") ?></label>
+						<label for="v_charset" class="form-label"><?= tohtml( _("Charset")) ?></label>
 						<select class="form-select" name="v_charset" id="v_charset">
 							<option value=big5 <?php if ((!empty($v_charset)) && ( $v_charset == 'big5')) echo 'selected'; ?>>big5</option>
 							<option value=dec8 <?php if ((!empty($v_charset)) && ( $v_charset == 'dec8')) echo 'selected'; ?>>dec8</option>

+ 16 - 16
web/templates/pages/add_firewall.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/firewall/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,21 +18,21 @@
 <div class="container">
 
 	<form id="main-form" name="v_add_ip" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add Firewall Rule") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Firewall Rule")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_action" class="form-label"><?= _("Action") ?></label>
+				<label for="v_action" class="form-label"><?= tohtml( _("Action")) ?></label>
 				<select class="form-select" name="v_action" id="v_action">
-					<option value="DROP" <?php if ((!empty($v_action)) && ( $v_action == "'DROP'" )) echo 'selected'?>><?= _("DROP") ?></option>
-					<option value="ACCEPT" <?php if ((!empty($v_action)) && ( $v_action == "'ACCEPT'" )) echo 'selected'?>><?= _("ACCEPT") ?></option>
+					<option value="DROP" <?php if ((!empty($v_action)) && ( $v_action == "'DROP'" )) echo 'selected'?>><?= tohtml( _("DROP")) ?></option>
+					<option value="ACCEPT" <?php if ((!empty($v_action)) && ( $v_action == "'ACCEPT'" )) echo 'selected'?>><?= tohtml( _("ACCEPT")) ?></option>
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_protocol" class="form-label"><?= _("Protocol") ?></label>
+				<label for="v_protocol" class="form-label"><?= tohtml( _("Protocol")) ?></label>
 				<select class="form-select" name="v_protocol" id="v_protocol">
 					<option value="TCP" <?php if ((!empty($v_protocol)) && ( $v_protocol == "'TCP'" )) echo 'selected'?>>TCP</option>
 					<option value="UDP" <?php if ((!empty($v_protocol)) && ( $v_protocol == "'UDP'" )) echo 'selected'?>>UDP</option>
@@ -41,31 +41,31 @@
 			</div>
 			<div class="u-mb10">
 				<label for="v_port" class="form-label">
-					<?= _("Port") ?> <span class="optional">(<?= _("Ranges and lists are acceptable") ?>)</span>
+					<?= tohtml( _("Port")) ?> <span class="optional">(<?= tohtml( _("Ranges and lists are acceptable")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_port" id="v_port" value="<?= htmlentities(trim($v_port, "'")) ?>" placeholder="<?= _("All ports: 0, Range: 80-82, List: 80,443,8080,8443") ?>">
+				<input type="text" class="form-control" name="v_port" id="v_port" value="<?= tohtml(trim($v_port, "'")) ?>" placeholder="<?= tohtml( _("All ports: 0, Range: 80-82, List: 80,443,8080,8443")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_ip" class="form-label">
-					<?= _("IP Address / IPset IP List") ?> <span class="optional">(<?= _("Support CIDR format") ?>)</span>
+					<?= tohtml( _("IP Address / IPset IP List")) ?> <span class="optional">(<?= tohtml( _("Support CIDR format")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
 					<select
 						class="form-select js-ip-list-select"
 						tabindex="-1"
 						onchange="this.nextElementSibling.value=this.value"
-						data-ipset-lists="<?= htmlspecialchars($ipset_lists_json, ENT_QUOTES, "UTF-8") ?>"
+						data-ipset-lists="<?= tohtml($ipset_lists_json) ?>"
 					>
-						<option value=""><?= _("Clear") ?></option>
+						<option value=""><?= tohtml( _("Clear")) ?></option>
 					</select>
-					<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>">
+					<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>">
 				</div>
 			</div>
 			<div class="u-mb10">
 				<label for="v_comment" class="form-label">
-					<?= _("Comment") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("Comment")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_comment" id="v_comment" maxlength="255" value="<?= htmlentities(trim($v_comment, "'")) ?>">
+				<input type="text" class="form-control" name="v_comment" id="v_comment" maxlength="255" value="<?= tohtml(trim($v_comment, "'")) ?>">
 			</div>
 		</div>
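Review bot: `data-ipset-lists="<?= tohtml($ipset_lists_json) ?>"` replaces an explicit `htmlspecialchars($ipset_lists_json, ENT_QUOTES, "UTF-8")`; this is only a like-for-like change if tohtml() uses at least ENT_QUOTES and UTF-8, which should be checked against the helper rather than assumed, because this attribute carries JSON that the page's JS reads back through the dataset API and the quote characters are exactly the ones that matter there.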
 

+ 15 - 15
web/templates/pages/add_firewall_ipset.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/firewall/ipset/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,7 +18,7 @@
 <div class="container">
 
 	<form id="main-form" name="v_add_ipset" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<?php
@@ -65,41 +65,41 @@
 		?>
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add IPset IP List for Firewall") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add IPset IP List for Firewall")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_ipname" class="form-label"><?= _("IP List Name") ?></label>
-				<input type="text" class="form-control" name="v_ipname" id="v_ipname" maxlength="255" value="<?= htmlentities(trim($v_ipname, "'")) ?>">
+				<label for="v_ipname" class="form-label"><?= tohtml( _("IP List Name")) ?></label>
+				<input type="text" class="form-control" name="v_ipname" id="v_ipname" maxlength="255" value="<?= tohtml(trim($v_ipname, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_datasource" class="form-label">
-					<?= _("Data Source") ?> <span class="optional">(<?= _("URL, script or file") ?>)</span>
+					<?= tohtml( _("Data Source")) ?> <span class="optional">(<?= tohtml( _("URL, script or file")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
 					<select
 						class="form-select js-datasource-select"
 						tabindex="-1"
 						onchange="this.nextElementSibling.value=this.value"
-						data-country-iplists="<?= htmlspecialchars(json_encode($country_iplists), ENT_QUOTES, "UTF-8") ?>"
-						data-blacklist-iplists="<?= htmlspecialchars(json_encode($blacklist_iplists), ENT_QUOTES, "UTF-8") ?>"
+						data-country-iplists="<?= tohtml(json_encode($country_iplists)) ?>"
+						data-blacklist-iplists="<?= tohtml(json_encode($blacklist_iplists)) ?>"
 					>
-						<option value=""><?= _("Clear") ?></option>
+						<option value=""><?= tohtml( _("Clear")) ?></option>
 					</select>
-					<input type="text" class="form-control list-editor" name="v_datasource" id="v_datasource" maxlength="255" value="<?= htmlentities(trim($v_datasource, "'")) ?>">
+					<input type="text" class="form-control list-editor" name="v_datasource" id="v_datasource" maxlength="255" value="<?= tohtml(trim($v_datasource, "'")) ?>">
 				</div>
 			</div>
 			<div class="u-mb10">
-				<label for="v_ipver" class="form-label"><?= _("IP Version") ?></label>
+				<label for="v_ipver" class="form-label"><?= tohtml( _("IP Version")) ?></label>
 				<select class="form-select" name="v_ipver" id="v_ipver">
 					<option value="v4" <?php if ((!empty($v_ipver)) && ( $v_ipver == "'v4'" )) echo 'selected'?>>IPv4</option>
 					<option value="v6" <?php if ((!empty($v_ipver)) && ( $v_ipver == "'v6'" )) echo 'selected'?>>IPv6</option>
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_autoupdate" class="form-label"><?= _("Auto Update") ?></label>
+				<label for="v_autoupdate" class="form-label"><?= tohtml( _("Auto Update")) ?></label>
 				<select class="form-select" name="v_autoupdate" id="v_autoupdate">
-					<option value="yes" <?php if ((!empty($v_autoupdate)) && ( $v_autoupdate == "'yes'" )) echo 'selected'?>><?= _("Yes") ?></option>
-					<option value="no" <?php if ((!empty($v_autoupdate)) && ( $v_autoupdate == "'no'" )) echo 'selected'?>><?= _("No") ?></option>
+					<option value="yes" <?php if ((!empty($v_autoupdate)) && ( $v_autoupdate == "'yes'" )) echo 'selected'?>><?= tohtml( _("Yes")) ?></option>
+					<option value="no" <?php if ((!empty($v_autoupdate)) && ( $v_autoupdate == "'no'" )) echo 'selected'?>><?= tohtml( _("No")) ?></option>
 				</select>
 			</div>
 		</div>
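Review bot: `tohtml(json_encode($country_iplists))` and `tohtml(json_encode($blacklist_iplists))` pass the json_encode() result straight through, but json_encode() returns false on failure (for example invalid UTF-8 in a list entry); with the helper now declared to accept null, a false is either coerced to an empty string or rejected with a TypeError under strict types. Use `json_encode(..., JSON_THROW_ON_ERROR)` or check the return value before escaping so a broken list fails visibly instead of silently emitting empty data attributes.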

+ 16 - 16
web/templates/pages/add_ip.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/ip/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -19,28 +19,28 @@
 
 	<form
 		x-data="{
-			showUserTable: <?= empty($v_dedicated) ? "true" : "false" ?>
+			showUserTable: <?= tohtml(empty($v_dedicated) ? "true" : "false") ?>
 		}"
 		id="main-form"
 		name="v_add_ip"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add IP Address") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add IP Address")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_ip" class="form-label"><?= _("IP Address") ?></label>
-				<input type="text" class="form-control" name="v_ip" id="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>">
+				<label for="v_ip" class="form-label"><?= tohtml( _("IP Address")) ?></label>
+				<input type="text" class="form-control" name="v_ip" id="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_netmask" class="form-label"><?= _("Netmask") ?></label>
-				<input type="text" class="form-control" name="v_netmask" id="v_netmask" value="<?= htmlentities(trim($v_netmask, "'")) ?>">
+				<label for="v_netmask" class="form-label"><?= tohtml( _("Netmask")) ?></label>
+				<input type="text" class="form-control" name="v_netmask" id="v_netmask" value="<?= tohtml(trim($v_netmask, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_interface" class="form-label"><?= _("Interface") ?></label>
+				<label for="v_interface" class="form-label"><?= tohtml( _("Interface")) ?></label>
 				<select class="form-select" name="v_interface" id="v_interface">
 					<?php
 						foreach ($interfaces as $key => $value) {
@@ -54,12 +54,12 @@
 			<div class="form-check u-mb10">
 				<input x-model="showUserTable" class="form-check-input" type="checkbox" name="v_shared" id="v_shared">
 				<label for="v_shared">
-					<?= _("Shared") ?>
+					<?= tohtml( _("Shared")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="!showUserTable" id="usrtable">
 				<div class="u-mb10">
-					<label for="v_owner" class="form-label"><?= _("Assigned User") ?></label>
+					<label for="v_owner" class="form-label"><?= tohtml( _("Assigned User")) ?></label>
 					<select class="form-select" name="v_owner" id="v_owner">
 						<?php
 							foreach ($users as $key => $value) {
@@ -73,15 +73,15 @@
 			</div>
 			<div class="u-mb10">
 				<label for="v_name" class="form-label">
-					<?= _("Assigned Domain") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("Assigned Domain")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= htmlentities(trim($v_name, "'")) ?>">
+				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= tohtml(trim($v_name, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_nat" class="form-label">
-					<?= _("NAT IP Association") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("NAT IP Association")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_nat" id="v_nat" value="<?= htmlentities(trim($v_nat, "'")) ?>">
+				<input type="text" class="form-control" name="v_nat" id="v_nat" value="<?= tohtml(trim($v_nat, "'")) ?>">
 			</div>
 		</div>
 

+ 8 - 8
web/templates/pages/add_key.php

@@ -3,18 +3,18 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($_SESSION["userContext"] === "admin" && isset($_GET["user"]) && $_GET["user"] !== "admin") { ?>
-				<a class="button button-secondary button-back js-button-back" href="/list/key/?user=<?= htmlentities($_GET["user"]) ?>">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a class="button button-secondary button-back js-button-back" href="/list/key/?<?= tohtml(http_build_query(["user" => $_GET["user"]])) ?>">
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } else { ?>
 				<a class="button button-secondary button-back js-button-back" href="/list/key/">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
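Review bot: the new `href="/list/key/?<?= tohtml(http_build_query(["user" => $_GET["user"]])) ?>"` layers the encodings in the right order (URL-encode for the query string, then HTML-escape for the attribute). The guard `isset($_GET["user"]) && $_GET["user"] !== "admin"` does not ensure the value is a string, though: an array value passes both checks and http_build_query() would then emit `user%5B0%5D=...`. Adding an `is_string($_GET["user"])` check to the condition keeps the link well-formed.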
@@ -24,15 +24,15 @@
 <div class="container">
 
 	<form id="main-form" name="v_add_key" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add SSH Key") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add SSH Key")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div>
-				<label for="v_key" class="form-label"><?= _("SSH Key") ?></label>
-				<textarea class="form-control u-min-height300" name="v_key" id="v_key" required><?= htmlentities(trim($v_key, "'")) ?></textarea>
+				<label for="v_key" class="form-label"><?= tohtml( _("SSH Key")) ?></label>
+				<textarea class="form-control u-min-height300" name="v_key" id="v_key" required><?= tohtml(trim($v_key, "'")) ?></textarea>
 			</div>
 		</div>
 

+ 24 - 24
web/templates/pages/add_mail.php

@@ -3,13 +3,13 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/mail/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $user_plain !== "admin") { ?>
 				<button type="submit" class="button" form="main-form">
-					<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+					<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 				</button>
 			<?php } ?>
 		</div>
@@ -21,22 +21,22 @@
 
 	<form
 		x-data="{
-			hasSmtpRelay: <?= $v_smtp_relay == "true" ? "true" : "false" ?>
+			hasSmtpRelay: <?= tohtml($v_smtp_relay == "true" ? "true" : "false") ?>
 		}"
 		id="main-form"
 		name="v_add_mail"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add Mail Domain") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Mail Domain")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<?php if ($_SESSION["role"] == "admin" && $accept !== "true") { ?>
 				<div class="alert alert-danger" role="alert">
 					<i class="fas fa-exclamation"></i>
-					<p><?= htmlify_trans(
+						<p><?= htmlify_trans(
      	sprintf(
      		_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."),
      		_("a mail domain"),
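Review bot: wrapping the `"true"`/`"false"` literal on the `hasSmtpRelay:` line in `tohtml` changes nothing, and it should not be read as making the `x-data` attribute safe for arbitrary values; Alpine evaluates that attribute as JavaScript, so anything non-constant placed there needs `json_encode` first and `tohtml` on top. Separately, the only change to the `<p><?= htmlify_trans(` line is extra indentation, which now sits one level deeper than the surrounding `<i>`; drop the whitespace-only change.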
@@ -48,18 +48,18 @@
 			<?php } ?>
 			<?php if ($_SESSION["role"] == "admin" && empty($accept)) { ?>
 				<div class="u-side-by-side u-mt20">
-					<a href="/add/user/" class="button u-width-full u-mr10"><?= _("Add User") ?></a>
-					<a href="/add/mail/?accept=true" class="button button-danger u-width-full u-ml10"><?= _("Continue") ?></a>
+					<a href="/add/user/" class="button u-width-full u-mr10"><?= tohtml( _("Add User")) ?></a>
+					<a href="/add/mail/?<?= tohtml(http_build_query(["accept" => 'true'])) ?>" class="button button-danger u-width-full u-ml10"><?= tohtml( _("Continue")) ?></a>
 				</div>
 			<?php } ?>
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
 				<div class="u-mb20">
-					<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-					<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" required>
+					<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+					<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" required>
 				</div>
 				<?php if ($_SESSION["WEBMAIL_SYSTEM"]) { ?>
 					<div class="u-mb20">
-						<label for="v_webmail" class="form-label"><?= _("Webmail Client") ?></label>
+						<label for="v_webmail" class="form-label"><?= tohtml( _("Webmail Client")) ?></label>
 						<select class="form-select" name="v_webmail" id="v_webmail" tabindex="6">
 							<?php foreach ($webmail_clients as $client) {
        	echo "\t\t\t\t<option value=\"" . htmlentities($client) . "\"";
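Review bot: the `<option>` loop for `$webmail_clients` still escapes with `htmlentities($client)` while every other sink in this file moved to `tohtml`. It is not unsafe, but the point of the change is a single escaping helper; switch this one too so a grep for `htmlentities` in the templates comes back empty. The `http_build_query(["accept" => 'true'])` on the `Continue` link encodes a constant, which is fine for uniformity; nothing user-controlled reaches it.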
@@ -70,7 +70,7 @@
        } ?>
 							<option value="" <?php if (empty($v_webmail) || $v_webmail == "disabled") {
        	echo "selected";
-       } ?>><?= _("Disabled") ?></option>
+       } ?>><?= tohtml( _("Disabled")) ?></option>
 						</select>
 					</div>
 				<?php } ?>
@@ -80,7 +80,7 @@
       	echo "checked";
       } ?>>
 						<label for="v_antispam">
-							<?= _("Spam Filter") ?>
+							<?= tohtml( _("Spam Filter")) ?>
 						</label>
 					</div>
 					<div class="form-check u-mb10">
@@ -88,7 +88,7 @@
       	echo "checked";
       } ?>>
 						<label for="v_reject">
-							<?= _("Reject Spam") ?>
+							<?= tohtml( _("Reject Spam")) ?>
 						</label>
 					</div>
 				<?php } ?>
@@ -98,7 +98,7 @@
       	echo "checked";
       } ?>>
 						<label for="v_antivirus">
-							<?= _("Anti-Virus") ?>
+							<?= tohtml( _("Anti-Virus")) ?>
 						</label>
 					</div>
 				<?php } ?>
@@ -107,30 +107,30 @@
      	echo "checked";
      } ?>>
 					<label for="v_dkim">
-						<?= _("DKIM Support") ?>
+						<?= tohtml( _("DKIM Support")) ?>
 					</label>
 				</div>
 				<div class="form-check u-mb10">
 					<input x-model="hasSmtpRelay" class="form-check-input" type="checkbox" name="v_smtp_relay" id="v_smtp_relay">
 					<label for="v_smtp_relay">
-						<?= _("SMTP Relay") ?>
+						<?= tohtml( _("SMTP Relay")) ?>
 					</label>
 				</div>
 				<div x-cloak x-show="hasSmtpRelay" id="smtp_relay_table" class="u-pl30">
 					<div class="u-mb10">
-						<label for="v_smtp_relay_host" class="form-label"><?= _("Host") ?></label>
-						<input type="text" class="form-control" name="v_smtp_relay_host" id="v_smtp_relay_host" value="<?= htmlentities(trim($v_smtp_relay_host, "'")) ?>">
+						<label for="v_smtp_relay_host" class="form-label"><?= tohtml( _("Host")) ?></label>
+						<input type="text" class="form-control" name="v_smtp_relay_host" id="v_smtp_relay_host" value="<?= tohtml(trim($v_smtp_relay_host, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_smtp_relay_port" class="form-label"><?= _("Port") ?></label>
-						<input type="text" class="form-control" name="v_smtp_relay_port" id="v_smtp_relay_port" value="<?= htmlentities(trim($v_smtp_relay_port, "'")) ?>">
+						<label for="v_smtp_relay_port" class="form-label"><?= tohtml( _("Port")) ?></label>
+						<input type="text" class="form-control" name="v_smtp_relay_port" id="v_smtp_relay_port" value="<?= tohtml(trim($v_smtp_relay_port, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_smtp_relay_user" class="form-label"><?= _("Username") ?></label>
-						<input type="text" class="form-control" name="v_smtp_relay_user" id="v_smtp_relay_user" value="<?= htmlentities(trim($v_smtp_relay_user, "'")) ?>">
+						<label for="v_smtp_relay_user" class="form-label"><?= tohtml( _("Username")) ?></label>
+						<input type="text" class="form-control" name="v_smtp_relay_user" id="v_smtp_relay_user" value="<?= tohtml(trim($v_smtp_relay_user, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_smtp_relay_pass" class="form-label"><?= _("Password") ?></label>
+						<label for="v_smtp_relay_pass" class="form-label"><?= tohtml( _("Password")) ?></label>
 						<input type="text" class="form-control" name="v_smtp_relay_pass" id="v_smtp_relay_pass">
 					</div>
 				</div>

+ 31 - 31
web/templates/pages/add_mail_acc.php

@@ -2,13 +2,13 @@
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
-			<a class="button button-secondary button-back js-button-back" href="/list/mail/?domain=<?= htmlentities(trim($v_domain, "'")) ?>&token=<?= $_SESSION["token"] ?>">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+			<a class="button button-secondary button-back js-button-back" href="/list/mail/?<?= tohtml(http_build_query(["domain" => trim($v_domain, "'"), "token" => $_SESSION["token"]])) ?>">
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
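Review bot: the Back link now carries `token` in the query string via `http_build_query`; the escaping is right, but a CSRF token in a GET URL ends up in browser history, server logs and the `Referer` of outbound requests. That is pre-existing behaviour rather than something this change introduces, but it is worth checking whether `/list/mail/` actually needs the token on a plain navigation and dropping it from the link in a follow-up if not.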
@@ -19,33 +19,33 @@
 
 	<form
 		x-data="{
-			showAdvanced: <?= empty($v_adv) ? "false" : "true" ?>
+			showAdvanced: <?= tohtml(empty($v_adv) ? "false" : "true") ?>
 		}"
 		id="main-form"
 		name="v_add_mail_acc"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok_acc" value="add">
 
 		<div class="form-container form-container-wide">
-			<h1 class="u-mb20"><?= _("Add Mail Account") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Mail Account")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="sidebar-right-grid">
 				<div class="sidebar-right-grid-content">
 					<div class="u-mb10">
-						<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-						<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" disabled>
-						<input type="hidden" name="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
+						<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+						<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" disabled>
+						<input type="hidden" name="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
 					</div>
 					<div class="u-mb10">
-						<label for="v_account" class="form-label"><?= _("Account") ?></label>
-						<input type="text" class="form-control js-account-input" name="v_account" id="v_account" value="<?= htmlentities(trim($v_account, "'")) ?>" required>
+						<label for="v_account" class="form-label"><?= tohtml( _("Account")) ?></label>
+						<input type="text" class="form-control js-account-input" name="v_account" id="v_account" value="<?= tohtml(trim($v_account, "'")) ?>" required>
 					</div>
 					<div class="u-mb10">
 						<label for="v_password" class="form-label">
-							<?= _("Password") ?>
-							<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+							<?= tohtml( _("Password")) ?>
+							<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 								<i class="fas fa-arrows-rotate icon-green"></i>
 							</button>
 						</label>
@@ -56,63 +56,63 @@
 							</div>
 						</div>
 					</div>
-					<p class="u-mb10"><?= _("Your password must have at least") ?>:</p>
+					<p class="u-mb10"><?= tohtml( _("Your password must have at least")) ?>:</p>
 					<ul class="u-list-bulleted u-mb20">
-						<li><?= _("8 characters long") ?></li>
-						<li><?= _("1 uppercase & 1 lowercase character") ?></li>
-						<li><?= _("1 number") ?></li>
+						<li><?= tohtml( _("8 characters long")) ?></li>
+						<li><?= tohtml( _("1 uppercase & 1 lowercase character")) ?></li>
+						<li><?= tohtml( _("1 number")) ?></li>
 					</ul>
 					<button x-on:click="showAdvanced = !showAdvanced" type="button" class="button button-secondary u-mb20">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 					<div x-cloak x-show="showAdvanced" id="advtable">
 						<div class="u-mb10">
 							<label for="v_quota" class="form-label">
-								<?= _("Quota") ?> <span class="optional">(<?= _("in MB") ?>)</span>
+								<?= tohtml( _("Quota")) ?> <span class="optional">(<?= tohtml( _("in MB")) ?>)</span>
 							</label>
 							<div class="u-pos-relative">
-								<input type="text" class="form-control" name="v_quota" id="v_quota" value="<?= htmlentities(trim($v_quota, "'")) ?>">
-								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+								<input type="text" class="form-control" name="v_quota" id="v_quota" value="<?= tohtml(trim($v_quota, "'")) ?>">
+								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 									<i class="fas fa-infinity"></i>
 								</button>
 							</div>
 						</div>
 						<div class="u-mb10">
 							<label for="v_aliases" class="form-label">
-								<?= _("Aliases") ?> <span class="optional">(<?= _("Use local-part without domain name") ?>)</span>
+								<?= tohtml( _("Aliases")) ?> <span class="optional">(<?= tohtml( _("Use local-part without domain name")) ?>)</span>
 							</label>
-							<textarea class="form-control" name="v_aliases" id="v_aliases"><?= htmlentities(trim($v_aliases, "'")) ?></textarea>
+							<textarea class="form-control" name="v_aliases" id="v_aliases"><?= tohtml(trim($v_aliases, "'")) ?></textarea>
 						</div>
 						<div class="u-mb10">
 							<label for="v_fwd" class="form-label">
-								<?= _("Forward to") ?> <span class="optional">(<?= _("One or more email addresses") ?>)</span>
+								<?= tohtml( _("Forward to")) ?> <span class="optional">(<?= tohtml( _("One or more email addresses")) ?>)</span>
 							</label>
-							<textarea class="form-control js-forward-to-textarea" name="v_fwd" id="v_fwd" <?php if ($v_blackhole == 'yes') echo "disabled"; ?>><?= htmlentities(trim($v_fwd, "'")) ?></textarea>
+							<textarea class="form-control js-forward-to-textarea" name="v_fwd" id="v_fwd" <?php if ($v_blackhole == 'yes') echo "disabled"; ?>><?= tohtml(trim($v_fwd, "'")) ?></textarea>
 						</div>
 						<div class="form-check">
 							<input class="form-check-input js-discard-all-mail" type="checkbox" name="v_blackhole" id="v_blackhole" <?php if ($v_blackhole == 'yes') echo 'checked' ?>>
 							<label for="v_blackhole">
-								<?= _("Discard all mail") ?>
+								<?= tohtml( _("Discard all mail")) ?>
 							</label>
 						</div>
 						<div class="form-check <?php if ($v_blackhole == 'yes') { echo 'u-hidden'; } ?>">
 							<input class="form-check-input js-do-not-store-checkbox" type="checkbox" name="v_fwd_only" id="v_fwd_for" <?php if ($v_fwd_only == 'yes') echo 'checked' ?>>
 							<label for="v_fwd_for">
-								<?= _("Do not store forwarded mail") ?>
+								<?= tohtml( _("Do not store forwarded mail")) ?>
 							</label>
 						</div>
 						<div class="u-mt10 u-mb10">
 							<label for="v_rate" class="form-label">
-								<?= _("Rate Limit") ?> <span class="optional">(<?= _("email / hour") ?>)</span>
+								<?= tohtml( _("Rate Limit")) ?> <span class="optional">(<?= tohtml( _("email / hour")) ?>)</span>
 							</label>
-							<input type="text" class="form-control" name="v_rate" id="v_rate" value="<?= htmlentities(trim($v_rate, "'")) ?>" <?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>>
+							<input type="text" class="form-control" name="v_rate" id="v_rate" value="<?= tohtml(trim($v_rate, "'")) ?>" <?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>>
 						</div>
 					</div>
 					<div class="u-mt15 u-mb20">
 						<label for="v_send_email" class="form-label">
-							<?= _("Email login credentials to:") ?>
+							<?= tohtml( _("Email login credentials to:")) ?>
 						</label>
-						<input type="email" class="form-control" name="v_send_email" id="v_send_email" value="<?= htmlentities(trim($v_send_email, "'")) ?>">
+						<input type="email" class="form-control" name="v_send_email" id="v_send_email" value="<?= tohtml(trim($v_send_email, "'")) ?>">
 					</div>
 				</div>
 				<div class="sidebar-right-grid-sidebar">
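Review bot: the `v_rate` input is only `disabled` client-side for non-admin sessions (`<?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>`); a user can re-enable the field in devtools and submit it, so the handler must ignore or reject `v_rate` for non-admins. Pre-existing, but worth confirming while this file is being touched. The `tohtml( _("1 uppercase & 1 lowercase character"))` change also fixes a bare `&` that was previously emitted into the markup.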

+ 24 - 24
web/templates/pages/add_user.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/user/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -19,39 +19,39 @@
 
 	<form
 		x-data="{
-			loginDisabled: <?= $v_login_disabled == "yes" ? "true" : "false" ?>
+			loginDisabled: <?= tohtml($v_login_disabled == "yes" ? "true" : "false") ?>
 		}"
 		id="main-form"
 		name="v_add_user"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add User") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add User")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_username" class="form-label"><?= _("Username") ?></label>
-				<input type="text" class="form-control" name="v_username" id="v_username" value="<?= htmlentities(trim($v_username, "'")) ?>" tabindex="1" required>
+				<label for="v_username" class="form-label"><?= tohtml( _("Username")) ?></label>
+				<input type="text" class="form-control" name="v_username" id="v_username" value="<?= tohtml(trim($v_username, "'")) ?>" tabindex="1" required>
 			</div>
 			<div class="u-mb10">
-				<label for="v_name" class="form-label"><?= _("Contact Name") ?></label>
-				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= htmlentities(trim($v_name, "'")) ?>" tabindex="2" required>
+				<label for="v_name" class="form-label"><?= tohtml( _("Contact Name")) ?></label>
+				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= tohtml(trim($v_name, "'")) ?>" tabindex="2" required>
 			</div>
 			<div class="u-mb10">
-				<label for="v_email" class="form-label"><?= _("Email") ?></label>
-				<input type="email" class="form-control js-sync-email-input" name="v_email" id="v_email" value="<?= htmlentities(trim($v_email, "'")) ?>" tabindex="3" required>
+				<label for="v_email" class="form-label"><?= tohtml( _("Email")) ?></label>
+				<input type="email" class="form-control js-sync-email-input" name="v_email" id="v_email" value="<?= tohtml(trim($v_email, "'")) ?>" tabindex="3" required>
 			</div>
 			<div class="u-mb10">
 				<label for="v_password" class="form-label">
-					<?= _("Password") ?>
-					<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+					<?= tohtml( _("Password")) ?>
+					<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 						<i class="fas fa-arrows-rotate icon-green"></i>
 					</button>
 				</label>
 				<div class="u-pos-relative u-mb10">
-					<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= htmlentities(trim($v_password, "'")) ?>" tabindex="4" required>
+					<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= tohtml(trim($v_password, "'")) ?>" tabindex="4" required>
 					<div class="password-meter">
 						<meter max="4" class="password-meter-input js-password-meter"></meter>
 					</div>
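Review bot: `v_password` is echoed back into a `type="text"` input (`value="<?= tohtml(trim($v_password, "'")) ?>"`) when the form re-renders. The escaping is now correct, but the submitted password still lands in the response body and therefore in any page cache, and `trim(..., "'")` strips legitimate leading or trailing single quotes from the password before it is shown. Both are pre-existing; consider not re-populating this field at all.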
@@ -61,19 +61,19 @@
 			<div class="form-check">
 				<input x-model="loginDisabled" class="form-check-input" type="checkbox" name="v_login_disabled" id="v_login_disabled">
 				<label for="v_login_disabled">
-					<?= _("Do not allow user to log in to Control Panel") ?>
+					<?= tohtml( _("Do not allow user to log in to Control Panel")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="!loginDisabled" id="send-welcome">
 				<div class="form-check u-mb10">
 					<input class="form-check-input js-sync-email-checkbox" type="checkbox" name="v_email_notice" id="v_email_notify" tabindex="5">
 					<label for="v_email_notify">
-						<?= _("Send welcome email") ?>
+						<?= tohtml( _("Send welcome email")) ?>
 					</label>
 				</div>
 			</div>
 			<div class="u-mb10">
-				<label for="v_language" class="form-label"><?= _("Language") ?></label>
+				<label for="v_language" class="form-label"><?= tohtml( _("Language")) ?></label>
 				<select class="form-select" name="v_language" id="v_language" tabindex="6" required>
 					<?php
 						foreach ($languages as $key => $value) {
@@ -92,15 +92,15 @@
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_role" class="form-label"><?= _("Role") ?></label>
+				<label for="v_role" class="form-label"><?= tohtml( _("Role")) ?></label>
 				<select class="form-select" name="v_role" id="v_role" required>
-					<option value="user"><?= _("User") ?></option>
-					<option value="admin" <?= $v_role == "admin" ? "selected" : "" ?>><?= _("Administrator") ?></option>
-					<option value="dns-cluster" <?= $v_role == "dns-cluster" ? "selected" : "" ?>><?= _("DNS Sync User") ?></option>
+					<option value="user"><?= tohtml( _("User")) ?></option>
+					<option value="admin" <?= tohtml($v_role == "admin" ? "selected" : "") ?>><?= tohtml( _("Administrator")) ?></option>
+					<option value="dns-cluster" <?= tohtml($v_role == "dns-cluster" ? "selected" : "") ?>><?= tohtml( _("DNS Sync User")) ?></option>
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_package" class="form-label"><?= _("Package") ?></label>
+				<label for="v_package" class="form-label"><?= tohtml( _("Package")) ?></label>
 				<select class="form-select" name="v_package" id="v_package" tabindex="8" required>
 					<?php
 						foreach ($data as $key => $value) {
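Review bot: `tohtml($v_role == "admin" ? "selected" : "")` on the two `<option>` lines escapes a hard-coded literal; the ternary can only yield `selected` or an empty string, so the wrapper adds noise without adding safety. Not harmful, only flagging it so the pattern is not copied to places where it would give a false sense of safety, such as attribute values built from anything other than a constant.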
@@ -119,9 +119,9 @@
 			</div>
 			<div class="u-mb10">
 				<label for="v_notify" class="form-label">
-					<?= _("Email login credentials to:") ?>
+					<?= tohtml( _("Email login credentials to:")) ?>
 				</label>
-				<input type="email" class="form-control js-sync-email-output" name="v_notify" id="v_notify" value="<?= htmlentities(trim($v_notify, "'")) ?>" tabindex="8">
+				<input type="email" class="form-control js-sync-email-output" name="v_notify" id="v_notify" value="<?= tohtml(trim($v_notify, "'")) ?>" tabindex="8">
 			</div>
 		</div>
 

+ 12 - 12
web/templates/pages/add_web.php

@@ -3,13 +3,13 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/web/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
 				<button type="submit" class="button" form="main-form">
-					<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+					<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 				</button>
 			<?php } ?>
 		</div>
@@ -20,31 +20,31 @@
 <div class="container">
 
 	<form id="main-form" name="v_add_web" method="post" class="js-enable-inputs-on-submit">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="ok" value="Add">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Add Web Domain") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Add Web Domain")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<?php if ($_SESSION["role"] == "admin" && $accept !== "true") { ?>
 				<div class="alert alert-danger" role="alert">
 					<i class="fas fa-exclamation"></i>
-					<p><?= htmlify_trans(sprintf(_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."), _('a web domain')), '</a>', '<a href="/add/user/">'); ?></p>
+					<p><?= htmlify_trans(sprintf(_("It is strongly advised to {create a standard user account} before adding %s to the server due to the increased privileges the admin account possesses and potential security risks."), _('a web domain')), '</a>', '<a href="/add/user/">') ?></p>
 				</div>
 			<?php } ?>
 			<?php if ($_SESSION["role"] == "admin" && empty($accept)) { ?>
 				<div class="u-side-by-side u-mt20">
-					<a href="/add/user/" class="button u-width-full u-mr10"><?= _("Add User") ?></a>
-					<a href="/add/web/?accept=true" class="button button-danger u-width-full u-ml10"><?= _("Continue") ?></a>
+					<a href="/add/user/" class="button u-width-full u-mr10"><?= tohtml( _("Add User")) ?></a>
+					<a href="/add/web/?<?= tohtml(http_build_query(["accept" => 'true'])) ?>" class="button button-danger u-width-full u-ml10"><?= tohtml( _("Continue")) ?></a>
 				</div>
 			<?php } ?>
 			<?php if (($_SESSION["role"] == "admin" && $accept === "true") || $_SESSION["role"] !== "admin") { ?>
 				<div class="u-mb10">
-					<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-					<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" required>
+					<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+					<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" required>
 				</div>
 				<div class="u-mb20">
-					<label for="v_ip" class="form-label"><?= _("IP Address") ?></label>
+					<label for="v_ip" class="form-label"><?= tohtml( _("IP Address")) ?></label>
 					<select class="form-select" name="v_ip" id="v_ip">
 						<?php
 							foreach ($ips as $ip => $value) {
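Review bot: the `htmlify_trans(...)` line is the one sink in this hunk that intentionally stays unescaped, because it has to emit the `<a href="/add/user/">` markup spliced into the translated string; the only change is dropping the trailing `;`. That is fine, but it means the translation catalogue is trusted HTML at this point, so the `.po` files for this string should be reviewed as code. The same applies to the matching block in add_mail.php.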
@@ -60,7 +60,7 @@
 						<div class="form-check u-mb10">
 							<input class="form-check-input" type="checkbox" name="v_dns" id="v_dns" <?php if (empty($v_dns) && $panel[$user_plain]["DNS_DOMAINS"] != "0"); ?>>
 							<label for="v_dns">
-								<?= _("DNS Support") ?>
+								<?= tohtml( _("DNS Support")) ?>
 							</label>
 						</div>
 					<?php } ?>
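Review bot: the `v_dns` checkbox condition is a no-op: `<?php if (empty($v_dns) && $panel[$user_plain]["DNS_DOMAINS"] != "0"); ?>` ends in `;`, so the `if` governs an empty statement and never prints `checked`. Pre-existing and outside the escaping change, but it is in the context lines and presumably meant to check the box by default when the package allows DNS domains; it should read `<?php if (empty($v_dns) && $panel[$user_plain]["DNS_DOMAINS"] != "0") { echo "checked"; } ?>`, matching the `{ echo "checked"; }` pattern used for the other checkboxes in this commit.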
@@ -70,7 +70,7 @@
 						<div class="form-check">
 							<input class="form-check-input" type="checkbox" name="v_mail" id="v_mail" <?php if (empty($v_mail) && $panel[$user_plain]["MAIL_DOMAINS"] != "0"); ?>>
 							<label for="v_mail">
-								<?= _("Mail Support") ?>
+								<?= tohtml( _("Mail Support")) ?>
 							</label>
 						</div>
 					<?php } ?>
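Review bot: same empty-statement `if` on the `v_mail` checkbox line (`... $panel[$user_plain]["MAIL_DOMAINS"] != "0"); ?>`): the trailing `;` means `checked` is never emitted. Apply the same fix as for `v_dns`, replacing the `;` with `{ echo "checked"; }`.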

+ 12 - 12
web/templates/pages/edit_backup_exclusions.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/backup/exclusions/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,27 +18,27 @@
 <div class="container">
 
 	<form id="main-form" name="v_edit_backup_exclusions" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit Backup Exclusions") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Backup Exclusions")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_web" class="form-label"><?= _("Web Domains") ?></label>
-				<textarea class="form-control" name="v_web" id="v_web" placeholder="<?= _("Type domain name, one per line. To exclude all domains use *. To exclude specific dirs use following format: domain.tld:public_html/cache:public_html/tmp") ?>"><?= htmlentities(trim($v_web, "'")) ?></textarea>
+				<label for="v_web" class="form-label"><?= tohtml( _("Web Domains")) ?></label>
+				<textarea class="form-control" name="v_web" id="v_web" placeholder="<?= tohtml( _("Type domain name, one per line. To exclude all domains use *. To exclude specific dirs use following format: domain.tld:public_html/cache:public_html/tmp")) ?>"><?= tohtml(trim($v_web, "'")) ?></textarea>
 			</div>
 			<div class="u-mb10">
-				<label for="v_mail" class="form-label"><?= _("Mail Domains") ?></label>
-				<textarea class="form-control" name="v_mail" id="v_mail" placeholder="<?= _("Type domain name, one per line. To exclude all domains use *. To exclude specific accounts use following format: domain.tld:info:support:postmaster") ?>"><?= htmlentities(trim($v_mail, "'")) ?></textarea>
+				<label for="v_mail" class="form-label"><?= tohtml( _("Mail Domains")) ?></label>
+				<textarea class="form-control" name="v_mail" id="v_mail" placeholder="<?= tohtml( _("Type domain name, one per line. To exclude all domains use *. To exclude specific accounts use following format: domain.tld:info:support:postmaster")) ?>"><?= tohtml(trim($v_mail, "'")) ?></textarea>
 			</div>
 			<div class="u-mb10">
-				<label for="v_db" class="form-label"><?= _("Databases") ?></label>
-				<textarea class="form-control" name="v_db" id="v_db" placeholder="<?= _("Type full database name, one per line. To exclude all databases use *") ?>"><?= htmlentities(trim($v_db, "'")) ?></textarea>
+				<label for="v_db" class="form-label"><?= tohtml( _("Databases")) ?></label>
+				<textarea class="form-control" name="v_db" id="v_db" placeholder="<?= tohtml( _("Type full database name, one per line. To exclude all databases use *")) ?>"><?= tohtml(trim($v_db, "'")) ?></textarea>
 			</div>
 			<div class="u-mb10">
-				<label for="v_userdir" class="form-label"><?= _("User Directory") ?></label>
-				<textarea class="form-control" name="v_userdir" id="v_userdir" placeholder="<?= _("Type directory name, one per line. To exlude all dirs use *") ?>"><?= htmlentities(trim($v_userdir, "'")) ?></textarea>
+				<label for="v_userdir" class="form-label"><?= tohtml( _("User Directory")) ?></label>
+				<textarea class="form-control" name="v_userdir" id="v_userdir" placeholder="<?= tohtml( _("Type directory name, one per line. To exlude all dirs use *")) ?>"><?= tohtml(trim($v_userdir, "'")) ?></textarea>
 			</div>
 		</div>
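Review bot: moving the `placeholder` strings into `tohtml` is the right call; they sit in an attribute, and a translation containing `"` would previously have broken out of it. Note that the msgid on the `v_userdir` placeholder contains the typo "exlude"; fixing the English there also changes the msgid, so the `.po` catalogues would need updating in the same change or the existing translation is lost.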
 

+ 18 - 18
web/templates/pages/edit_dns.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/dns/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -17,20 +17,20 @@
 
 <div class="container">
 
-	<form id="main-form" name="v_edit_dns" method="post" class="<?= $v_status ?>">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+	<form id="main-form" name="v_edit_dns" method="post" class="<?= tohtml($v_status) ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit DNS Domain") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit DNS Domain")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" disabled required>
-				<input type="hidden" name="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
+				<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" disabled required>
+				<input type="hidden" name="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_ip" class="form-label"><?= _("IP Address") ?></label>
+				<label for="v_ip" class="form-label"><?= tohtml( _("IP Address")) ?></label>
 				<div class="u-pos-relative">
 					<select class="form-select" tabindex="-1" onchange="this.nextElementSibling.value=this.value">
 						<option value="">clear</option>
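Review bot: `tohtml(trim($v_domain, "'"))` and the other `tohtml(trim(...))` calls in this hunk still hand the raw variable to `trim()`; if any of these values can be null, `trim()` emits a "Passing null to parameter #1" deprecation on PHP 8.1+ before tohtml() ever sees the value. Either cast first, e.g. `tohtml(trim((string) $v_domain, "'"))`, or strip the quotes once in the controller so the template only escapes.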
@@ -42,13 +42,13 @@
 							}
 						?>
 					</select>
-					<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>">
+					<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>">
 				</div>
 			</div>
 			<?php if ($_SESSION["userContext"] === "admin" || ($_SESSION["userContext"] === "user" && $_SESSION["POLICY_USER_EDIT_DNS_TEMPLATES"] === "yes")) { ?>
 				<div class="u-mb10">
 					<label for="v_template" class="form-label">
-						<?= _("Template") . "<span class='optional'>" . strtoupper($_SESSION["DNS_SYSTEM"]) . "</span>" ?>
+						<?= tohtml( _("Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["DNS_SYSTEM"])) ?></span>
 					</label>
 					<select class="form-select" name="v_template" id="v_template">
 						<?php
@@ -68,23 +68,23 @@
 				<div class="form-check u-mb10">
 					<input class="form-check-input" type="checkbox" name="v_dnssec" id="v_dnssec" value="yes" <?php if ($v_dnssec === 'yes'){ echo ' checked'; } ?>>
 					<label for="v_dnssec">
-						<?= _("Enable DNSSEC") ?>
+						<?= tohtml( _("Enable DNSSEC")) ?>
 					</label>
 				</div>
 			<?php } ?>
 			<div class="u-mb10">
 				<label for="v_exp" class="form-label">
-					<?= _("Expiration Date") ?><span class="optional">(<?= _("YYYY-MM-DD") ?>)</span>
+					<?= tohtml( _("Expiration Date")) ?><span class="optional">(<?= tohtml( _("YYYY-MM-DD")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_exp" id="v_exp" value="<?= htmlentities(trim($v_exp, "'")) ?>">
+				<input type="text" class="form-control" name="v_exp" id="v_exp" value="<?= tohtml(trim($v_exp, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_soa" class="form-label"><?= _("SOA") ?></label>
-				<input type="text" class="form-control" name="v_soa" id="v_soa" value="<?= htmlentities(trim($v_soa, "'")) ?>">
+				<label for="v_soa" class="form-label"><?= tohtml( _("SOA")) ?></label>
+				<input type="text" class="form-control" name="v_soa" id="v_soa" value="<?= tohtml(trim($v_soa, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_ttl" class="form-label"><?= _("TTL") ?></label>
-				<input type="text" class="form-control" name="v_ttl" id="v_ttl" value="<?= htmlentities(trim($v_ttl, "'")) ?>">
+				<label for="v_ttl" class="form-label"><?= tohtml( _("TTL")) ?></label>
+				<input type="text" class="form-control" name="v_ttl" id="v_ttl" value="<?= tohtml(trim($v_ttl, "'")) ?>">
 			</div>
 		</div>
 

+ 19 - 19
web/templates/pages/edit_dns_rec.php

@@ -2,13 +2,13 @@
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
-			<a class="button button-secondary button-back js-button-back" href="/list/dns/?domain=<?= htmlentities(trim($v_domain, "'")) ?>&token=<?= $_SESSION["token"] ?>">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a class="button button-secondary button-back js-button-back" href="/list/dns/?<?= tohtml(http_build_query(array("domain" => trim($v_domain, "'"), "token" => $_SESSION["token"]))) ?>">
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
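Review bot: The new `<a class="button button-secondary button-back js-button-back" href="/list/dns/?<?= tohtml(http_build_query(...)) ?>">` line is indented one tab deeper than the `</a>` that closes it; the removed line sat at the same level as the closing tag. Also, this file builds the query with `array("domain" => ..., "token" => ...)` while edit_mail_acc.php in the same PR uses `["domain" => ..., "token" => ...]`; pick one style. The switch to `http_build_query()` itself is the right fix, since the domain and token are now URL-encoded before the HTML escape instead of being interpolated raw into the href.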
@@ -17,26 +17,26 @@
 
 <div class="container">
 
-	<form id="main-form" name="v_edit_dns_rec" method="post" class="<?= $v_status ?>">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+	<form id="main-form" name="v_edit_dns_rec" method="post" class="<?= tohtml($v_status) ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit DNS Record") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit DNS Record")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-				<input type="text" class="form-control js-dns-record-domain" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" disabled>
-				<input type="hidden" name="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
+				<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+				<input type="text" class="form-control js-dns-record-domain" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" disabled>
+				<input type="hidden" name="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_rec" class="form-label"><?= _("Record") ?></label>
-				<input type="text" class="form-control js-dns-record-input" name="v_rec" id="v_rec" value="<?= htmlentities(trim($v_rec, "'")) ?>">
-				<input type="hidden" name="v_record_id" value="<?= htmlentities(trim($v_record_id, "'")) ?>">
+				<label for="v_rec" class="form-label"><?= tohtml( _("Record")) ?></label>
+				<input type="text" class="form-control js-dns-record-input" name="v_rec" id="v_rec" value="<?= tohtml(trim($v_rec, "'")) ?>">
+				<input type="hidden" name="v_record_id" value="<?= tohtml(trim($v_record_id, "'")) ?>">
 				<small class="hint"></small>
 			</div>
 			<div class="u-mb10">
-				<label for="v_type" class="form-label"><?= _("Type") ?></label>
+				<label for="v_type" class="form-label"><?= tohtml( _("Type")) ?></label>
 				<select class="form-select" name="v_type" id="v_type">
 					<option value="A" <?php if ($v_type == 'A') echo "selected"; ?>>A</option>
 					<option value="AAAA" <?php if ($v_type == 'AAAA') echo "selected"; ?>>AAAA</option>
@@ -56,7 +56,7 @@
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_val" class="form-label"><?= _("IP or Value") ?></label>
+				<label for="v_val" class="form-label"><?= tohtml( _("IP or Value")) ?></label>
 				<div class="u-pos-relative">
 					<select class="form-select" tabindex="-1" onchange="this.nextElementSibling.value=this.value">
 						<option value="">&nbsp;</option>
@@ -67,20 +67,20 @@
 							}
 						?>
 					</select>
-					<input type="text" class="form-control list-editor" name="v_val" id="v_val" value="<?= htmlentities(trim($v_val, "'")) ?>">
+					<input type="text" class="form-control list-editor" name="v_val" id="v_val" value="<?= tohtml(trim($v_val, "'")) ?>">
 				</div>
 			</div>
 			<div class="u-mb10">
 				<label for="v_priority" class="form-label">
-					<?= _("Priority") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("Priority")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_priority" id="v_priority" value="<?= htmlentities(trim($v_priority, "'")) ?>">
+				<input type="text" class="form-control" name="v_priority" id="v_priority" value="<?= tohtml(trim($v_priority, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_ttl" class="form-label">
-					<?= _("TTL") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("TTL")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_ttl" id="v_ttl" value="<?= htmlentities(trim($v_ttl, "'")) ?>">
+				<input type="text" class="form-control" name="v_ttl" id="v_ttl" value="<?= tohtml(trim($v_ttl, "'")) ?>">
 			</div>
 		</div>
 

+ 17 - 17
web/templates/pages/edit_firewall.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/firewall/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -17,22 +17,22 @@
 
 <div class="container">
 
-	<form id="main-form" name="v_edit_firewall" method="post" class="<?= $v_status ?>">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+	<form id="main-form" name="v_edit_firewall" method="post" class="<?= tohtml($v_status) ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit Firewall Rule") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Firewall Rule")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_action" class="form-label"><?= _("Action") ?></label>
+				<label for="v_action" class="form-label"><?= tohtml( _("Action")) ?></label>
 				<select class="form-select" name="v_action" id="v_action">
-					<option value="DROP" <?php if ((!empty($v_action)) && ( $v_action == "DROP" )) echo 'selected'?>><?= _("DROP") ?></option>
-					<option value="ACCEPT" <?php if ((!empty($v_action)) && ( $v_action == "ACCEPT" )) echo 'selected'?>><?= _("ACCEPT") ?></option>
+					<option value="DROP" <?php if ((!empty($v_action)) && ( $v_action == "DROP" )) echo 'selected'?>><?= tohtml( _("DROP")) ?></option>
+					<option value="ACCEPT" <?php if ((!empty($v_action)) && ( $v_action == "ACCEPT" )) echo 'selected'?>><?= tohtml( _("ACCEPT")) ?></option>
 				</select>
 			</div>
 			<div class="u-mb10">
-				<label for="v_protocol" class="form-label"><?= _("Protocol") ?></label>
+				<label for="v_protocol" class="form-label"><?= tohtml( _("Protocol")) ?></label>
 				<select class="form-select" name="v_protocol" id="v_protocol">
 					<option value="TCP" <?php if ((!empty($v_protocol)) && ( $v_protocol == "TCP" )) echo 'selected'?>>TCP</option>
 					<option value="UDP" <?php if ((!empty($v_protocol)) && ( $v_protocol == "UDP" )) echo 'selected'?>>UDP</option>
@@ -41,31 +41,31 @@
 			</div>
 			<div class="u-mb10">
 				<label for="v_port" class="form-label">
-					<?= _("Port") ?> <span class="optional">(<?= _("Ranges and lists are acceptable") ?>)</span>
+					<?= tohtml( _("Port")) ?> <span class="optional">(<?= tohtml( _("Ranges and lists are acceptable")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_port" id="v_port" value="<?= htmlentities(trim($v_port, "'")) ?>" placeholder="<?= _("All ports: 0, Range: 80-82, List: 80,443,8080,8443") ?>">
+				<input type="text" class="form-control" name="v_port" id="v_port" value="<?= tohtml(trim($v_port, "'")) ?>" placeholder="<?= tohtml( _("All ports: 0, Range: 80-82, List: 80,443,8080,8443")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_ip" class="form-label">
-					<?= _("IP Address / IPset IP List") ?> <span class="optional">(<?= _("Support CIDR format") ?>)</span>
+					<?= tohtml( _("IP Address / IPset IP List")) ?> <span class="optional">(<?= tohtml( _("Support CIDR format")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
 					<select
 						class="form-select js-ip-list-select"
 						tabindex="-1"
 						onchange="this.nextElementSibling.value=this.value"
-						data-ipset-lists="<?= htmlspecialchars($ipset_lists_json, ENT_QUOTES, "UTF-8") ?>"
+						data-ipset-lists="<?= tohtml($ipset_lists_json) ?>"
 					>
-						<option value=""><?= _("Clear") ?></option>
+						<option value=""><?= tohtml( _("Clear")) ?></option>
 					</select>
-					<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>">
+					<input type="text" class="form-control list-editor" name="v_ip" id="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>">
 				</div>
 			</div>
 			<div class="u-mb10">
 				<label for="v_comment" class="form-label">
-					<?= _("Comment") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("Comment")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_comment" id="v_comment" maxlength="255" value="<?= htmlentities(trim($v_comment, "'")) ?>">
+				<input type="text" class="form-control" name="v_comment" id="v_comment" maxlength="255" value="<?= tohtml(trim($v_comment, "'")) ?>">
 			</div>
 		</div>
 
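Review bot: Replacing `htmlspecialchars($ipset_lists_json, ENT_QUOTES, "UTF-8")` with `tohtml($ipset_lists_json)` on the `data-ipset-lists` attribute is only behaviour-preserving if tohtml() also passes ENT_QUOTES (so single quotes inside the JSON are escaped) and UTF-8; please confirm the helper's flags, since the JS reads this attribute as JSON and any difference in what gets escaped surfaces there rather than in the markup.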

+ 18 - 18
web/templates/pages/edit_ip.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/ip/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -19,40 +19,40 @@
 
 	<form
 		x-data="{
-			showUserTable: <?= empty($v_dedicated) ? "true" : "false" ?>
+			showUserTable: <?= tohtml(empty($v_dedicated) ? "true" : "false") ?>
 		}"
 		id="main-form"
 		name="v_edit_ip"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit IP Address") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit IP Address")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_ip" class="form-label"><?= _("IP Address") ?></label>
-				<input type="text" class="form-control" name="v_ip" id="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>" disabled>
-				<input type="hidden" name="v_ip" value="<?= htmlentities(trim($v_ip, "'")) ?>">
+				<label for="v_ip" class="form-label"><?= tohtml( _("IP Address")) ?></label>
+				<input type="text" class="form-control" name="v_ip" id="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>" disabled>
+				<input type="hidden" name="v_ip" value="<?= tohtml(trim($v_ip, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_netmask" class="form-label"><?= _("Netmask") ?></label>
-				<input type="text" class="form-control" name="v_netmask" id="v_netmask" value="<?= htmlentities(trim($v_netmask, "'")) ?>" disabled>
+				<label for="v_netmask" class="form-label"><?= tohtml( _("Netmask")) ?></label>
+				<input type="text" class="form-control" name="v_netmask" id="v_netmask" value="<?= tohtml(trim($v_netmask, "'")) ?>" disabled>
 			</div>
 			<div class="u-mb10">
-				<label for="v_interface" class="form-label"><?= _("Interface") ?></label>
-				<input type="text" class="form-control" name="v_interface" id="v_interface" value="<?= htmlentities(trim($v_interface, "'")) ?>" disabled>
+				<label for="v_interface" class="form-label"><?= tohtml( _("Interface")) ?></label>
+				<input type="text" class="form-control" name="v_interface" id="v_interface" value="<?= tohtml(trim($v_interface, "'")) ?>" disabled>
 			</div>
 			<div class="form-check u-mb10">
 				<input x-model="showUserTable" class="form-check-input" type="checkbox" name="v_shared" id="v_shared">
 				<label for="v_shared">
-					<?= _("Shared") ?>
+					<?= tohtml( _("Shared")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="!showUserTable" id="usrtable">
 				<div class="u-mb10">
-					<label for="v_owner" class="form-label"><?= _("Assigned User") ?></label>
+					<label for="v_owner" class="form-label"><?= tohtml( _("Assigned User")) ?></label>
 					<select class="form-select" name="v_owner" id="v_owner">
 						<?php
 							foreach ($users as $key => $value) {
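Review bot: The `foreach ($users as $key => $value)` loop on the last context line emits the `<option>` elements for `v_owner`, but its body falls outside the hunk, so the diff does not show whether those option values and labels are passed through tohtml() as well; please confirm they are, as user names are real data rather than translated literals.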
@@ -66,15 +66,15 @@
 			</div>
 			<div class="u-mb10">
 				<label for="v_name" class="form-label">
-					<?= _("Assigned Domain") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("Assigned Domain")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= htmlentities(trim($v_name, "'")) ?>">
+				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= tohtml(trim($v_name, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_nat" class="form-label">
-					<?= _("NAT IP Association") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+					<?= tohtml( _("NAT IP Association")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_nat" id="v_nat" value="<?= htmlentities(trim($v_nat, "'")) ?>">
+				<input type="text" class="form-control" name="v_nat" id="v_nat" value="<?= tohtml(trim($v_nat, "'")) ?>">
 			</div>
 		</div>
 

+ 53 - 53
web/templates/pages/edit_mail.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/mail/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -19,29 +19,29 @@
 
 	<form
 		x-data="{
-			sslEnabled: <?= $v_ssl == "yes" ? "true" : "false" ?>,
-			letsEncryptEnabled: <?= $v_letsencrypt == "yes" ? "true" : "false" ?>,
-			hasSmtpRelay: <?= $v_smtp_relay == "true" ? "true" : "false" ?>
+			sslEnabled: <?= tohtml($v_ssl == "yes" ? "true" : "false") ?>,
+			letsEncryptEnabled: <?= tohtml($v_letsencrypt == "yes" ? "true" : "false") ?>,
+			hasSmtpRelay: <?= tohtml($v_smtp_relay == "true" ? "true" : "false") ?>
 		}"
 		id="main-form"
 		name="v_edit_mail"
 		method="post"
-		class="<?= $v_status ?> js-enable-inputs-on-submit"
+		class="<?= tohtml($v_status) ?> js-enable-inputs-on-submit"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit Mail Domain") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Mail Domain")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>" disabled required>
-				<input type="hidden" name="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
+				<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>" disabled required>
+				<input type="hidden" name="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
 			</div>
 			<?php if ($_SESSION["WEBMAIL_SYSTEM"]) { ?>
 				<div class="u-mb10">
-					<label for="v_webmail" class="form-label"><?= _("Webmail Client") ?></label>
+					<label for="v_webmail" class="form-label"><?= tohtml( _("Webmail Client")) ?></label>
 					<select class="form-select" name="v_webmail" id="v_webmail" tabindex="6">
 						<?php foreach ($webmail_clients as $client){
 							echo "\t\t\t\t<option value=\"".htmlentities($client)."\"";
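Review bot: The webmail client loop in the trailing context still escapes with `htmlentities($client)` (and `htmlentities(ucfirst($client))` in the next hunk) instead of tohtml(); since the purpose of this PR is one shared escaping helper, these two echo statements should be converted too, otherwise the file ends up with two escaping functions that may use different flags.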
@@ -51,31 +51,31 @@
 							echo ">".htmlentities(ucfirst($client))."</option>\n";
 							}
 						?>
-						<option value="disabled" <?php if (htmlentities(trim($v_webmail,"'")) == 'disabled') { echo "selected"; }?>><?= _("Disabled") ?></option>
+						<option value="disabled" <?php if (htmlentities(trim($v_webmail,"'")) == 'disabled') { echo "selected"; }?>><?= tohtml( _("Disabled")) ?></option>
 					</select>
 				</div>
 			<?php } ?>
 			<div class="u-mb10">
-				<label for="v_catchall" class="form-label"><?= _("Catch-All Email") ?></label>
-				<input type="email" class="form-control" name="v_catchall" id="v_catchall" value="<?= htmlentities(trim($v_catchall, "'")) ?>">
+				<label for="v_catchall" class="form-label"><?= tohtml( _("Catch-All Email")) ?></label>
+				<input type="email" class="form-control" name="v_catchall" id="v_catchall" value="<?= tohtml(trim($v_catchall, "'")) ?>">
 			</div>
 			<div class="u-mb20">
 				<label for="v_rate" class="form-label">
-					<?= _("Rate Limit") ?> <span class="optional">(<?= _("email / hour / account") ?>)</span>
+					<?= tohtml( _("Rate Limit")) ?> <span class="optional">(<?= tohtml( _("email / hour / account")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_rate" id="v_rate" value="<?= htmlentities(trim($v_rate, "'")) ?>" <?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>>
+				<input type="text" class="form-control" name="v_rate" id="v_rate" value="<?= tohtml(trim($v_rate, "'")) ?>" <?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>>
 			</div>
 			<?php if (!empty($_SESSION["ANTISPAM_SYSTEM"])) { ?>
 				<div class="form-check u-mb10">
 					<input class="form-check-input" type="checkbox" name="v_antispam" id="v_antispam" <?php if ($v_antispam == 'yes') echo 'checked'; ?>>
 					<label for="v_antispam">
-						<?= _("Spam Filter") ?>
+						<?= tohtml( _("Spam Filter")) ?>
 					</label>
 				</div>
 				<div class="form-check u-mb10">
 					<input class="form-check-input" type="checkbox" name="v_reject" id="v_reject" <?php if ($v_reject == 'yes') echo 'checked'; ?>>
 					<label for="v_reject">
-						<?= _("Reject Spam") ?>
+						<?= tohtml( _("Reject Spam")) ?>
 					</label>
 				</div>
 			<?php } ?>
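Review bot: The `selected` check on the `disabled` option compares `htmlentities(trim($v_webmail,"'")) == 'disabled'`; escaping a value before comparing it against a plain literal is a no-op for "disabled" but misleading, and it would silently fail for any value containing `&`, `<` or quotes. Compare the raw value, `trim($v_webmail, "'") === 'disabled'`, and keep escaping for output only.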
@@ -83,87 +83,87 @@
 				<div class="form-check u-mb10">
 					<input class="form-check-input" type="checkbox" name="v_antivirus" id="v_antivirus" <?php if ($v_antivirus == 'yes') echo 'checked'; ?>>
 					<label for="v_antivirus">
-						<?= _("Anti-Virus") ?>
+						<?= tohtml( _("Anti-Virus")) ?>
 					</label>
 				</div>
 			<?php } ?>
 			<div class="form-check u-mb10">
 				<input class="form-check-input" type="checkbox" name="v_dkim" id="v_dkim" <?php if ($v_dkim == 'yes') echo 'checked'; ?>>
 				<label for="v_dkim">
-					<?= _("DKIM Support") ?>
+					<?= tohtml( _("DKIM Support")) ?>
 				</label>
 			</div>
 			<div class="form-check u-mb10">
 				<input x-model="sslEnabled" class="form-check-input" type="checkbox" name="v_ssl" id="v_ssl">
 				<label for="v_ssl">
-					<?= _("Enable SSL for this domain") ?>
+					<?= tohtml( _("Enable SSL for this domain")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="sslEnabled" class="u-pl30">
 				<div class="form-check u-mb10">
 					<input x-model="letsEncryptEnabled" class="form-check-input" type="checkbox" name="v_letsencrypt" id="v_letsencrypt">
 					<label for="v_letsencrypt">
-						<?= _("Use Let's Encrypt to obtain SSL certificate") ?>
+						<?= tohtml( _("Use Let's Encrypt to obtain SSL certificate")) ?>
 					</label>
 				</div>
 				<div class="alert alert-info u-mb20" role="alert">
 					<i class="fas fa-exclamation"></i>
 					<div>
 						<p><?php echo $v_webmail_alias; ?></p>
-						<p><?= sprintf(_("To enable Let's Encrypt SSL, ensure that DNS records exist for mail.%s and %s!"), $v_domain, $v_webmail_alias) ?></p>
+						<p><?= tohtml(sprintf(_("To enable Let's Encrypt SSL, ensure that DNS records exist for mail.%s and %s!"), $v_domain, $v_webmail_alias)) ?></p>
 					</div>
 				</div>
 				<div x-cloak x-show="!letsEncryptEnabled">
 					<div class="u-mb10">
 						<label for="v_ssl_crt" class="form-label">
-							<?= _("SSL Certificate") ?>
-							<span x-cloak x-show="!letsEncryptEnabled" id="generate-csr" > / <a class="form-link" target="_blank" href="/generate/ssl/?domain=<?= htmlentities($v_domain) ?>"><?= _("Generate Self-Signed SSL Certificate") ?></a></span>
+							<?= tohtml( _("SSL Certificate")) ?>
+							<span x-cloak x-show="!letsEncryptEnabled" id="generate-csr" > / <a class="form-link" target="_blank" href="/generate/ssl/?<?= tohtml(http_build_query(["domain" => $v_domain])) ?>"><?= tohtml( _("Generate Self-Signed SSL Certificate")) ?></a></span>
 						</label>
-						<textarea x-bind:disabled="letsEncryptEnabled" class="form-control u-min-height100 u-console" name="v_ssl_crt" id="v_ssl_crt"><?= htmlentities(trim($v_ssl_crt, "'")) ?></textarea>
+						<textarea x-bind:disabled="letsEncryptEnabled" class="form-control u-min-height100 u-console" name="v_ssl_crt" id="v_ssl_crt"><?= tohtml(trim($v_ssl_crt, "'")) ?></textarea>
 					</div>
 					<div class="u-mb10">
-						<label for="v_ssl_key" class="form-label"><?= _("SSL Private Key") ?></label>
-						<textarea x-bind:disabled="letsEncryptEnabled" class="form-control u-min-height100 u-console" name="v_ssl_key" id="v_ssl_key"><?= htmlentities(trim($v_ssl_key, "'")) ?></textarea>
+						<label for="v_ssl_key" class="form-label"><?= tohtml( _("SSL Private Key")) ?></label>
+						<textarea x-bind:disabled="letsEncryptEnabled" class="form-control u-min-height100 u-console" name="v_ssl_key" id="v_ssl_key"><?= tohtml(trim($v_ssl_key, "'")) ?></textarea>
 					</div>
 					<div class="u-mb20">
 						<label for="v_ssl_ca" class="form-label">
-							<?= _("SSL Certificate Authority / Intermediate") ?> <span class="optional">(<?= _("Optional") ?>)</span>
+							<?= tohtml( _("SSL Certificate Authority / Intermediate")) ?> <span class="optional">(<?= tohtml( _("Optional")) ?>)</span>
 						</label>
-						<textarea x-bind:disabled="letsEncryptEnabled" class="form-control u-min-height100 u-console" name="v_ssl_ca" id="v_ssl_ca"><?= htmlentities(trim($v_ssl_ca, "'")) ?></textarea>
+						<textarea x-bind:disabled="letsEncryptEnabled" class="form-control u-min-height100 u-console" name="v_ssl_ca" id="v_ssl_ca"><?= tohtml(trim($v_ssl_ca, "'")) ?></textarea>
 					</div>
 				</div>
 				<?php if ($v_ssl != "no") { ?>
 					<ul class="values-list u-mb20">
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Issued To") ?></span>
-							<span class="values-list-value"><?= htmlentities($v_ssl_subject) ?></span>
+							<span class="values-list-label"><?= tohtml( _("Issued To")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_subject) ?></span>
 						</li>
 						<?php if ($v_ssl_aliases) {
 							$v_ssl_aliases = str_replace(",", ", ", $v_ssl_aliases); ?>
 							<li class="values-list-item">
-								<span class="values-list-label"><?= _("Alternate") ?></span>
-								<span class="values-list-value"><?= htmlentities($v_ssl_aliases) ?></span>
+								<span class="values-list-label"><?= tohtml( _("Alternate")) ?></span>
+								<span class="values-list-value"><?= tohtml($v_ssl_aliases) ?></span>
 							</li>
 						<?php } ?>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Not Before") ?></span>
-							<span class="values-list-value"><?= htmlentities($v_ssl_not_before) ?></span>
+							<span class="values-list-label"><?= tohtml( _("Not Before")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_not_before) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Not After") ?></span>
-							<span class="values-list-value"><?= htmlentities($v_ssl_not_after) ?></span>
+							<span class="values-list-label"><?= tohtml( _("Not After")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_not_after) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Signature") ?></span>
-							<span class="values-list-value"><?= htmlentities($v_ssl_signature) ?></span>
+							<span class="values-list-label"><?= tohtml( _("Signature")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_signature) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Key Size") ?></span>
-							<span class="values-list-value"><?= htmlentities($v_ssl_pub_key) ?></span>
+							<span class="values-list-label"><?= tohtml( _("Key Size")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_pub_key) ?></span>
 						</li>
 						<li class="values-list-item">
-							<span class="values-list-label"><?= _("Issued By") ?></span>
-							<span class="values-list-value"><?= htmlentities($v_ssl_issuer) ?></span>
+							<span class="values-list-label"><?= tohtml( _("Issued By")) ?></span>
+							<span class="values-list-value"><?= tohtml($v_ssl_issuer) ?></span>
 						</li>
 					</ul>
 				<?php } ?>
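Review bot: `<p><?php echo $v_webmail_alias; ?></p>` in this hunk's context still outputs `$v_webmail_alias` unescaped, while the line directly below it now wraps the same variable (via sprintf) in tohtml(); change it to `<p><?= tohtml($v_webmail_alias) ?></p>` so the alert box is consistent with the rest of the file.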
@@ -171,24 +171,24 @@
 			<div class="form-check u-mb10">
 				<input x-model="hasSmtpRelay" class="form-check-input" type="checkbox" name="v_smtp_relay" id="v_smtp_relay">
 				<label for="v_smtp_relay">
-					<?= _("SMTP Relay") ?>
+					<?= tohtml( _("SMTP Relay")) ?>
 				</label>
 			</div>
 			<div x-cloak x-show="hasSmtpRelay" id="smtp_relay_table" class="u-pl30">
 				<div class="u-mb10">
-					<label for="v_smtp_relay_host" class="form-label"><?= _("Host") ?></label>
-					<input type="text" class="form-control" name="v_smtp_relay_host" id="v_smtp_relay_host" value="<?= htmlentities(trim($v_smtp_relay_host, "'")) ?>">
+					<label for="v_smtp_relay_host" class="form-label"><?= tohtml( _("Host")) ?></label>
+					<input type="text" class="form-control" name="v_smtp_relay_host" id="v_smtp_relay_host" value="<?= tohtml(trim($v_smtp_relay_host, "'")) ?>">
 				</div>
 				<div class="u-mb10">
-					<label for="v_smtp_relay_port" class="form-label"><?= _("Port") ?></label>
-					<input type="text" class="form-control" name="v_smtp_relay_port" id="v_smtp_relay_port" value="<?= htmlentities(trim($v_smtp_relay_port, "'")) ?>">
+					<label for="v_smtp_relay_port" class="form-label"><?= tohtml( _("Port")) ?></label>
+					<input type="text" class="form-control" name="v_smtp_relay_port" id="v_smtp_relay_port" value="<?= tohtml(trim($v_smtp_relay_port, "'")) ?>">
 				</div>
 				<div class="u-mb10">
-					<label for="v_smtp_relay_user" class="form-label"><?= _("Username") ?></label>
-					<input type="text" class="form-control" name="v_smtp_relay_user" id="v_smtp_relay_user" value="<?= htmlentities(trim($v_smtp_relay_user, "'")) ?>">
+					<label for="v_smtp_relay_user" class="form-label"><?= tohtml( _("Username")) ?></label>
+					<input type="text" class="form-control" name="v_smtp_relay_user" id="v_smtp_relay_user" value="<?= tohtml(trim($v_smtp_relay_user, "'")) ?>">
 				</div>
 				<div class="u-mb10">
-					<label for="v_smtp_relay_pass" class="form-label"><?= _("Password") ?></label>
+					<label for="v_smtp_relay_pass" class="form-label"><?= tohtml( _("Password")) ?></label>
 					<input type="text" class="form-control" name="v_smtp_relay_pass" id="v_smtp_relay_pass">
 				</div>
 			</div>

+ 33 - 33
web/templates/pages/edit_mail_acc.php

@@ -2,13 +2,13 @@
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
-			<a class="button button-secondary button-back js-button-back" href="/list/mail/?domain=<?= htmlentities(trim($v_domain, "'")) ?>&token=<?= $_SESSION["token"] ?>">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+			<a class="button button-secondary button-back js-button-back" href="/list/mail/?<?= tohtml(http_build_query(["domain" => trim($v_domain, "'"), "token" => $_SESSION["token"]])) ?>">
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -19,105 +19,105 @@
 
 	<form
 		x-data="{
-			hasAutoReply: <?= $v_autoreply == "yes" ? "true" : "false" ?>
+			hasAutoReply: <?= tohtml($v_autoreply == "yes" ? "true" : "false") ?>
 		}"
 		id="main-form"
 		name="v_edit_mail_acc"
 		method="post"
-		class="<?= $v_status ?>"
+		class="<?= tohtml($v_status) ?>"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container form-container-wide">
-			<h1 class="u-mb20"><?= _("Edit Mail Account") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Mail Account")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="sidebar-right-grid">
 				<div class="sidebar-right-grid-content">
 					<div class="u-mb10">
-						<label for="v_email" class="form-label"><?= _("Account") ?></label>
-						<input type="text" class="form-control" name="v_email" id="v_email" value="<?= htmlentities($_GET["account"]) . "@" . htmlentities($_GET["domain"]) ?>" disabled>
-						<input type="hidden" name="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
-						<input type="hidden" name="v_account" value="<?= htmlentities(trim($v_account, "'")) ?>" class="js-account-input">
+						<label for="v_email" class="form-label"><?= tohtml( _("Account")) ?></label>
+						<input type="text" class="form-control" name="v_email" id="v_email" value="<?= tohtml($_GET["account"] . "@" . $_GET["domain"]) ?>" disabled>
+						<input type="hidden" name="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
+						<input type="hidden" name="v_account" value="<?= tohtml(trim($v_account, "'")) ?>" class="js-account-input">
 					</div>
 					<div class="u-mb10">
 						<label for="v_password" class="form-label">
-							<?= _("Password") ?>
-							<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+							<?= tohtml( _("Password")) ?>
+							<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 								<i class="fas fa-arrows-rotate icon-green"></i>
 							</button>
 						</label>
 						<div class="u-pos-relative u-mb10">
-							<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= htmlentities(trim($v_password, "'")) ?>">
+							<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= tohtml(trim($v_password, "'")) ?>">
 							<div class="password-meter">
 								<meter max="4" class="password-meter-input js-password-meter"></meter>
 							</div>
 						</div>
 					</div>
-					<p class="u-mb10"><?= _("Your password must have at least") ?>:</p>
+					<p class="u-mb10"><?= tohtml( _("Your password must have at least")) ?>:</p>
 					<ul class="u-list-bulleted u-mb20">
-						<li><?= _("8 characters long") ?></li>
-						<li><?= _("1 uppercase & 1 lowercase character") ?></li>
-						<li><?= _("1 number") ?></li>
+						<li><?= tohtml( _("8 characters long")) ?></li>
+						<li><?= tohtml( _("1 uppercase & 1 lowercase character")) ?></li>
+						<li><?= tohtml( _("1 number")) ?></li>
 					</ul>
 					<div class="u-mb10">
 						<label for="v_send_email" class="form-label">
-							<?= _("Email login credentials to:") ?>
+							<?= tohtml( _("Email login credentials to:")) ?>
 						</label>
-						<input type="email" class="form-control" name="v_send_email" id="v_send_email" value="<?= htmlentities(trim($v_send_email, "'")) ?>">
+						<input type="email" class="form-control" name="v_send_email" id="v_send_email" value="<?= tohtml(trim($v_send_email, "'")) ?>">
 					</div>
 					<div class="u-mb10">
 						<label for="v_quota" class="form-label">
-							<?= _("Quota") ?> <span class="optional">(<?= _("in MB") ?>)</span>
+							<?= tohtml( _("Quota")) ?> <span class="optional">(<?= tohtml( _("in MB")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
 							<input type="text" class="form-control" name="v_quota" id="v_quota" value="<?php if (!empty($v_quota)) {echo htmlentities(trim($v_quota, "'"));} else { echo "0"; } ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_aliases" class="form-label">
-							<?= _("Aliases") ?> <span class="optional">(<?= _("Use local-part without domain name") ?>)</span>
+							<?= tohtml( _("Aliases")) ?> <span class="optional">(<?= tohtml( _("Use local-part without domain name")) ?>)</span>
 						</label>
-						<textarea class="form-control" name="v_aliases" id="v_aliases"><?= htmlentities(trim($v_aliases, "'")) ?></textarea>
+						<textarea class="form-control" name="v_aliases" id="v_aliases"><?= tohtml(trim($v_aliases, "'")) ?></textarea>
 					</div>
 					<div class="form-check">
 						<input class="form-check-input js-discard-all-mail" type="checkbox" name="v_blackhole" id="v_blackhole" <?php if ($v_blackhole == 'yes') echo 'checked' ?>>
 						<label for="v_blackhole">
-							<?= _("Discard all mail") ?>
+							<?= tohtml( _("Discard all mail")) ?>
 						</label>
 					</div>
 					<div class="form-check <?php if ($v_blackhole == 'yes') { echo 'u-hidden'; } ?>">
 						<input class="form-check-input js-do-not-store-checkbox" type="checkbox" name="v_fwd_only" id="v_fwd_for" <?php if ($v_fwd_only == 'yes') echo 'checked' ?>>
 						<label for="v_fwd_for">
-							<?= _("Do not store forwarded mail") ?>
+							<?= tohtml( _("Do not store forwarded mail")) ?>
 						</label>
 					</div>
 					<div class="u-mb10">
 						<label for="v_fwd" class="form-label">
-							<?= _("Forward to") ?> <span class="optional">(<?= _("one or more email addresses") ?>)</span>
+							<?= tohtml( _("Forward to")) ?> <span class="optional">(<?= tohtml( _("one or more email addresses")) ?>)</span>
 						</label>
-						<textarea class="form-control js-forward-to-textarea" name="v_fwd" id="v_fwd" <?php if ($v_blackhole == 'yes') echo "disabled"; ?>><?= htmlentities(trim($v_fwd, "'")) ?></textarea>
+						<textarea class="form-control js-forward-to-textarea" name="v_fwd" id="v_fwd" <?php if ($v_blackhole == 'yes') echo "disabled"; ?>><?= tohtml(trim($v_fwd, "'")) ?></textarea>
 					</div>
 					<div class="form-check u-mb10">
 						<input x-model="hasAutoReply" class="form-check-input" type="checkbox" name="v_autoreply" id="v_autoreply">
 						<label for="v_autoreply">
-							<?= _("Auto Reply") ?>
+							<?= tohtml( _("Auto Reply")) ?>
 						</label>
 					</div>
 					<div x-cloak x-show="hasAutoReply" id="autoreplytable">
 						<div class="u-mb10">
-							<label for="v_autoreply_message" class="form-label"><?= _("Message") ?></label>
-							<textarea class="form-control" name="v_autoreply_message" id="v_autoreply_message"><?= htmlentities(trim($v_autoreply_message, "'")) ?></textarea>
+							<label for="v_autoreply_message" class="form-label"><?= tohtml( _("Message")) ?></label>
+							<textarea class="form-control" name="v_autoreply_message" id="v_autoreply_message"><?= tohtml(trim($v_autoreply_message, "'")) ?></textarea>
 						</div>
 					</div>
 					<div class="u-mb20">
 						<label for="v_rate" class="form-label">
-							<?= _("Rate Limit") ?> <span class="optional">(<?= _("email / hour") ?>)</span>
+							<?= tohtml( _("Rate Limit")) ?> <span class="optional">(<?= tohtml( _("email / hour")) ?>)</span>
 						</label>
-						<input type="text" class="form-control" name="v_rate" id="v_rate" value="<?= htmlentities(trim($v_rate, "'")) ?>" <?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>>
+						<input type="text" class="form-control" name="v_rate" id="v_rate" value="<?= tohtml(trim($v_rate, "'")) ?>" <?php if ($_SESSION['userContext'] != "admin"){ echo "disabled"; }?>>
 					</div>
 				</div>
 				<div class="sidebar-right-grid-sidebar">
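Review bot: the quota input in this hunk still calls `htmlentities(trim($v_quota, "'"))` while every neighbouring `value` attribute was migrated to `tohtml(...)`; for consistency with the rest of the PR (and so a later audit can grep for a single escaping helper) switch it to the shared helper while keeping the `0` fallback, e.g. `value="<?= tohtml(!empty($v_quota) ? trim($v_quota, "'") : "0") ?>"`.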

+ 82 - 84
web/templates/pages/edit_package.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/package/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -21,47 +21,47 @@
 		id="main-form"
 		name="v_edit_package"
 		method="post"
-		class="<?= $v_status ?>"
+		class="<?= tohtml($v_status) ?>"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit Package") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit Package")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_package_new" class="form-label"><?= _("Package Name") ?></label>
-				<input type="text" class="form-control" name="v_package_new" id="v_package_new" value="<?= htmlentities(trim($v_package_new, "'")) ?>" required>
-				<input type="hidden" name="v_package" value="<?= htmlentities(trim($v_package, "'")) ?>">
+				<label for="v_package_new" class="form-label"><?= tohtml( _("Package Name")) ?></label>
+				<input type="text" class="form-control" name="v_package_new" id="v_package_new" value="<?= tohtml(trim($v_package_new, "'")) ?>" required>
+				<input type="hidden" name="v_package" value="<?= tohtml(trim($v_package, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_disk_quota" class="form-label">
-					<?= _("Quota") ?> <span class="optional">(<?= _("in MB") ?>)</span>
+					<?= tohtml( _("Quota")) ?> <span class="optional">(<?= tohtml( _("in MB")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
-					<input type="text" class="form-control" name="v_disk_quota" id="v_disk_quota" value="<?= htmlentities(trim($v_disk_quota, "'")) ?>">
-					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+					<input type="text" class="form-control" name="v_disk_quota" id="v_disk_quota" value="<?= tohtml(trim($v_disk_quota, "'")) ?>">
+					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 						<i class="fas fa-infinity"></i>
 					</button>
 				</div>
 			</div>
 			<div class="u-mb10">
 				<label for="v_bandwidth" class="form-label">
-					<?= _("Bandwidth") ?> <span class="optional">(<?= _("in MB") ?>)</span>
+					<?= tohtml( _("Bandwidth")) ?> <span class="optional">(<?= tohtml( _("in MB")) ?>)</span>
 				</label>
 				<div class="u-pos-relative">
-					<input type="text" class="form-control" name="v_bandwidth" id="v_bandwidth" value="<?= htmlentities(trim($v_bandwidth, "'")) ?>">
-					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+					<input type="text" class="form-control" name="v_bandwidth" id="v_bandwidth" value="<?= tohtml(trim($v_bandwidth, "'")) ?>">
+					<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 						<i class="fas fa-infinity"></i>
 					</button>
 				</div>
 			</div>
 			<div class="u-mb10">
-				<label for="v_backups" class="form-label"><?= _("Backups") ?></label>
-				<input type="text" class="form-control" name="v_backups" id="v_backups" value="<?= htmlentities(trim($v_backups, "'")) ?>">
+				<label for="v_backups" class="form-label"><?= tohtml( _("Backups")) ?></label>
+				<input type="text" class="form-control" name="v_backups" id="v_backups" value="<?= tohtml(trim($v_backups, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_backups_incremental" class="form-label"><?= _("Incremental Backups") ?></label>
+				<label for="v_backups_incremental" class="form-label"><?= tohtml( _("Incremental Backups")) ?></label>
 				<select class="form-select" name="v_backups_incremental" id="v_backups_incremental">
 					<option value="no"><?=_('Disabled')?></option>
 					<option value="yes" <?php if (!empty($v_backups_incremental) && 'yes' == trim($v_backups_incremental, "''")): ?>
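Review bot: the `Disabled` option just above the `yes` option still emits `<?=_('Disabled')?>` unescaped, while every other translated string in this file now goes through `tohtml()`; change it to `<?= tohtml(_('Disabled')) ?>` so a translation containing `<` or `&` cannot break the `<select>` markup. Also, the trim mask `"''"` on the `yes` option is identical to `"'"` (a trim mask is a set of characters, so the duplicate is ignored); writing `"'"` avoids the impression that a double quote was intended.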
@@ -71,32 +71,32 @@
 			</div>
 			<details class="collapse" id="web-options">
 				<summary class="collapse-header">
-					<?= _("WEB") ?>
+					<?= tohtml( _("WEB")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_web_domains" class="form-label"><?= _("Web Domains") ?></label>
+						<label for="v_web_domains" class="form-label"><?= tohtml( _("Web Domains")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_web_domains" id="v_web_domains" value="<?= htmlentities(trim($v_web_domains, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_web_domains" id="v_web_domains" value="<?= tohtml(trim($v_web_domains, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_web_aliases" class="form-label">
-							<?= _("Web Aliases") ?> <span class="optional">(<?= _("per domain") ?>)</span>
+							<?= tohtml( _("Web Aliases")) ?> <span class="optional">(<?= tohtml( _("per domain")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_web_aliases" id="v_web_aliases" value="<?= htmlentities(trim($v_web_aliases, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_web_aliases" id="v_web_aliases" value="<?= tohtml(trim($v_web_aliases, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_web_template" class="form-label">
-							<?= _("Web Template") . " <span class='optional'> " . strtoupper($_SESSION["WEB_SYSTEM"]) . "</span>" ?>
+							<?= tohtml( _("Web Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["WEB_SYSTEM"])) ?></span>
 						</label>
 						<select class="form-select" name="v_web_template" id="v_web_template">
 							<?php
@@ -113,9 +113,9 @@
 					<?php if (!empty($_SESSION['WEB_BACKEND'])) {
 						echo ""; ?>
 						<div class="u-mb10">
-							<label for="v_backend_template" class="form-label">
-								<?= _("Backend Template") . "<span class='optional'>" . strtoupper($_SESSION["WEB_BACKEND"]) . "</span>" ?>
-							</label>
+								<label for="v_backend_template" class="form-label">
+									<?= tohtml( _("Backend Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["WEB_BACKEND"])) ?></span>
+								</label>
 							<select class="form-select" name="v_backend_template" id="v_backend_template">
 								<?php
 								foreach ($backend_templates as $key => $value) {
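Review bot: the re-indented `<label for="v_backend_template">` block now sits one tab deeper than its sibling `<select name="v_backend_template">` directly below it, so two children of the same `<div class="u-mb10">` no longer line up; drop the extra tab on the three label lines. The `echo "";` after `if (!empty($_SESSION['WEB_BACKEND']))` is a no-op that could go at the same time, since the closing `?>` already switches back to HTML mode.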
@@ -128,14 +128,13 @@
 								?>
 							</select>
 						</div>
-						<?= "";
-					} ?>
+							<?php } ?>
 					<?php if (!empty($_SESSION['PROXY_SYSTEM'])) {
 						echo ""; ?>
 						<div class="u-mb10">
-							<label for="v_proxy_template" class="form-label">
-								<?= _("Proxy Template") . "<span class='optional'>" . strtoupper($_SESSION["PROXY_SYSTEM"]) . "</span>" ?>
-							</label>
+								<label for="v_proxy_template" class="form-label">
+									<?= tohtml( _("Proxy Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["PROXY_SYSTEM"])) ?></span>
+								</label>
 							<select class="form-select" name="v_proxy_template" id="v_proxy_template">
 								<?php
 								foreach ($proxy_templates as $key => $value) {
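Review bot: same indentation drift as the backend-template block: the new `<?php } ?>` that closes the `WEB_BACKEND` branch, and the re-indented proxy `<label>`, are two tabs deeper than the `<?php if (!empty($_SESSION['PROXY_SYSTEM'])) {` that opens the next branch, which makes the brace pairing hard to follow in a template that mixes `{ }` with HTML; align the closing tag with its opening `if`. Replacing `<?= ""; } ?>` with `<?php } ?>` is otherwise a welcome cleanup, since the empty echo did nothing.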
@@ -148,18 +147,17 @@
 								?>
 							</select>
 						</div>
-						<?= "";
-					} ?>
+							<?php } ?>
 				</div>
 			</details>
 			<details class="collapse" id="dns-options">
 				<summary class="collapse-header">
-					<?= _("DNS") ?>
+					<?= tohtml( _("DNS")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
 						<label for="v_dns_template" class="form-label">
-							<?= _("DNS Template") . "<span class='optional'>" . strtoupper($_SESSION["DNS_SYSTEM"]) . "</span>" ?>
+							<?= tohtml( _("DNS Template")) ?> <span class="optional"><?= tohtml(strtoupper($_SESSION["DNS_SYSTEM"])) ?></span>
 						</label>
 						<select class="form-select" name="v_dns_template" id="v_dns_template">
 							<?php
@@ -177,83 +175,83 @@
 						</select>
 					</div>
 					<div class="u-mb10">
-						<label for="v_dns_domains" class="form-label"><?= _("DNS Zones") ?></label>
+						<label for="v_dns_domains" class="form-label"><?= tohtml( _("DNS Zones")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_dns_domains" id="v_dns_domains" value="<?= htmlentities(trim($v_dns_domains, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_dns_domains" id="v_dns_domains" value="<?= tohtml(trim($v_dns_domains, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_dns_records" class="form-label">
-							<?= _("DNS Records") ?> <span class="optional">(<?= _("per domain") ?>)</span>
+							<?= tohtml( _("DNS Records")) ?> <span class="optional">(<?= tohtml( _("per domain")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_dns_records" id="v_dns_records" value="<?= htmlentities(trim($v_dns_records, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_dns_records" id="v_dns_records" value="<?= tohtml(trim($v_dns_records, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<?php if (isset($_SESSION["DNS_SYSTEM"]) && !empty($_SESSION["DNS_SYSTEM"])) { ?>
-						<p class="form-label u-mb10"><?= _("Name Servers") ?></p>
+						<p class="form-label u-mb10"><?= tohtml( _("Name Servers")) ?></p>
 						<div class="u-mb5">
-							<input type="text" class="form-control" name="v_ns1" value="<?= htmlentities(trim($v_ns1, "'")) ?>">
+							<input type="text" class="form-control" name="v_ns1" value="<?= tohtml(trim($v_ns1, "'")) ?>">
 						</div>
 						<div class="u-mb5">
-							<input type="text" class="form-control" name="v_ns2" value="<?= htmlentities(trim($v_ns2, "'")) ?>">
+							<input type="text" class="form-control" name="v_ns2" value="<?= tohtml(trim($v_ns2, "'")) ?>">
 						</div>
 						<?php require $_SERVER["HESTIA"] . "/web/templates/includes/extra-ns-fields.php"; ?>
 						<button type="button" class="form-link u-mt20 js-add-ns" <?php if ($v_ns8) echo 'style="display:none;"'; ?>>
-							<?= _("Add Name Server") ?>
+							<?= tohtml( _("Add Name Server")) ?>
 						</button>
 					<?php } ?>
 				</div>
 			</details>
 			<details class="collapse" id="mail-options">
 				<summary class="collapse-header">
-					<?= _("MAIL") ?>
+					<?= tohtml( _("MAIL")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_mail_domains" class="form-label"><?= _("Mail Domains") ?></label>
+						<label for="v_mail_domains" class="form-label"><?= tohtml( _("Mail Domains")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_mail_domains" id="v_mail_domains" value="<?= htmlentities(trim($v_mail_domains, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_mail_domains" id="v_mail_domains" value="<?= tohtml(trim($v_mail_domains, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_mail_accounts" class="form-label">
-							<?= _("Mail Accounts") ?> <span class="optional">(<?= _("per domain") ?>)</span>
+							<?= tohtml( _("Mail Accounts")) ?> <span class="optional">(<?= tohtml( _("per domain")) ?>)</span>
 						</label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_mail_accounts" id="v_mail_accounts" value="<?= htmlentities(trim($v_mail_accounts, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_mail_accounts" id="v_mail_accounts" value="<?= tohtml(trim($v_mail_accounts, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
 						<label for="v_ratelimit" class="form-label">
-							<?= _("Rate Limit") ?> <span class="optional">(<?= _("per account / hour") ?>)</span>
+							<?= tohtml( _("Rate Limit")) ?> <span class="optional">(<?= tohtml( _("per account / hour")) ?>)</span>
 						</label>
-						<input type="text" class="form-control" name="v_ratelimit" id="v_ratelimit" value="<?= htmlentities(trim($v_ratelimit, "'")) ?>">
+						<input type="text" class="form-control" name="v_ratelimit" id="v_ratelimit" value="<?= tohtml(trim($v_ratelimit, "'")) ?>">
 					</div>
 				</div>
 			</details>
 			<details class="collapse" id="database-options">
 				<summary class="collapse-header">
-					<?= _("DB") ?>
+					<?= tohtml( _("DB")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_databases" class="form-label"><?= _("Databases") ?></label>
+						<label for="v_databases" class="form-label"><?= tohtml( _("Databases")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_databases" id="v_databases" value="<?= htmlentities(trim($v_databases, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_databases" id="v_databases" value="<?= tohtml(trim($v_databases, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
@@ -262,28 +260,28 @@
 			</details>
 			<details class="collapse" id="system-options">
 				<summary class="collapse-header">
-					<?= _("System") ?>
+					<?= tohtml( _("System")) ?>
 				</summary>
 				<div class="collapse-content">
 					<div class="u-mb10">
-						<label for="v_cron_jobs" class="form-label"><?= _("Cron Jobs") ?></label>
+						<label for="v_cron_jobs" class="form-label"><?= tohtml( _("Cron Jobs")) ?></label>
 						<div class="u-pos-relative">
-							<input type="text" class="form-control" name="v_cron_jobs" id="v_cron_jobs" value="<?= htmlentities(trim($v_cron_jobs, "'")) ?>">
-							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+							<input type="text" class="form-control" name="v_cron_jobs" id="v_cron_jobs" value="<?= tohtml(trim($v_cron_jobs, "'")) ?>">
+							<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 								<i class="fas fa-infinity"></i>
 							</button>
 						</div>
 					</div>
 					<div class="u-mb10">
-						<label for="v_shell" class="form-label"><?= _("SSH Access") ?></label>
+						<label for="v_shell" class="form-label"><?= tohtml( _("SSH Access")) ?></label>
 						<select class="form-select" name="v_shell" id="v_shell">
 							<?php foreach ($shells as $key => $value): ?>
-								<option value="<?= htmlentities($value) ?>"
+								<option value="<?= tohtml($value) ?>"
 									<?php if (!empty($v_shell) && $value == trim($v_shell, "''")): ?>
 										selected
 									<?php endif; ?>
 								>
-									<?= htmlentities($value) ?>
+									<?= tohtml($value) ?>
 								</option>
 							<?php endforeach; ?>
 						</select>
@@ -294,59 +292,59 @@
 			<?php if ($_SESSION['RESOURCES_LIMIT'] == 'yes') { ?>
 				<details class="collapse" id="system-resources-options">
 					<summary class="collapse-header">
-						<?= _("System Resources") ?>
+						<?= tohtml( _("System Resources")) ?>
 					</summary>
 					<div class="collapse-content">
 						<div class="u-mb10">
 							<label for="cfs_quota" class="form-label">
-								<?= _("CPU Quota (in %)") ?>
+								<?= tohtml( _("CPU Quota (in %)")) ?>
 							</label>
 							<div class="u-pos-relative">
-								<input type="text" class="form-control" name="v_cpu_quota" id="v_cpu_quota" value="<?= htmlentities(trim($v_cpu_quota, "'")) ?>">
-								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+								<input type="text" class="form-control" name="v_cpu_quota" id="v_cpu_quota" value="<?= tohtml(trim($v_cpu_quota, "'")) ?>">
+								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 									<i class="fas fa-infinity"></i>
 								</button>
 							</div>
-							<small class="form-text text-muted"><?= _("CPUQuota=20% ensures that the executed processes will never get more than 20% CPU time on one CPU.") ?></small>
+							<small class="form-text text-muted"><?= tohtml( _("CPUQuota=20% ensures that the executed processes will never get more than 20% CPU time on one CPU.")) ?></small>
 						</div>
 
 						<div class="u-mb10">
 							<label for="cfs_period" class="form-label">
-								<?= _("CPU Quota Period (in ms for milliseconds or s for seconds.)") ?>
+								<?= tohtml( _("CPU Quota Period (in ms for milliseconds or s for seconds.)")) ?>
 							</label>
 							<div class="u-pos-relative">
-								<input type="text" class="form-control" name="v_cpu_quota_period" id="v_cpu_quota_period" value="<?= htmlentities(trim($v_cpu_quota_period, "'")) ?>">
-								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+								<input type="text" class="form-control" name="v_cpu_quota_period" id="v_cpu_quota_period" value="<?= tohtml(trim($v_cpu_quota_period, "'")) ?>">
+								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 									<i class="fas fa-infinity"></i>
 								</button>
 							</div>
-							<small class="form-text text-muted"><?= _("CPUQuotaPeriodSec=10ms to request that the CPU quota is measured in periods of 10ms.") ?></small>
+							<small class="form-text text-muted"><?= tohtml( _("CPUQuotaPeriodSec=10ms to request that the CPU quota is measured in periods of 10ms.")) ?></small>
 						</div>
 
 						<div class="u-mb10">
 							<label for="memory_limit" class="form-label">
-								<?= _("Memory Limit (in bytes or with units like '2G')") ?>
+								<?= tohtml( _("Memory Limit (in bytes or with units like '2G')")) ?>
 							</label>
 							<div class="u-pos-relative">
-								<input type="text" class="form-control" name="v_memory_limit" id="v_memory_limit" value="<?= htmlentities(trim($v_memory_limit, "'")) ?>">
-								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+								<input type="text" class="form-control" name="v_memory_limit" id="v_memory_limit" value="<?= tohtml(trim($v_memory_limit, "'")) ?>">
+								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 									<i class="fas fa-infinity"></i>
 								</button>
 							</div>
-							<small class="form-text text-muted"><?= _("Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively") ?></small>
+							<small class="form-text text-muted"><?= tohtml( _("Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively")) ?></small>
 						</div>
 
 						<div class="u-mb10">
 							<label for="swap_limit" class="form-label">
-								<?= _("Swap Limit (in bytes or with units like '2G')") ?>
+								<?= tohtml( _("Swap Limit (in bytes or with units like '2G')")) ?>
 							</label>
 							<div class="u-pos-relative">
-								<input type="text" class="form-control" name="v_swap_limit" id="v_swap_limit" value="<?= htmlentities(trim($v_swap_limit, "'")) ?>">
-								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= _("Unlimited") ?>">
+								<input type="text" class="form-control" name="v_swap_limit" id="v_swap_limit" value="<?= tohtml(trim($v_swap_limit, "'")) ?>">
+								<button type="button" class="unlimited-toggle js-unlimited-toggle" title="<?= tohtml( _("Unlimited")) ?>">
 									<i class="fas fa-infinity"></i>
 								</button>
 							</div>
-							<small class="form-text text-muted"><?= _("Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively") ?></small>
+							<small class="form-text text-muted"><?= tohtml( _("Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively")) ?></small>
 						</div>
 					</div>
 				</details>
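Review bot: the four `for` attributes in this hunk (`cfs_quota`, `cfs_period`, `memory_limit`, `swap_limit`) do not match the ids of the inputs they sit next to (`v_cpu_quota`, `v_cpu_quota_period`, `v_memory_limit`, `v_swap_limit`), so the labels are not associated with their fields for click-to-focus or assistive technology; since these label lines are being touched anyway, set each `for` to the matching `v_...` id.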

+ 9 - 9
web/templates/pages/edit_server_bind9.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
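Review bot: the new calls are written as `tohtml( _("Back"))` with a stray space after the opening parenthesis, while the variable calls in the same patch are `tohtml($x)`; pick one form (the project's `tohtml(_("Back"))`) and apply it across all files in this change, since the mixed spacing will otherwise trip the formatter check or leave a noisy follow-up commit.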
@@ -18,24 +18,24 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_options" class="form-label"><?= $v_options_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_options" id="v_options"><?= $v_options ?></textarea>
+				<label for="v_options" class="form-label"><?= tohtml($v_options_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_options" id="v_options"><?= tohtml($v_options) ?></textarea>
 			</div>
 			<div class="u-mb20">
-				<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= $v_config ?></textarea>
+				<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 			</div>
 			<div class="form-check">
 				<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 				<label for="v_restart">
-					<?= _("Restart") ?>
+					<?= tohtml( _("Restart")) ?>
 				</label>
 			</div>
 		</div>
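Review bot: the `<textarea>` bodies for `v_options` and `v_config` are the substantive fix in this hunk; the raw file content was previously emitted unescaped, so a `</textarea>` sequence in the file would have terminated the element and the rest of the file would be parsed as markup. Because the browser decodes entities in the textarea body on display and submits the decoded text, every `&` in the file must be encoded for the save round-trip to be lossless, so confirm `tohtml()` keeps `htmlspecialchars`'s default `double_encode=true`; a helper with `double_encode=false` would silently corrupt a config line that legitimately contains a sequence such as `&amp;`. For the same reason `tohtml()` must accept `null` here without a warning, since `$v_options` can be unset for services that have no options file.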

+ 23 - 23
web/templates/pages/edit_server_dovecot.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,54 +18,54 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= $v_config ?></textarea>
+				<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 			</div>
 			<?php if (!empty($v_config_path1)) { ?>
 				<div class="u-mb20">
-					<label for="v_config1" class="form-label"><?= $v_config_path1 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config1" id="v_config1"><?= $v_config1 ?></textarea>
+					<label for="v_config1" class="form-label"><?= tohtml($v_config_path1) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config1" id="v_config1"><?= tohtml($v_config1) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config2" class="form-label"><?= $v_config_path2 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config2" id="v_config2"><?= $v_config2 ?></textarea>
+					<label for="v_config2" class="form-label"><?= tohtml($v_config_path2) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config2" id="v_config2"><?= tohtml($v_config2) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config3" class="form-label"><?= $v_config_path3 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config3" id="v_config3"><?= $v_config3 ?></textarea>
+					<label for="v_config3" class="form-label"><?= tohtml($v_config_path3) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config3" id="v_config3"><?= tohtml($v_config3) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config4" class="form-label"><?= $v_config_path4 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config4" id="v_config4"><?= $v_config4 ?></textarea>
+					<label for="v_config4" class="form-label"><?= tohtml($v_config_path4) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config4" id="v_config4"><?= tohtml($v_config4) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config5" class="form-label"><?= $v_config_path5 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config5" id="v_config5"><?= $v_config5 ?></textarea>
+					<label for="v_config5" class="form-label"><?= tohtml($v_config_path5) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config5" id="v_config5"><?= tohtml($v_config5) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config6" class="form-label"><?= $v_config_path6 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config6" id="v_config6"><?= $v_config6 ?></textarea>
+					<label for="v_config6" class="form-label"><?= tohtml($v_config_path6) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config6" id="v_config6"><?= tohtml($v_config6) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config7" class="form-label"><?= $v_config_path7 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config7" id="v_config7"><?= $v_config7 ?></textarea>
+					<label for="v_config7" class="form-label"><?= tohtml($v_config_path7) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config7" id="v_config7"><?= tohtml($v_config7) ?></textarea>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config8" class="form-label"><?= $v_config_path8 ?></label>
-					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config8" id="v_config8"><?= $v_config8 ?></textarea>
+					<label for="v_config8" class="form-label"><?= tohtml($v_config_path8) ?></label>
+					<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config8" id="v_config8"><?= tohtml($v_config8) ?></textarea>
 				</div>
 			<?php } ?>
 			<div class="form-check">
 				<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 				<label for="v_restart">
-					<?= _("Restart") ?>
+					<?= tohtml( _("Restart")) ?>
 				</label>
 			</div>
 		</div>
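Review bot: the guard `if (!empty($v_config_path1))` only checks the first path, yet the block renders `v_config_path2` through `v_config_path8` unconditionally; now that `tohtml()` tolerates `null`, a missing path no longer raises a warning but still produces an empty label and an empty textarea that is posted back as `v_configN=""`. Wrap each pair in its own `if (!empty($v_config_pathN))`, or replace the eight copies with a loop over `1..8` that skips unset paths, so the escaping change does not paper over the missing guards.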

+ 8 - 8
web/templates/pages/edit_server_httpd.php

@@ -3,15 +3,15 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/edit/server/php/" class="button button-secondary">
-				<i class="fas fa-pencil icon-orange"></i><?= _("Configure") ?> PHP
+				<i class="fas fa-pencil icon-orange"></i><?= tohtml( _("Configure")) ?> PHP
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -21,20 +21,20 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= $v_config ?></textarea>
+				<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 			</div>
 			<div class="form-check">
 				<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 				<label for="v_restart">
-					<?= _("Restart") ?>
+					<?= tohtml( _("Restart")) ?>
 				</label>
 			</div>
 		</div>

+ 14 - 14
web/templates/pages/edit_server_mysql.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,53 +18,53 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="js-basic-options">
 				<div class="u-mb10">
 					<label for="v_max_connections" class="form-label">max_connections</label>
-					<input type="text" class="form-control" data-regexp="max_connections" data-prev-value="<?= htmlentities($v_max_connections) ?>" name="v_max_connections" id="v_max_connections" value="<?= htmlentities($v_max_connections) ?>">
+					<input type="text" class="form-control" data-regexp="max_connections" data-prev-value="<?= tohtml($v_max_connections) ?>" name="v_max_connections" id="v_max_connections" value="<?= tohtml($v_max_connections) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_max_user_connections" class="form-label">max_user_connections</label>
-					<input type="text" class="form-control" data-regexp="max_user_connections" data-prev-value="<?= htmlentities($v_max_user_connections) ?>" name="v_max_user_connections" id="v_max_user_connections" value="<?= htmlentities($v_max_user_connections) ?>">
+					<input type="text" class="form-control" data-regexp="max_user_connections" data-prev-value="<?= tohtml($v_max_user_connections) ?>" name="v_max_user_connections" id="v_max_user_connections" value="<?= tohtml($v_max_user_connections) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_wait_timeout" class="form-label">wait_timeout</label>
-					<input type="text" class="form-control" data-regexp="wait_timeout" data-prev-value="<?= htmlentities($v_wait_timeout) ?>" name="v_wait_timeout" id="v_wait_timeout" value="<?= htmlentities($v_wait_timeout) ?>">
+					<input type="text" class="form-control" data-regexp="wait_timeout" data-prev-value="<?= tohtml($v_wait_timeout) ?>" name="v_wait_timeout" id="v_wait_timeout" value="<?= tohtml($v_wait_timeout) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_interactive_timeout" class="form-label">interactive_timeout</label>
-					<input type="text" class="form-control" data-regexp="interactive_timeout" data-prev-value="<?= htmlentities($v_interactive_timeout) ?>" name="v_interactive_timeout" id="v_interactive_timeout" value="<?= htmlentities($v_interactive_timeout) ?>">
+					<input type="text" class="form-control" data-regexp="interactive_timeout" data-prev-value="<?= tohtml($v_interactive_timeout) ?>" name="v_interactive_timeout" id="v_interactive_timeout" value="<?= tohtml($v_interactive_timeout) ?>">
 				</div>
 				<div class="u-mb20">
 					<label for="v_display_errors" class="form-label">max_allowed_packet</label>
-					<input type="text" class="form-control" data-regexp="max_allowed_packet" data-prev-value="<?= htmlentities($v_max_allowed_packet) ?>" name="v_display_errors" id="v_display_errors" value="<?= htmlentities($v_max_allowed_packet) ?>">
+					<input type="text" class="form-control" data-regexp="max_allowed_packet" data-prev-value="<?= tohtml($v_max_allowed_packet) ?>" name="v_display_errors" id="v_display_errors" value="<?= tohtml($v_max_allowed_packet) ?>">
 				</div>
 				<div class="u-mb20">
 					<button type="button" class="button button-secondary js-toggle-options">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 				</div>
 			</div>
 			<div class="js-advanced-options <?php if (empty($v_adv)) echo 'u-hidden'; ?>">
 				<div class="u-mb20">
 					<button type="button" class="button button-secondary js-toggle-options">
-						<?= _("Basic Options") ?>
+						<?= tohtml( _("Basic Options")) ?>
 					</button>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-					<textarea class="form-control u-min-height600 u-allow-resize u-console js-advanced-textarea" name="v_config" id="v_config"><?= $v_config ?></textarea>
+					<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+					<textarea class="form-control u-min-height600 u-allow-resize u-console js-advanced-textarea" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 				</div>
 				<div class="form-check">
 					<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 					<label for="v_restart">
-						<?= _("Restart") ?>
+						<?= tohtml( _("Restart")) ?>
 					</label>
 				</div>
 			</div>
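Review bot: the `max_allowed_packet` input (and its label's `for`) still carries `name="v_display_errors" id="v_display_errors"`, which collides with the `display_errors` field name used in the PHP settings form and does not match the `data-regexp="max_allowed_packet"` on the same line; since the line is being rewritten anyway, rename it to `v_max_allowed_packet` and check that the POST handler for this page reads the same key, otherwise the value is either lost or written to the wrong setting.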

+ 9 - 9
web/templates/pages/edit_server_pgsql.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,24 +18,24 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_options" class="form-label"><?= $v_options_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_options" id="v_options"><?= $v_options ?></textarea>
+				<label for="v_options" class="form-label"><?= tohtml($v_options_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_options" id="v_options"><?= tohtml($v_options) ?></textarea>
 			</div>
 			<div class="u-mb20">
-				<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= $v_config ?></textarea>
+				<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 			</div>
 			<div class="form-check">
 				<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 				<label for="v_restart">
-					<?= _("Restart") ?>
+					<?= tohtml( _("Restart")) ?>
 				</label>
 			</div>
 		</div>

+ 16 - 16
web/templates/pages/edit_server_php.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -18,61 +18,61 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: PHP</h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: PHP</h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="js-basic-options">
 				<div class="u-mb10">
 					<label for="v_max_execution_time" class="form-label">max_execution_time</label>
-					<input type="text" class="form-control" data-regexp="max_execution_time" data-prev-value="<?= htmlentities($v_max_execution_time) ?>" name="v_max_execution_time" id="v_max_execution_time" value="<?= htmlentities($v_max_execution_time) ?>">
+					<input type="text" class="form-control" data-regexp="max_execution_time" data-prev-value="<?= tohtml($v_max_execution_time) ?>" name="v_max_execution_time" id="v_max_execution_time" value="<?= tohtml($v_max_execution_time) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_worker_connections" class="form-label">max_input_time</label>
-					<input type="text" class="form-control" data-regexp="max_input_time" data-prev-value="<?= htmlentities($v_max_input_time) ?>" name="v_worker_connections" id="v_worker_connections" value="<?= htmlentities($v_max_input_time) ?>">
+					<input type="text" class="form-control" data-regexp="max_input_time" data-prev-value="<?= tohtml($v_max_input_time) ?>" name="v_worker_connections" id="v_worker_connections" value="<?= tohtml($v_max_input_time) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_memory_limit" class="form-label">memory_limit</label>
-					<input type="text" class="form-control" data-regexp="memory_limit" data-prev-value="<?= htmlentities($v_memory_limit) ?>" name="v_memory_limit" id="v_memory_limit" value="<?= htmlentities($v_memory_limit) ?>">
+					<input type="text" class="form-control" data-regexp="memory_limit" data-prev-value="<?= tohtml($v_memory_limit) ?>" name="v_memory_limit" id="v_memory_limit" value="<?= tohtml($v_memory_limit) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_error_reporting" class="form-label">error_reporting</label>
-					<input type="text" class="form-control" data-regexp="error_reporting" data-prev-value="<?= htmlentities($v_error_reporting) ?>" name="v_error_reporting" id="v_error_reporting" value="<?= htmlentities($v_error_reporting) ?>">
+					<input type="text" class="form-control" data-regexp="error_reporting" data-prev-value="<?= tohtml($v_error_reporting) ?>" name="v_error_reporting" id="v_error_reporting" value="<?= tohtml($v_error_reporting) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_display_errors" class="form-label">display_errors</label>
-					<input type="text" class="form-control" data-regexp="display_errors" data-prev-value="<?= htmlentities($v_display_errors) ?>" name="v_display_errors" id="v_display_errors" value="<?= htmlentities($v_display_errors) ?>">
+					<input type="text" class="form-control" data-regexp="display_errors" data-prev-value="<?= tohtml($v_display_errors) ?>" name="v_display_errors" id="v_display_errors" value="<?= tohtml($v_display_errors) ?>">
 				</div>
 				<div class="u-mb10">
 					<label for="v_post_max_size" class="form-label">post_max_size</label>
-					<input type="text" class="form-control" data-regexp="post_max_size" data-prev-value="<?= htmlentities($v_post_max_size) ?>" name="v_post_max_size" id="v_post_max_size" value="<?= htmlentities($v_post_max_size) ?>">
+					<input type="text" class="form-control" data-regexp="post_max_size" data-prev-value="<?= tohtml($v_post_max_size) ?>" name="v_post_max_size" id="v_post_max_size" value="<?= tohtml($v_post_max_size) ?>">
 				</div>
 				<div class="u-mb20">
 					<label for="v_upload_max_filesize" class="form-label">upload_max_filesize</label>
-					<input type="text" class="form-control" data-regexp="upload_max_filesize" data-prev-value="<?= htmlentities($v_upload_max_filesize) ?>" name="v_upload_max_filesize" id="v_upload_max_filesize" value="<?= htmlentities($v_upload_max_filesize) ?>">
+					<input type="text" class="form-control" data-regexp="upload_max_filesize" data-prev-value="<?= tohtml($v_upload_max_filesize) ?>" name="v_upload_max_filesize" id="v_upload_max_filesize" value="<?= tohtml($v_upload_max_filesize) ?>">
 				</div>
 				<div class="u-mb20">
 					<button type="button" class="button button-secondary js-toggle-options">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 				</div>
 			</div>
 			<div class="js-advanced-options <?php if (empty($v_adv)) echo 'u-hidden'; ?>">
 				<div class="u-mb20">
 					<button type="button" class="button button-secondary js-toggle-options">
-						<?= _("Basic Options") ?>
+						<?= tohtml( _("Basic Options")) ?>
 					</button>
 				</div>
 				<div class="u-mb20">
-					<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-					<textarea class="form-control u-min-height600 u-allow-resize u-console js-advanced-textarea" name="v_config" id="v_config"><?= $v_config ?></textarea>
+					<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+					<textarea class="form-control u-min-height600 u-allow-resize u-console js-advanced-textarea" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 				</div>
 				<div class="form-check">
 					<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 					<label for="v_restart">
-						<?= _("Restart") ?>
+						<?= tohtml( _("Restart")) ?>
 					</label>
 				</div>
 			</div>
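Review bot: the `max_input_time` input is named `v_worker_connections` (label `for`, `name` and `id`) while its `data-regexp` is `max_input_time`; the mismatch predates this patch, but as the line is touched here it should become `v_max_input_time`, with the corresponding key in the form handler updated in the same commit so the two cannot drift apart again.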

+ 8 - 8
web/templates/pages/edit_server_service.php

@@ -5,19 +5,19 @@
 			<?php if($v_config_path == "/var/spool/cron/crontabs/hestiaweb"){
 				?>
 				<a class="button button-secondary button-back js-button-back" href="/edit/server/">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php
 			}else{
 				?>
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
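Review bot: both branches of the `if ($v_config_path == "/var/spool/cron/crontabs/hestiaweb")` block emit an identical anchor that differs only in `href`, so the escaped `tohtml(_("Back"))` label is now duplicated; compute the href once (`$back = ... ? "/edit/server/" : "/list/server/"`) and render a single `<a ... href="<?= tohtml($back) ?>">`, which also removes the oddly broken `?>` / `}else{` lines from the template.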
@@ -27,20 +27,20 @@
 <div class="container">
 
 	<form id="main-form" name="v_configure_server" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Configure Server") ?>: <?= $v_service_name ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Configure Server")) ?>: <?= tohtml($v_service_name) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb20">
-				<label for="v_config" class="form-label"><?= $v_config_path ?></label>
-				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= $v_config ?></textarea>
+				<label for="v_config" class="form-label"><?= tohtml($v_config_path) ?></label>
+				<textarea class="form-control u-min-height300 u-allow-resize u-console" name="v_config" id="v_config"><?= tohtml($v_config) ?></textarea>
 			</div>
 			<div class="form-check">
 				<input class="form-check-input" type="checkbox" name="v_restart" id="v_restart" checked>
 				<label for="v_restart">
-					<?= _("Restart") ?>
+					<?= tohtml( _("Restart")) ?>
 				</label>
 			</div>
 		</div>

+ 24 - 24
web/templates/pages/edit_whitelabel.php

@@ -3,12 +3,12 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a href="/edit/server/" class="button button-secondary" id="btn-back">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -19,18 +19,18 @@
 <div class="container">
 	<form
 		x-data="{
-			hide_docs: '<?= $v_hide_docs ?? "no" ?>',
+			hide_docs: '<?= tohtml($v_hide_docs ?? "no") ?>',
 		}"
 		id="main-form"
 		name="v_configure_server"
 		method="post"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
 			<h1 class="u-mb20">
-				<?= _("White Label Options") ?>
+				<?= tohtml( _("White Label Options")) ?>
 			</h1>
 			<?php show_alert_message($_SESSION); ?>
 
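Review bot: `hide_docs: '<?= tohtml($v_hide_docs ?? "no") ?>'` is a JavaScript string literal inside an Alpine `x-data` attribute, and HTML escaping is the wrong layer for it: the browser decodes `&#039;` back to `'` before Alpine evaluates the expression, so a value containing a quote would still escape the JS string. Use the same JSON approach this change adopted for the certificate toggle labels in `edit_web.php`, i.e. `hide_docs: <?= tohtml(json_encode($v_hide_docs ?? "no")) ?>` with the surrounding single quotes dropped, so the value is quoted for JS first and HTML-escaped second.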
@@ -38,76 +38,76 @@
 			<details class="box-collapse u-mb10">
 				<summary class="box-collapse-header">
 					<i class="fas fa-gear u-mr15"></i>
-					<?= _("General") ?>
+					<?= tohtml( _("General")) ?>
 				</summary>
 				<div class="box-collapse-content">
 					<div class="u-mb10">
 						<label for="v_app_name" class="form-label">
-							<?= _("Application Name") ?>
+							<?= tohtml( _("Application Name")) ?>
 						</label>
 						<input
 							type="text"
 							class="form-control"
 							name="v_app_name"
 							id="v_app_name"
-							value="<?= htmlentities(trim($v_app_name, "'")) ?>"
+							value="<?= tohtml(trim($v_app_name, "'")) ?>"
 						>
 					</div>
 					<div class="u-mb10">
 						<label for="v_title" class="form-label">
-							<?= _("Title") ?><span class="optional">(<?= _("Supported variables") ?>: {{appname}}, {{hostname}}, {{ip}} and {{page}} )</span>
+							<?= tohtml( _("Title")) ?><span class="optional">(<?= tohtml( _("Supported variables")) ?>: {{appname}}, {{hostname}}, {{ip}} and {{page}} )</span>
 						</label>
 						<input
 							type="text"
 							class="form-control"
 							name="v_title"
 							id="v_title"
-							value="<?= htmlentities(trim($v_title, "'")) ?>"
+							value="<?= tohtml(trim($v_title, "'")) ?>"
 						>
 					</div>
 					<div class="u-mb10">
 						<label for="v_from_name" class="form-label">
-							<?= _("Sender Name") ?><span class="optional">(<?= _("Default") ?>: <?= htmlentities(trim($v_app_name, "'")) ?>)</span>
+							<?= tohtml( _("Sender Name")) ?><span class="optional">(<?= tohtml( _("Default")) ?>: <?= tohtml(trim($v_app_name, "'")) ?>)</span>
 						</label>
 						<input
 							type="text"
 							class="form-control"
 							name="v_from_name"
 							id="v_from_name"
-							value="<?= htmlentities(trim($v_from_name, "'")) ?>"
+							value="<?= tohtml(trim($v_from_name, "'")) ?>"
 						>
 					</div>
 					<div class="u-mb10">
 						<label for="v_from_email" class="form-label">
-							<?= _("Sender Email Address") ?><span class="optional">(<?= _("Default") ?>: <?= sprintf("noreply@%s", htmlentities(trim(get_hostname(), "'"))) ?>)</span>
+							<?= tohtml( _("Sender Email Address")) ?><span class="optional">(<?= tohtml( _("Default")) ?>: <?= tohtml(sprintf("noreply@%s", trim(get_hostname(), "'"))) ?>)</span>
 						</label>
 						<input
 							type="email"
 							class="form-control"
 							name="v_from_email"
 							id="v_from_email"
-							value="<?= htmlentities(trim($v_from_email, "'")) ?>"
+							value="<?= tohtml(trim($v_from_email, "'")) ?>"
 						>
 					</div>
 					<div class="u-mb10">
 						<label for="v_subject_email" class="form-label">
-							<?= _("Email Subject") ?><span class="optional">(<?= _("Supported variables") ?>: {{appname}}, {{hostname}}, {{subject}} )</span>
+							<?= tohtml( _("Email Subject")) ?><span class="optional">(<?= tohtml( _("Supported variables")) ?>: {{appname}}, {{hostname}}, {{subject}} )</span>
 						</label>
 						<input
 							type="text"
 							class="form-control"
 							name="v_subject_email"
 							id="v_subject_email"
-							value="<?= htmlentities(trim($v_subject_email, "'")) ?>"
+							value="<?= tohtml(trim($v_subject_email, "'")) ?>"
 						>
 					</div>
 					<div class="u-mb10">
 						<label for="v_hide_docs" class="form-label">
-							<?= _("Hide link to Documentation") ?>
+							<?= tohtml( _("Hide link to Documentation")) ?>
 						</label>
 						<select x-model="hide_docs" class="form-select" name="v_hide_docs" id="v_hide_docs">
-							<option value="yes"><?= _("Yes") ?></option>
-							<option value="no"><?= _("No") ?></option>
+							<option value="yes"><?= tohtml( _("Yes")) ?></option>
+							<option value="no"><?= tohtml( _("No")) ?></option>
 						</select>
 					</div>
 				</div>
@@ -116,16 +116,16 @@
 			<details class="box-collapse u-mb10">
 				<summary class="box-collapse-header">
 					<i class="fas fa-gear u-mr15"></i>
-					<?= _("Custom Logo") ?>
+					<?= tohtml( _("Custom Logo")) ?>
 				</summary>
 				<div class="box-collapse-content">
 					<div class="u-mb10">
 						<label for="v_custom_logo" class="form-label">
-							<?= _("Custom Logo") ?>
+							<?= tohtml( _("Custom Logo")) ?>
 						</label>
 					</div>
 					<div class="u-mb10">
-						<p class="u-mb10"><?= sprintf(_("Upload the files to %s"), "/usr/local/hestia/web/images/custom/") ?></p>
+						<p class="u-mb10"><?= tohtml(sprintf(_("Upload the files to %s"), "/usr/local/hestia/web/images/custom/")) ?></p>
 						<ul>
 							<li><code>logo.svg</code> <small>(100px x 120px)</small></li>
 							<li><code>logo.png</code> <small>(100px x 120px)</small></li>
@@ -137,13 +137,13 @@
 					<div class="u-mb10">
 						<input type="checkbox" id="v_update_logo" name="v_update_logo" value="yes">
 						<label for="v_update_logo" class="form-label">
-							<?= _("Update logo") ?>
+							<?= tohtml( _("Update logo")) ?>
 						</label>
 					</div>
 					<div class="u-mb10">
 						<input type="checkbox" id="v_reset_logo" name="v_reset_logo" value="yes">
 						<label for="v_reset_logo" class="form-label">
-							<?= _("Reset Logo") ?>
+							<?= tohtml( _("Reset Logo")) ?>
 						</label>
 					</div>
 			</details>

+ 18 - 18
web/templates/pages/generate_ssl.php

@@ -1,55 +1,55 @@
 <div class="container">
 
 	<form id="main-form" name="v_generate_csr" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="generate" value="generate">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Generate Self-Signed SSL Certificate") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Generate Self-Signed SSL Certificate")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_domain" class="form-label"><?= _("Domain") ?></label>
-				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= htmlentities(trim($v_domain, "'")) ?>">
+				<label for="v_domain" class="form-label"><?= tohtml( _("Domain")) ?></label>
+				<input type="text" class="form-control" name="v_domain" id="v_domain" value="<?= tohtml(trim($v_domain, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_aliases" class="form-label"><?= _("Aliases") ?></label>
-				<textarea class="form-control" name="v_aliases" id="v_aliases"><?= htmlentities(trim($v_aliases, "'")) ?></textarea>
+				<label for="v_aliases" class="form-label"><?= tohtml( _("Aliases")) ?></label>
+				<textarea class="form-control" name="v_aliases" id="v_aliases"><?= tohtml(trim($v_aliases, "'")) ?></textarea>
 			</div>
 			<div class="u-mb10">
 				<label for="v_email" class="form-label">
-					<?= _("Email") ?>
+					<?= tohtml( _("Email")) ?>
 					<span class="optional">(<?php print _("Optional"); ?>)</span>
 				</label>
-				<input type="email" class="form-control" name="v_email" id="v_email" value="<?= htmlentities(trim($v_email, "'")) ?>">
+				<input type="email" class="form-control" name="v_email" id="v_email" value="<?= tohtml(trim($v_email, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_country" class="form-label">
-					<?= _("Country") ?>
-					<span class="optional">(<?= _("ISO 3166-1 alpha-2 two-letter code") ?>)</span>
+					<?= tohtml( _("Country")) ?>
+					<span class="optional">(<?= tohtml( _("ISO 3166-1 alpha-2 two-letter code")) ?>)</span>
 				</label>
-				<input type="text" class="form-control" name="v_country" id="v_country" value="<?= htmlentities(trim($v_country, "'")) ?>">
+				<input type="text" class="form-control" name="v_country" id="v_country" value="<?= tohtml(trim($v_country, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_state" class="form-label">
-					<?= _("State / Province") ?>
+					<?= tohtml( _("State / Province")) ?>
 				</label>
-				<input type="text" class="form-control" name="v_state" id="v_state" value="<?= htmlentities(trim($v_state, "'")) ?>">
+				<input type="text" class="form-control" name="v_state" id="v_state" value="<?= tohtml(trim($v_state, "'")) ?>">
 			</div>
 			<div class="u-mb10">
 				<label for="v_locality" class="form-label">
-					<?= _("City / Locality") ?>
+					<?= tohtml( _("City / Locality")) ?>
 				</label>
-				<input type="text" class="form-control" name="v_locality" id="v_locality" value="<?= htmlentities(trim($v_locality, "'")) ?>">
+				<input type="text" class="form-control" name="v_locality" id="v_locality" value="<?= tohtml(trim($v_locality, "'")) ?>">
 			</div>
 			<div class="u-mb20">
 				<label for="v_org" class="form-label">
-					<?= _("Organization") ?>
+					<?= tohtml( _("Organization")) ?>
 				</label>
-				<input type="text" class="form-control" name="v_org" id="v_org" value="<?= htmlentities(trim($v_org, "'")) ?>">
+				<input type="text" class="form-control" name="v_org" id="v_org" value="<?= tohtml(trim($v_org, "'")) ?>">
 			</div>
 			<div>
 				<button type="submit" class="button" name="generate">
-					<?= _("Generate") ?>
+					<?= tohtml( _("Generate")) ?>
 				</button>
 			</div>
 		</div>
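Review bot: one translated string in this hunk is still emitted raw: `<span class="optional">(<?php print _("Optional"); ?>)</span>` in the Email label block keeps the old `print _()` form while every sibling label in the file was moved to `tohtml( _(...))`. For consistency with the rest of this commit, which treats translation output as untrusted everywhere else, change it to `<?= tohtml( _("Optional")) ?>`.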

+ 11 - 11
web/templates/pages/list_access_key.php

@@ -13,7 +13,7 @@ if (!empty($_POST["ok"])) { ?>
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/access-key/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</div>
@@ -24,34 +24,34 @@ if (!empty($_POST["ok"])) { ?>
 	<form id="main-form">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Access Key") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Access Key")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<?php if (!empty($key_data["ACCESS_KEY_ID"])) { ?>
 				<div class="u-mt15 u-mb10">
-					<label for="access_key_id" class="form-label"><?= _("Access Key ID") ?></label>
-					<input type="text" class="form-control" id="access_key_id" maxlength="255" readonly value="<?= htmlentities(trim($key_data["ACCESS_KEY_ID"], "'")) ?>">
+					<label for="access_key_id" class="form-label"><?= tohtml( _("Access Key ID")) ?></label>
+					<input type="text" class="form-control" id="access_key_id" maxlength="255" readonly value="<?= tohtml(trim($key_data["ACCESS_KEY_ID"], "'")) ?>">
 				</div>
 			<?php } ?>
 			<?php if (!empty($_SESSION["ok_msg"])) { ?>
 				<?php if (!empty($key_data["ACCESS_KEY_ID"]) && !empty($key_data["SECRET_ACCESS_KEY"])) { ?>
 					<div class="u-mb20">
 						<label for="secret_key" class="form-label">
-							<?= _("Secret Key") ?><br>
-							<span class="inline-alert inline-alert-warning u-mb20"><?= _("Warning! Last chance to save secret key!") ?></span>
+							<?= tohtml( _("Secret Key")) ?><br>
+							<span class="inline-alert inline-alert-warning u-mb20"><?= tohtml( _("Warning! Last chance to save secret key!")) ?></span>
 						</label>
-						<input type="text" class="form-control" id="secret_key" maxlength="255" readonly value="<?= htmlentities(trim($key_data["SECRET_ACCESS_KEY"], "'")) ?>">
+						<input type="text" class="form-control" id="secret_key" maxlength="255" readonly value="<?= tohtml(trim($key_data["SECRET_ACCESS_KEY"], "'")) ?>">
 					</div>
 				<?php } ?>
 			<?php } ?>
-			<p class="u-mb10"><?= _("Permissions") ?></p>
+			<p class="u-mb10"><?= tohtml( _("Permissions")) ?></p>
 			<ul class="u-list-bulleted u-mb10">
 				<?php foreach ($key_data["PERMISSIONS"] as $api_name) { ?>
-					<li><?= _($api_name) ?></li>
+					<li><?= tohtml( _($api_name)) ?></li>
 				<?php } ?>
 			</ul>
 			<div class="u-mb10">
-				<label for="service" class="form-label"><?= _("Comment") ?></label>
-				<input type="text" class="form-control" id="service" maxlength="255" readonly value="<?= htmlentities(trim($key_data["COMMENT"], "'")) ?>">
+				<label for="service" class="form-label"><?= tohtml( _("Comment")) ?></label>
+				<input type="text" class="form-control" id="service" maxlength="255" readonly value="<?= tohtml(trim($key_data["COMMENT"], "'")) ?>">
 			</div>
 		</div>
 

+ 40 - 40
web/templates/pages/list_access_keys.php

@@ -3,44 +3,44 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION['look'] !== '' && $_GET["user"] !== "admin") { ?>
-				<a href="/edit/user/?user=<?= htmlentities($_SESSION["look"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a href="/edit/user/?<?= tohtml(http_build_query(["user" => $_SESSION["look"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } else { ?>
-				<a href="/edit/user/?user=<?= htmlentities($_SESSION["user"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a href="/edit/user/?<?= tohtml(http_build_query(["user" => $_SESSION["user"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } ?>
 			<a href="/add/access-key/" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Add Access Key") ?>
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Access Key")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
-						<?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-key">
-						<span class="name"><?= _("Access Key") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Access Key")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-comment">
-						<span class="name"><?= _("Comment") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Comment")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<form x-data x-bind="BulkEdit" action="/bulk/access-key/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="delete"><?= _("Delete") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="delete"><?= tohtml( _("Delete")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
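Review bot: the unchanged guard at the top of the hunk, `$_SESSION["userContext"] === "admin" && $_SESSION['look'] !== '' && $_GET["user"] !== "admin"`, reads `$_GET["user"]` without checking that it exists, so opening the list without a `user` parameter emits an undefined-index warning. Not introduced here, but since the surrounding lines are being rewritten, `($_GET["user"] ?? "") !== "admin"` would close it. The `tohtml(http_build_query([...]))` replacements are the right shape: http_build_query() percent-encodes the values and tohtml() turns the `&` separator into `&amp;`, which is exactly what an href attribute needs, with no double encoding.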
@@ -52,18 +52,18 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Access Keys") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Access Keys")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("Access Key") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Access Key")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Comment") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Time") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Comment")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Time")) ?></div>
 		</div>
 
 		<?php
@@ -77,19 +77,19 @@
 				$key_time = !empty($value['TIME']) ? $value['TIME'] : '-';
 			?>
 			<div class="units-table-row js-unit"
-				data-sort-key="<?= strtolower($key) ?>"
-				data-sort-comment="<?= strtolower($key_comment) ?>"
-				data-sort-date="<?= strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"]) ?>">
+				data-sort-key="<?= tohtml(strtolower($key)) ?>"
+				data-sort-comment="<?= tohtml(strtolower($key_comment)) ?>"
+				data-sort-date="<?= tohtml(strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"])) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="key[]" value="<?= $key ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="key[]" value="<?= tohtml($key) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Access Key") ?>:</span>
-					<a href="/list/access-key/?key=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Access Key") ?>: <?= $key ?>">
-						<?= $key ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Access Key")) ?>:</span>
+					<a href="/list/access-key/?<?= tohtml(http_build_query(["key" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Access Key")) ?>: <?= tohtml($key) ?>">
+						<?= tohtml($key) ?>
 					</a>
 				</div>
 				<div class="units-table-cell">
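Review bot: `data-sort-date="<?= tohtml(strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"])) ?>"` passes the raw return value of strtotime(), which is an int on success and `false` when DATE/TIME do not parse. If tohtml() is declared with a string (or ?string) parameter that relies on PHP's scalar coercion and would throw a TypeError under strict_types; a `false` also renders as an empty attribute and breaks the integer sort that `data-sort-as-int="1"` on the sort-date menu entry expects. Cast explicitly, e.g. `tohtml((string) (strtotime(...) ?: 0))`, so the attribute is always a number.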
@@ -97,28 +97,28 @@
 						<li class="units-table-row-action shortcut-delete" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/delete/access-key/?key=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Delete") ?>"
-								data-confirm-title="<?= _("Delete") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to delete access key %s?"), $key) ?>"
+								href="/delete/access-key/?<?= tohtml(http_build_query(["key" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete access key %s?"), $key)) ?>"
 							>
 								<i class="fas fa-trash icon-red"></i>
-								<span class="u-hide-desktop"><?= _("Delete") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Comment") ?>:</span>
-					<?= _($key_comment) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Comment")) ?>:</span>
+					<?= tohtml( _($key_comment)) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Date") ?>:</span>
-					<time datetime="<?= $key_date ?>"><?= $key_date ?></time>
+					<span class="u-hide-desktop"><?= tohtml( _("Date")) ?>:</span>
+					<time datetime="<?= tohtml($key_date) ?>"><?= tohtml($key_date) ?></time>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Time") ?>:</span>
-					<?= $key_time ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Time")) ?>:</span>
+					<?= tohtml($key_time) ?>
 				</div>
 			</div>
 		<?php } ?>
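Review bot: `<?= tohtml( _($key_comment)) ?>` runs a user-supplied comment through gettext before escaping. The order (translate, then escape) is correct, but translating free-text data buys nothing and has one edge case: gettext returns the catalog header (the empty-msgid metadata block) when handed an empty string, so this depends on `$key_comment` never being empty, i.e. on the same `'-'` fallback pattern used for `$key_time` above always applying. Plain `tohtml($key_comment)` is simpler and avoids the lookup.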

+ 43 - 43
web/templates/pages/list_backup.php

@@ -3,31 +3,31 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
-				<a href="/schedule/backup/?token=<?= $_SESSION["token"] ?>" class="button button-secondary"><i class="fas fa-circle-plus icon-green"></i><?= _("Create Backup") ?></a>
-				<a href="/list/backup/exclusions/" class="button button-secondary"><i class="fas fa-folder-minus icon-orange"></i><?= _("Backup Exclusions") ?></a>
+				<a href="/schedule/backup/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>" class="button button-secondary"><i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Create Backup")) ?></a>
+				<a href="/list/backup/exclusions/" class="button button-secondary"><i class="fas fa-folder-minus icon-orange"></i><?= tohtml( _("Backup Exclusions")) ?></a>
 			<?php } ?>
 			<?php if ($panel[$user_plain]['BACKUPS_INCREMENTAL'] === 'yes') { ?>
-				<a href="/list/backup/incremental/" class="button button-secondary"><i class="fas fa-vault icon-blue"></i><?= _("Incremental Backups") ?></a>
+				<a href="/list/backup/incremental/" class="button button-secondary"><i class="fas fa-vault icon-blue"></i><?= tohtml( _("Incremental Backups")) ?></a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<?php if ($read_only !== "true") { ?>
 				<form x-data x-bind="BulkEdit" action="/bulk/backup/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="delete"><?= _("Delete") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="delete"><?= tohtml( _("Delete")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
 			<?php } ?>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
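Review bot: the search form is declared `method="get"` but its prefill reads `$_POST['q']`: `value="<?= tohtml($_POST['q'] ?? '') ?>"`. A GET submission never populates $_POST, so the box is always empty on return; either the form should post or the prefill should read `$_GET['q'] ?? ''`. Replacing the short `<? echo ... ?>` tag with `<?=` is a good catch in its own right, since `<?` depends on short_open_tag while `<?=` is always enabled, and `?? ''` plus a null-tolerant tohtml() drops the isset() dance cleanly.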
@@ -39,19 +39,19 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Backups") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Backups")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("File Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("File Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Size") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Runtime") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Size")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Runtime")) ?></div>
 		</div>
 
 		<!-- Begin user backup list item loop -->
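Review bot: `$display_mode` is not data but an attribute fragment spliced into the tag: `<input type="checkbox" class="js-toggle-all-checkbox" title="..." <?= tohtml($display_mode) ?>>`. HTML-escaping it is the wrong tool for that context. It is harmless while the value is a bare word such as `disabled`, but the moment it carries quotes (`disabled="disabled"`) tohtml() encodes them and the attribute silently stops applying. Constrain the variable to a fixed set where it is assigned (emit `disabled` or nothing) and drop the escape, or derive it inline from the read-only flag the file already checks, e.g. `<?= $read_only === "true" ? "disabled" : "" ?>`. The same pattern is repeated on the per-row checkbox in the next hunk.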
@@ -75,17 +75,17 @@
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="backup[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="backup[]" value="<?= tohtml($key) ?>" <?= tohtml($display_mode) ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("File Name") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("File Name")) ?>:</span>
 					<?php if ($read_only === "true") { ?>
-						<?= $key ?>
+						<?= tohtml($key) ?>
 					<?php } else { ?>
-						<a href="/list/backup/?backup=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
-							<?= $key ?>
+						<a href="/list/backup/?<?= tohtml(http_build_query(["backup" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Restore")) ?>">
+							<?= tohtml($key) ?>
 						</a>
 					<?php } ?>
 				</div>
@@ -95,34 +95,34 @@
 							<li class="units-table-row-action shortcut-d" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="/download/backup/?backup=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Download") ?>"
+									href="/download/backup/?<?= tohtml(http_build_query(["backup" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Download")) ?>"
 								>
 									<i class="fas fa-file-arrow-down icon-lightblue"></i>
-									<span class="u-hide-desktop"><?= _("Download") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Download")) ?></span>
 								</a>
 							</li>
 							<?php if ($read_only !== "true") { ?>
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link data-controls"
-										href="/list/backup/?backup=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Restore") ?>"
+										href="/list/backup/?<?= tohtml(http_build_query(["backup" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Restore")) ?>"
 									>
 										<i class="fas fa-arrow-rotate-left icon-green"></i>
-										<span class="u-hide-desktop"><?= _("Restore") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Restore")) ?></span>
 									</a>
 								</li>
 								<li class="units-table-row-action shortcut-delete" data-key-action="js">
 									<a
 										class="units-table-row-action-link data-controls js-confirm-action"
-										href="/delete/backup/?backup=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Delete") ?>"
-										data-confirm-title="<?= _("Delete") ?>"
-										data-confirm-message="<?= sprintf(_("Are you sure you want to delete backup %s?"), $key) ?>"
+										href="/delete/backup/?<?= tohtml(http_build_query(["backup" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Delete")) ?>"
+										data-confirm-title="<?= tohtml( _("Delete")) ?>"
+										data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete backup %s?"), $key)) ?>"
 									>
 										<i class="fas fa-trash icon-red"></i>
-										<span class="u-hide-desktop"><?= _("Delete") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
@@ -130,27 +130,27 @@
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Date") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Date")) ?>:</span>
 					<span class="u-text-bold">
-						<?= translate_date($data[$key]["DATE"]) ?>
+						<?= tohtml(translate_date($data[$key]["DATE"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Size") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Size")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["SIZE"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["SIZE"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["SIZE"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["SIZE"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-					<?= $data[$key]["TYPE"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+					<?= tohtml($data[$key]["TYPE"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Runtime") ?>:</span>
-					<?= humanize_time($data[$key]["RUNTIME"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Runtime")) ?>:</span>
+					<?= tohtml(humanize_time($data[$key]["RUNTIME"])) ?>
 				</div>
 			</div>
 		<?php } ?>

+ 55 - 55
web/templates/pages/list_backup_detail_incremental.php

@@ -2,30 +2,30 @@
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
-			<a class="button button-secondary button-back js-button-back" href="/list/backup/incremental/"><i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?></a>
+			<a class="button button-secondary button-back js-button-back" href="/list/backup/incremental/"><i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?></a>
 			<?php if ($read_only !== "true") { ?>
-			<a href="/schedule/restore/incremental/?token=<?= $_SESSION["token"] ?>&snapshot=<?= htmlentities($_GET["snapshot"]) ?>" class="button button-secondary"><i class="fas fa-arrow-rotate-left icon-green"></i><?= _("Restore All") ?></a>
+			<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(array("token" => $_SESSION["token"], "snapshot" => $_GET["snapshot"]))) ?>" class="button button-secondary"><i class="fas fa-arrow-rotate-left icon-green"></i><?= tohtml( _("Restore All")) ?></a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<?php if ($read_only !== "true") { ?>
 				<form x-data x-bind="BulkEdit" action="/bulk/restore/incremental/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="hidden" name="snapshot" value="<?= htmlentities($_GET["snapshot"]) ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="hidden" name="snapshot" value="<?= tohtml($_GET["snapshot"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="restore"><?= _("Restore Snapshot") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="restore"><?= tohtml( _("Restore Snapshot")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
 			<?php } ?>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
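Review bot: `http_build_query(array("token" => $_SESSION["token"], "snapshot" => $_GET["snapshot"]))` uses the long `array()` syntax where the rest of this commit (list_access_keys.php, list_backup.php) uses `[...]`; pick one for the new code. Two smaller things in the same hunk: `$_GET["snapshot"]` is read without `??`, so both the Restore All link and the hidden field depend on it being present, and http_build_query() silently drops null values, which yields a restore URL without a snapshot rather than failing loudly; and the search form here has the same `method="get"` / `$_POST['q']` mismatch as list_backup.php.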
@@ -37,16 +37,16 @@
 
 <div class="container">
 
-<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Backup Details") ?></h1>
+<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Backup Details")) ?></h1>
 
 <div class="units-table js-units-container">
 	<div class="units-table-header">
 		<div class="units-table-cell">
-			<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+			<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 		</div>
-		<div class="units-table-cell"><?= _("Type") ?></div>
-		<div class="units-table-cell"><?= _("Details") ?></div>
-		<div class="units-table-cell"><?= _("Restore") ?></div>
+		<div class="units-table-cell"><?= tohtml( _("Type")) ?></div>
+		<div class="units-table-cell"><?= tohtml( _("Details")) ?></div>
+		<div class="units-table-cell"><?= tohtml( _("Restore")) ?></div>
 	</div>
 	<?php
 		$web = explode(',',$data['snapshot']['WEB']);
@@ -57,24 +57,24 @@
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
 				<div class="clearfix l-unit__stat-col--left super-compact">
-					<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" name="web[]" value="<?= $key ?>">
-					<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+					<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="web[]" value="<?= tohtml($key) ?>">
+					<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 				</div>
 			</div>
 			<div class="units-table-cell units-table-heading-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-				<?= _("Web Domain") ?>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+				<?= tohtml( _("Web Domain")) ?>
 			</div>
 			<div class="units-table-cell u-text-bold">
-				<span class="u-hide-desktop"><?= _("Details") ?>:</span>
-				<?= $key ?>
+				<span class="u-hide-desktop"><?= tohtml( _("Details")) ?>:</span>
+					<?= tohtml($key) ?>
 			</div>
 			<div class="units-table-cell">
 				<ul class="units-table-row-actions">
 					<li class="units-table-row-action shortcut-enter" data-key-action="href">
-						<a href="/schedule/restore/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&type=web&object=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
+						<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(array("snapshot" => $_GET["snapshot"], "type" => "web", "object" => $key, "token" => $_SESSION["token"]))) ?>" title="<?= tohtml( _("Restore")) ?>">
 						<i class="fas fa-arrow-rotate-left icon-green"></i>
-						<span class="u-hide-desktop"><?= _("Restore") ?></span>
+						<span class="u-hide-desktop"><?= tohtml( _("Restore")) ?></span>
 						</a>
 					</li>
 				</ul>
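Review bot: indentation regression on `<?= tohtml($key) ?>` under the Details cell: the replaced line gains an extra tab and no longer lines up with the `<span>` above it; keep the original indentation so the diff stays an escaping-only change. The `tohtml(http_build_query(...))` wrapping of the restore href is the right order of operations (URL-encode each parameter, then HTML-encode the `&` separators for the attribute). Note that `$_GET["snapshot"]` is still read without a null check, so an unset parameter raises an undefined-key warning exactly as before.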
@@ -91,24 +91,24 @@
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
 				<div class="clearfix l-unit__stat-col--left super-compact">
-					<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" name="mail[]" value="<?= $key ?>">
-					<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+					<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="mail[]" value="<?= tohtml($key) ?>">
+					<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 				</div>
 			</div>
 			<div class="units-table-cell units-table-heading-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-				<?= _("Mail Domain") ?>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+				<?= tohtml( _("Mail Domain")) ?>
 			</div>
 			<div class="units-table-cell u-text-bold">
-				<span class="u-hide-desktop"><?= _("Details") ?>:</span>
-				<?= $key ?>
+				<span class="u-hide-desktop"><?= tohtml( _("Details")) ?>:</span>
+					<?= tohtml($key) ?>
 			</div>
 			<div class="units-table-cell">
 				<ul class="units-table-row-actions">
 					<li class="units-table-row-action shortcut-enter" data-key-action="href">
-						<a href="/schedule/restore/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&type=mail&object=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
+							<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(array("snapshot" => $_GET["snapshot"], "type" => "mail", "object" => $key, "token" => $_SESSION["token"]))) ?>" title="<?= tohtml( _("Restore")) ?>">
 						<i class="fas fa-arrow-rotate-left icon-green"></i>
-						<span class="u-hide-desktop"><?= _("Restore") ?></span>
+						<span class="u-hide-desktop"><?= tohtml( _("Restore")) ?></span>
 						</a>
 					</li>
 				</ul>
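Review bot: id collision risk on `<input id="check<?= tohtml($i) ?>"`: this MAIL loop, and the DNS, DB and CRON loops below, all derive the checkbox id and the matching `for` from the same `$i` as the WEB loop. Unless each loop advances `$i` (the increment is outside this hunk), rows in different sections render duplicate ids, which breaks label targeting and any script that looks rows up by id; use a per-section prefix or a unique per-row key instead. Separately, the replaced `<a href=...>` line gained an extra tab relative to its closing `</a>`.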
@@ -125,24 +125,24 @@
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
 				<div class="clearfix l-unit__stat-col--left super-compact">
-					<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" name="dns[]" value="<?= $key ?>">
-					<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="dns[]" value="<?= tohtml($key) ?>">
+					<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 				</div>
 			</div>
 			<div class="units-table-cell units-table-heading-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-				<?= _("DNS Domain") ?>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+				<?= tohtml( _("DNS Domain")) ?>
 			</div>
 			<div class="units-table-cell u-text-bold">
-				<span class="u-hide-desktop"><?= _("Details") ?>:</span>
-				<?= $key ?>
+				<span class="u-hide-desktop"><?= tohtml( _("Details")) ?>:</span>
+					<?= tohtml($key) ?>
 			</div>
 			<div class="units-table-cell">
 				<ul class="units-table-row-actions">
 					<li class="units-table-row-action shortcut-enter" data-key-action="href">
-						<a href="/schedule/restore/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&type=dns&object=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
+							<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(array("snapshot" => $_GET["snapshot"], "type" => "dns", "object" => $key, "token" => $_SESSION["token"]))) ?>" title="<?= tohtml( _("Restore")) ?>">
 						<i class="fas fa-arrow-rotate-left icon-green"></i>
-						<span class="u-hide-desktop"><?= _("Restore") ?></span>
+						<span class="u-hide-desktop"><?= tohtml( _("Restore")) ?></span>
 						</a>
 					</li>
 				</ul>
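Review bot: the replaced `<input id="check<?= tohtml($i) ?>" ... name="dns[]"` line is indented one tab deeper than the `<label>` that follows it, and the restore `<a href=...>` line is likewise deeper than its `</a>`; both are whitespace-only drift introduced by this change and should be reverted to the surrounding indentation.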
@@ -159,24 +159,24 @@
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
 				<div class="clearfix l-unit__stat-col--left super-compact">
-					<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" name="db[]" value="<?= $key ?>">
-					<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+					<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="db[]" value="<?= tohtml($key) ?>">
+					<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 				</div>
 			</div>
 			<div class="units-table-cell units-table-heading-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-				<?= _("Database") ?>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+				<?= tohtml( _("Database")) ?>
 			</div>
 			<div class="units-table-cell u-text-bold">
-				<span class="u-hide-desktop"><?= _("Details") ?>:</span>
-				<?= $key ?>
+				<span class="u-hide-desktop"><?= tohtml( _("Details")) ?>:</span>
+					<?= tohtml($key) ?>
 			</div>
 			<div class="units-table-cell">
 				<ul class="units-table-row-actions">
 					<li class="units-table-row-action shortcut-enter" data-key-action="href">
-						<a href="/schedule/restore/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&type=db&object=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
+							<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(array("snapshot" => $_GET["snapshot"], "type" => "db", "object" => $key, "token" => $_SESSION["token"]))) ?>" title="<?= tohtml( _("Restore")) ?>">
 						<i class="fas fa-arrow-rotate-left icon-green"></i>
-						<span class="u-hide-desktop"><?= _("Restore") ?></span>
+						<span class="u-hide-desktop"><?= tohtml( _("Restore")) ?></span>
 						</a>
 					</li>
 				</ul>
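Review bot: same whitespace drift here as in the sections above: `<?= tohtml($key) ?>` in the Details cell and the restore `<a href=...>` line are each indented one level deeper than their siblings and closing tags. Since the DB loop is otherwise a verbatim copy of the WEB loop apart from `type` and the `db[]` field name, this is a good candidate for a shared row partial so the escaping rule only has to be maintained in one place.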
@@ -193,24 +193,24 @@
 	<div class="units-table-row js-unit">
 		<div class="units-table-cell">
 			<div class="clearfix l-unit__stat-col--left super-compact">
-				<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" name="cron[]" value="<?= $key ?>">
-				<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+				<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="cron[]" value="<?= tohtml($key) ?>">
+				<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 			</div>
 		</div>
 		<div class="units-table-cell units-table-heading-cell">
-			<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-			<?= _("Cronjob") ?>
+			<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+			<?= tohtml( _("Cronjob")) ?>
 		</div>
 		<div class="units-table-cell u-text-bold">
-			<span class="u-hide-desktop"><?= _("Details") ?>:</span>
-			<?= $key ?>
+			<span class="u-hide-desktop"><?= tohtml( _("Details")) ?>:</span>
+				<?= tohtml($key) ?>
 		</div>
 		<div class="units-table-cell">
 			<ul class="units-table-row-actions">
 				<li class="units-table-row-action shortcut-enter" data-key-action="href">
-					<a href="/schedule/restore/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&type=cron&object=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
+					<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(array("snapshot" => $_GET["snapshot"], "type" => "cron", "object" => $key, "token" => $_SESSION["token"]))) ?>" title="<?= tohtml( _("Restore")) ?>">
 					<i class="fas fa-arrow-rotate-left icon-green"></i>
-					<span class="u-hide-desktop"><?= _("Restore") ?></span>
+					<span class="u-hide-desktop"><?= tohtml( _("Restore")) ?></span>
 					</a>
 				</li>
 			</ul>
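Review bot: `<?= tohtml($key) ?>` under the Cronjob Details cell is indented one tab deeper than the `<span>` before it; the rest of this hunk keeps its indentation, so this is an accidental whitespace change and should be reverted.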

+ 11 - 11
web/templates/pages/list_backup_exclusions.php

@@ -3,18 +3,18 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/backup/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/edit/backup/exclusions/" class="button button-secondary">
-				<i class="fas fa-pencil icon-orange"></i><?= _("Edit Backup Exclusions") ?>
+				<i class="fas fa-pencil icon-orange"></i><?= tohtml( _("Edit Backup Exclusions")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
@@ -26,23 +26,23 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Backup Exclusions") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Backup Exclusions")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
-			<div class="units-table-cell"><?= _("Type") ?></div>
-			<div class="units-table-cell"><?= _("Value") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Type")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Value")) ?></div>
 		</div>
 
 		<!-- Begin list of backup exclusions by type -->
 		<?php foreach ($data as $key => $value) { ?>
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Type") ?>:</span>
-					<?= $key ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
+					<?= tohtml($key) ?>
 				</div>
 				<div class="units-table-cell">
-					<span class="u-hide-desktop u-text-bold"><?= _("Value") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Value")) ?>:</span>
 					<?php
 						if (empty($value)) {
 							echo _("No exclusions");
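Review bot: the translated fallback at `echo _("No exclusions");` is still echoed raw while every other `_()` call in this template is now wrapped in `tohtml()`. Translation strings are untrusted relative to the HTML context, so wrap it as `echo tohtml(_("No exclusions"));` for consistency with the stated goal of the change.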

+ 31 - 31
web/templates/pages/list_backup_incremental.php

@@ -3,29 +3,29 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 		<?php if ($read_only !== "true") { ?>
-			<a href="/schedule/backup/incremental/?token=<?= $_SESSION["token"] ?>" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Create Snapshot") ?>
+			<a href="/schedule/backup/incremental/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>" class="button button-secondary js-button-create">
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Create Snapshot")) ?>
 			</a>
 		<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<?php if ($read_only !== "true") { ?>
 				<form x-data x-bind="BulkEdit" action="/bulk/backup/incremental/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="delete"><?= _("Delete") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="delete"><?= tohtml( _("Delete")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
 			<?php } ?>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+						<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_GET['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
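Review bot: `value="<?= tohtml($_GET['q'] ?? '') ?>"` is the one search toolbar in this PR that reads `$_GET`, which matches the form's `method="get"`; the equivalent lines in list_backup_detail.php, list_backup_exclusions.php and list_cron.php still read `$_POST['q']`. Pick one and apply it everywhere. The replaced line is also indented one tab deeper than the hidden token input above it and the submit button below it.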
@@ -37,18 +37,18 @@
 
 <div class="container">
 
-<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Snapshots") ?></h1>
+<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Snapshots")) ?></h1>
 
 <div class="units-table js-units-container">
 	<div class="units-table-header">
 		<div class="units-table-cell">
-			<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+			<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 		</div>
-		<div class="units-table-cell"><?= _("Snapshot") ?></div>
+		<div class="units-table-cell"><?= tohtml( _("Snapshot")) ?></div>
 		<div class="units-table-cell"></div>
-		<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
-		<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
-		<div class="units-table-cell u-text-center"><?= _("Hostname") ?></div>
+		<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
+		<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
+		<div class="units-table-cell u-text-center"><?= tohtml( _("Hostname")) ?></div>
 	</div>
 	<!-- Begin user backup list item loop -->
 	<?php
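Review bot: `<?= tohtml($display_mode) ?>` emits `$display_mode` as a raw attribute fragment of the `<input>`. That is only safe if the variable holds a bare attribute name (e.g. `disabled`) or an empty string; if it is ever set to a quoted form such as `disabled="disabled"`, `tohtml()` will encode the quotes and the attribute will no longer parse. Confirm the value set by the controller, or replace the variable with a conditional literal such as `<?php if ($read_only === "true") echo 'disabled'; ?>` so nothing is interpolated into attribute syntax.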
@@ -59,17 +59,17 @@
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
 				<div>
-					<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="backup[]" value="<?= $value['short_id'] ?>" <?= $display_mode ?>>					<span class="u-hide-desktop"><label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label></span>
+					<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="backup[]" value="<?= tohtml($value['short_id']) ?>" <?= tohtml($display_mode) ?>>					<span class="u-hide-desktop"><label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label></span>
 				</div>
 			</div>
 			<div class="units-table-cell units-table-heading-cell u-text-bold">
 				<b>
 					<?php if ($read_only === "true") { ?>
-							<span class="u-hide-desktop"><?= _("Snapshot") ?>:</span>
-							<?= $value['short_id'] ?>
+							<span class="u-hide-desktop"><?= tohtml( _("Snapshot")) ?>:</span>
+							<?= tohtml($value['short_id']) ?>
 					<?php } else { ?>
-						<span class="u-hide-desktop"><?= _("Snapshot") ?>:</span>
-						<a href="/list/backup/incremental/?snapshot=<?= $value['short_id'] ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>"><?= $value['short_id'] ?></a>
+						<span class="u-hide-desktop"><?= tohtml( _("Snapshot")) ?>:</span>
+						<a href="/list/backup/incremental/?<?= tohtml(http_build_query(["snapshot" => $value['short_id'], "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Restore")) ?>"><?= tohtml($value['short_id']) ?></a>
 					<?php } ?>
 				</b>
 			</div>
@@ -77,32 +77,32 @@
 				<?php if (!$read_only) { ?>
 					<ul class="units-table-row-actions">
 						<li class="units-table-row-action shortcut-enter" data-key-action="href">
-							<a href="/list/backup/incremental/?snapshot=<?= $value['short_id'] ?>&browse=yes&token=<?= $_SESSION["token"] ?>" title="<?= _("Browse") ?>"><i class="fas fa-folder-open icon-lightblue icon-dim"></i></a>
+							<a href="/list/backup/incremental/?<?= tohtml(http_build_query(["snapshot" => $value['short_id'], "browse" => 'yes', "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Browse")) ?>"><i class="fas fa-folder-open icon-lightblue icon-dim"></i></a>
 						</li>
 						<li class="units-table-row-action shortcut-enter" data-key-action="href">
-							<a href="/list/backup/incremental/?snapshot=<?= $value['short_id'] ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>"><i class="fas fa-arrow-rotate-left icon-green icon-dim"></i></a>
+							<a href="/list/backup/incremental/?<?= tohtml(http_build_query(["snapshot" => $value['short_id'], "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Restore")) ?>"><i class="fas fa-arrow-rotate-left icon-green icon-dim"></i></a>
 						</li>
 					</ul>
 				<?php } ?>
 			</div>
 			<div class="units-table-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Date") ?>:</span>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Date")) ?>:</span>
 				<span class="u-text-bold">
-					<?= convert_datetime($value['time']) ?>
+					<?= tohtml(convert_datetime($value['time'])) ?>
 				</span>
 			</div>
 			<div class="units-table-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
 				<span class="u-text-bold">
 					Restic
 				</span>
 			</div>
-			<div class="units-table-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Hostname") ?>:</span>
-				<span class="u-text-bold">
-					<?=htmlentities($value['hostname'])?>
-				</span>
-			</div>
+				<div class="units-table-cell">
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Hostname")) ?>:</span>
+					<span class="u-text-bold">
+						<?= tohtml($value['hostname']) ?>
+					</span>
+				</div>
 		</div>
 	<?php
 	}
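Review bot: `<?php if (!$read_only) { ?>` at the top of this hunk checks truthiness, while the cell above tests `$read_only === "true"`; if the controller sets the string `"false"`, `!$read_only` is always false and the Browse/Restore actions are never rendered. Use the same strict comparison, `$read_only !== "true"`, as the rest of the template. The Hostname cell (`<div class="units-table-cell">` through `</div>`) is also re-indented by one extra level with no other change, so it now sits deeper than the Date and Type cells beside it; revert the whitespace and keep the `htmlentities` to `tohtml` swap as the only diff.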

+ 59 - 59
web/templates/pages/list_cron.php

@@ -4,48 +4,48 @@
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
 				<a href="/add/cron/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add Cron Job") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Cron Job")) ?>
 				</a>
 				<?php if ($panel[$user_plain]["CRON_REPORTS"] == "yes") { ?>
-					<a class="button button-secondary" href="/delete/cron/reports/?token=<?= $_SESSION["token"] ?>">
-						<i class="fas fa-toggle-on icon-green"></i><?= _("Disable Notifications") ?>
+					<a class="button button-secondary" href="/delete/cron/reports/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>">
+						<i class="fas fa-toggle-on icon-green"></i><?= tohtml( _("Disable Notifications")) ?>
 					</a>
 				<?php } else { ?>
-					<a class="button button-secondary" href="/add/cron/reports/?token=<?= $_SESSION["token"] ?>">
-						<i class="fas fa-toggle-off"></i><?= _("Enable Notifications") ?>
+					<a class="button button-secondary" href="/add/cron/reports/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>">
+						<i class="fas fa-toggle-off"></i><?= tohtml( _("Enable Notifications")) ?>
 					</a>
 				<?php } ?>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Command'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Command") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Command")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
 					<form x-data x-bind="BulkEdit" action="/bulk/cron/" method="post">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
 							<?php if ($panel[$user_plain]['CRON_REPORTS'] == 'yes') echo '<option value="delete-cron-reports">' . _('Disable Notifications') . '</option>'; ?>
 							<?php if ($panel[$user_plain]['CRON_REPORTS'] == 'no') echo '<option value="add-cron-reports">' . _('Enable Notifications') . '</option>'; ?>
-							<option value="suspend"><?= _("Suspend") ?></option>
-							<option value="unsuspend"><?= _("Unsuspend") ?></option>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value="suspend"><?= tohtml( _("Suspend")) ?></option>
+							<option value="unsuspend"><?= tohtml( _("Unsuspend")) ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
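Review bot: two translated option labels are still concatenated raw: `echo '<option value="delete-cron-reports">' . _('Disable Notifications') . '</option>';` and the matching `add-cron-reports` line. Every other `_()` in this hunk now goes through `tohtml()`, so these should too (`tohtml(_('Disable Notifications'))`), otherwise the CRON_REPORTS branch remains the one place in this toolbar where a translation string reaches the page unescaped.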
@@ -53,9 +53,9 @@
 			</div>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
@@ -67,20 +67,20 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Cron Jobs") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Cron Jobs")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Command") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Command")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Minute") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Hour") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Day") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Month") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Day of Week") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Minute")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Hour")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Day")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Month")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Day of Week")) ?></div>
 		</div>
 
 		<!-- Begin cron job list item loop -->
@@ -104,21 +104,21 @@
 			}
 		?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-sort-date="<?= strtotime($data[$key]['DATE'].' '.$data[$key]['TIME']) ?>"
-				data-sort-name="<?= htmlspecialchars($data[$key]['CMD'], ENT_NOQUOTES) ?>">
+				data-sort-date="<?= tohtml(strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
+				data-sort-name="<?= tohtml($data[$key]['CMD']) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="job[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="job[]" value="<?= tohtml($key) ?>" <?= tohtml($display_mode) ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Command") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Command")) ?>:</span>
 					<?php if ($read_only === "true" || $data[$key]["SUSPENDED"] == "yes") { ?>
-						<?= htmlspecialchars($data[$key]["CMD"], ENT_NOQUOTES) ?>
+						<?= tohtml($data[$key]["CMD"]) ?>
 					<?php } else { ?>
-						<a href="/edit/cron/?job=<?= $data[$key]["JOB"] ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Edit Cron Job") ?>: <?= htmlspecialchars($data[$key]["CMD"], ENT_NOQUOTES) ?>">
-							<?= htmlspecialchars($data[$key]["CMD"], ENT_NOQUOTES) ?>
+						<a href="/edit/cron/?<?= tohtml(http_build_query(["job" => $data[$key]["JOB"], "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Edit Cron Job")) ?>: <?= tohtml($data[$key]["CMD"]) ?>">
+							<?= tohtml($data[$key]["CMD"]) ?>
 						</a>
 					<?php } ?>
 				</div>
@@ -129,60 +129,60 @@
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/edit/cron/?job=<?= $data[$key]["JOB"] ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Edit") ?>"
+										href="/edit/cron/?<?= tohtml(http_build_query(["job" => $data[$key]["JOB"], "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Edit")) ?>"
 									>
 										<i class="fas fa-pencil icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Edit") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Edit")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
 							<li class="units-table-row-action shortcut-s" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/<?= $spnd_action ?>/cron/?job=<?= $data[$key]["JOB"] ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= $spnd_action_title ?>"
-									data-confirm-title="<?= $spnd_action_title ?>"
-									data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+									href="/<?= tohtml($spnd_action) ?>/cron/?<?= tohtml(http_build_query(["job" => $data[$key]["JOB"], "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 								>
-									<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-									<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+									<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+									<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/cron/?job=<?= $data[$key]["JOB"] ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete this cron job?"), $key) ?>"
+									href="/delete/cron/?<?= tohtml(http_build_query(["job" => $data[$key]["JOB"], "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete this cron job?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						</ul>
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Minute") ?>:</span>
-					<?= $data[$key]["MIN"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Minute")) ?>:</span>
+					<?= tohtml($data[$key]["MIN"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Hour") ?>:</span>
-					<?= $data[$key]["HOUR"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Hour")) ?>:</span>
+					<?= tohtml($data[$key]["HOUR"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Day") ?>:</span>
-					<?= $data[$key]["DAY"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Day")) ?>:</span>
+					<?= tohtml($data[$key]["DAY"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Month") ?>:</span>
-					<?= $data[$key]["MONTH"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Month")) ?>:</span>
+					<?= tohtml($data[$key]["MONTH"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Day of Week") ?>:</span>
-					<?= $data[$key]["WDAY"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Day of Week")) ?>:</span>
+					<?= tohtml($data[$key]["WDAY"]) ?>
 				</div>
 			</div>
 		<?php } ?>
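Review bot: the `tohtml( _("Delete"))` and `tohtml( _("Minute"))` calls carry a stray space after the opening parenthesis, while the neighbouring `tohtml($spnd_action_title)` and `tohtml($data[$key]["MIN"])` calls do not; normalise to `tohtml(_("Delete"))` so a later grep for the helper's call sites matches one pattern. The ordering on the `href` lines is right for the two contexts involved: `http_build_query` percent-encodes the query values first, and `tohtml` then escapes the result for the attribute, so `&` between parameters becomes `&amp;` and a job name containing quotes cannot break out of the attribute.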

+ 89 - 77
web/templates/pages/list_db.php

@@ -17,15 +17,15 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
 				<a href="/add/db/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add Database") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Database")) ?>
 				</a>
 				<?php if ($_SESSION["DB_SYSTEM"] === "mysql" || $_SESSION["DB_SYSTEM"] === "mysql,pgsql" || $_SESSION["DB_SYSTEM"] === "pgsql,mysql") { ?>
-					<a class="button button-secondary <?= ipUsed() ? "button-suspended" : "" ?>" href="<?= $db_myadmin_link ?>" target="_blank">
+					<a class="button button-secondary <?= tohtml(ipUsed() ? "button-suspended" : "") ?>" href="<?= tohtml($db_myadmin_link) ?>" target="_blank">
 						<i class="fas fa-database icon-orange"></i>phpMyAdmin
 					</a>
 				<?php } ?>
 				<?php if ($_SESSION["DB_SYSTEM"] === "pgsql" || $_SESSION["DB_SYSTEM"] === "mysql,pgsql" || $_SESSION["DB_SYSTEM"] === "pgsql,mysql") { ?>
-					<a class="button button-secondary <?= ipUsed() ? "button-suspended" : "" ?>" href="<?= $db_pgadmin_link ?>" target="_blank">
+					<a class="button button-secondary <?= tohtml(ipUsed() ? "button-suspended" : "") ?>" href="<?= tohtml($db_pgadmin_link) ?>" target="_blank">
 						<i class="fas fa-database icon-orange"></i>phpPgAdmin
 					</a>
 				<?php } ?>
@@ -38,46 +38,46 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-charset">
-						<span class="name"><?= _("Charset") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Charset")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-disk" data-sort-as-int="1">
-						<span class="name"><?= _("Disk") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Disk")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-server">
-						<span class="name"><?= _("Host") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Host")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-user">
-						<span class="name"><?= _("Username") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Username")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
 					<form x-data x-bind="BulkEdit" action="/bulk/db/" method="post">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
 							<?php if ($_SESSION["userContext"] === "admin") { ?>
-								<option value="rebuild"><?= _("Rebuild All") ?></option>
-								<option value="suspend"><?= _("Suspend All") ?></option>
-								<option value="unsuspend"><?= _("Unsuspend All") ?></option>
+								<option value="rebuild"><?= tohtml( _("Rebuild All")) ?></option>
+								<option value="suspend"><?= tohtml( _("Suspend All")) ?></option>
+								<option value="unsuspend"><?= tohtml( _("Unsuspend All")) ?></option>
 							<?php } ?>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
@@ -85,9 +85,9 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 			</div>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
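Review bot: the search input still reads `$_POST['q']` although the enclosing form is `method="get"`, and the equivalent change in list_dns.php below reads `$_GET['q']`; either the value should come from `$_GET` here too or the two templates should agree, otherwise the submitted query is never reflected back into the field. Replacing the `<? echo isset(...) ? htmlspecialchars(...) : '' ?>` construct with `<?= tohtml($_POST['q'] ?? '') ?>` is an improvement in its own right: the old line depended on `short_open_tag`, and with it disabled the raw PHP would have been emitted into the page.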
@@ -99,20 +99,20 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Databases") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Databases")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Disk") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Username") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Hostname") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Charset") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Disk")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Username")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Hostname")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Charset")) ?></div>
 		</div>
 
 		<!-- Begin database list item loop -->
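Review bot: `<?= tohtml($display_mode) ?>` is emitted as an unquoted attribute fragment on the select-all checkbox, so it only works if `$display_mode` is a bare attribute name such as `disabled` or an empty string; if it is ever set to a quoted form like `disabled="disabled"`, `tohtml` will turn the quotes into `&quot;` and the attribute is no longer recognised. Confirm what values `$display_mode` can take (its assignment is not in this hunk) or, more robustly, replace it with a conditional `<?php if ($read_only === "true") echo "disabled"; ?>` so the escaping helper is not applied to markup.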
@@ -144,25 +144,25 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 				if (($data[$key]['TYPE'] == 'pgsql') && (!empty($_SESSION['DB_PGA_ALIAS']))) $db_admin_link = $_SESSION['DB_PGA_ALIAS'];
 			?>
 			<div class="units-table-row <?php if ($data[$key]['SUSPENDED'] == 'yes') echo 'disabled'; ?> js-unit"
-				data-sort-date="<?= strtotime($data[$key]['DATE'].' '.$data[$key]['TIME']) ?>"
-				data-sort-name="<?= $key ?>"
-				data-sort-disk="<?= $data[$key]["U_DISK"] ?>"
-				data-sort-user="<?= $data[$key]["DBUSER"] ?>"
-				data-sort-server="<?= $data[$key]["HOST"] ?>"
-				data-sort-charset="<?= $data[$key]["CHARSET"] ?>">
+				data-sort-date="<?= tohtml(strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
+				data-sort-name="<?= tohtml($key) ?>"
+				data-sort-disk="<?= tohtml($data[$key]["U_DISK"]) ?>"
+				data-sort-user="<?= tohtml($data[$key]["DBUSER"]) ?>"
+				data-sort-server="<?= tohtml($data[$key]["HOST"]) ?>"
+				data-sort-charset="<?= tohtml($data[$key]["CHARSET"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="database[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="database[]" value="<?= tohtml($key) ?>" <?= tohtml($display_mode) ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Name") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Name")) ?>:</span>
 					<?php if ($read_only === "true" || $data[$key]["SUSPENDED"] == "yes") { ?>
-						<?= $key ?>
+						<?= tohtml($key) ?>
 					<?php } else { ?>
-						<a href="/edit/db/?database=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Edit Database") ?>: <?= $key ?>">
-							<?= $key ?>
+						<a href="/edit/db/?<?= tohtml(http_build_query(["database" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Edit Database")) ?>: <?= tohtml($key) ?>">
+							<?= tohtml($key) ?>
 						</a>
 					<?php } ?>
 				</div>
@@ -173,21 +173,33 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/edit/db/?database=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Edit Database") ?>"
+											href="/edit/db/?<?= tohtml(http_build_query(["database" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Edit Database")) ?>"
 									>
 										<i class="fas fa-pencil icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Edit Database") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Edit Database")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
-							<?php if ($data[$key]['TYPE'] == 'mysql' && isset($_SESSION['PHPMYADMIN_KEY']) && $_SESSION['PHPMYADMIN_KEY'] != '' && !ipUsed()) { $time = time(); ?>
-								<li class="units-table-row-action shortcut-enter" data-key-action="href">
-									<a
-										class="units-table-row-action-link"
-										href="<?= $db_myadmin_link?>hestia-sso.php?database=<?= $key ?>&user=<?= $user_plain?>&exp=<?= $time?>&hestia_token=<?=password_hash($key.$user_plain.$_SESSION['user_combined_ip'].$time.$_SESSION['PHPMYADMIN_KEY'], PASSWORD_DEFAULT) ?>"
-										title="phpMyAdmin" target="_blank"
-									>
+								<?php if ($data[$key]['TYPE'] == 'mysql' && isset($_SESSION['PHPMYADMIN_KEY']) && $_SESSION['PHPMYADMIN_KEY'] != '' && !ipUsed()) { $time = time(); ?>
+									<?php
+										$hestia_sso_token = password_hash(
+											$key . $user_plain . $_SESSION['user_combined_ip'] . $time . $_SESSION['PHPMYADMIN_KEY'],
+											PASSWORD_DEFAULT,
+										);
+										$hestia_sso_url = $db_myadmin_link . "hestia-sso.php?" . http_build_query([
+											"database" => $key,
+											"user" => $user_plain,
+											"exp" => $time,
+											"hestia_token" => $hestia_sso_token,
+										]);
+									?>
+									<li class="units-table-row-action shortcut-enter" data-key-action="href">
+										<a
+											class="units-table-row-action-link"
+											href="<?= tohtml($hestia_sso_url) ?>"
+											title="phpMyAdmin" target="_blank"
+										>
 										<i class="fas fa-right-to-bracket icon-orange"></i>
 										<span class="u-hide-desktop">phpMyAdmin</span>
 									</a>
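Review bot: indentation is inconsistent in this hunk: the new `href` line is one tab deeper than its `title` sibling, the `<li>`/`<a>` block for the phpMyAdmin SSO link was moved one level in while the `<i>` and `<span>` lines inside it and the closing `</a>` context line kept their old level, so the closing tags no longer line up with their openers. Re-indent the block to one level before merging so the diff shows only the escaping change. Extracting `$hestia_sso_url` and passing it through a single `tohtml()` is the right fix for the old `href` that interpolated `$key`, `$user_plain` and the hash without any encoding; note the trailing comma after `PASSWORD_DEFAULT,` requires PHP 7.3 or later, which is fine if that is already the project's floor.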
@@ -196,64 +208,64 @@ if (!empty($_SESSION["DB_PGA_ALIAS"])) {
 							<li class="units-table-row-action shortcut-enter" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="/download/database/?database=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Download Database") ?>"
+									href="/download/database/?<?= tohtml(http_build_query(["database" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Download Database")) ?>"
 								>
 									<i class="fas fa-download icon-orange"></i>
-									<span class="u-hide-desktop"><?= _("Download Database") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Download Database")) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-s" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/<?= $spnd_action ?>/db/?database=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= $spnd_action_title ?>"
-									data-confirm-title="<?= $spnd_action_title ?>"
-									data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+									href="/<?= tohtml($spnd_action) ?>/db/?<?= tohtml(http_build_query(["database" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 								>
-									<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-									<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+									<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+									<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/db/?database=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete database %s?"), $key) ?>"
+									href="/delete/db/?<?= tohtml(http_build_query(["database" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete database %s?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						</ul>
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Disk") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Disk")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["U_DISK"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["U_DISK"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-					<?= $data[$key]["TYPE"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+					<?= tohtml($data[$key]["TYPE"]) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Username") ?>:</span>
-					<?= $data[$key]["DBUSER"] ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Username")) ?>:</span>
+					<?= tohtml($data[$key]["DBUSER"]) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Hostname") ?>:</span>
-					<?= $data[$key]["HOST"] ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Hostname")) ?>:</span>
+					<?= tohtml($data[$key]["HOST"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Charset") ?>:</span>
-					<?= $data[$key]["CHARSET"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Charset")) ?>:</span>
+					<?= tohtml($data[$key]["CHARSET"]) ?>
 				</div>
 			</div>
 		<?php } ?>

+ 77 - 77
web/templates/pages/list_dns.php

@@ -4,49 +4,49 @@
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
 				<a href="/add/dns/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add DNS Domain") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add DNS Domain")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-expire" data-sort-as-int="1">
-						<span class="name"><?= _("Expire") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Expire")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-ip">
-						<span class="name"><?= _("IP Address") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("IP Address")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-records">
-						<span class="name"><?= _("Records") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Records")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
 					<form x-data x-bind="BulkEdit" action="/bulk/dns/" method="post">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
 							<?php if ($_SESSION["userContext"] === "admin") { ?>
-								<option value="rebuild"><?= _("Rebuild") ?></option>
+								<option value="rebuild"><?= tohtml( _("Rebuild")) ?></option>
 							<?php } ?>
-							<option value="suspend"><?= _("Suspend") ?></option>
-							<option value="unsuspend"><?= _("Unsuspend") ?></option>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value="suspend"><?= tohtml( _("Suspend")) ?></option>
+							<option value="unsuspend"><?= tohtml( _("Unsuspend")) ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
@@ -54,9 +54,9 @@
 			</div>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+						<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_GET['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
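Review bot: this hunk reads the search term from `$_GET['q']`, matching the form's `method="get"`, whereas the otherwise identical hunk in list_db.php above still uses `$_POST['q']`; the two should be aligned, and `$_GET` is the one that actually reflects the submitted value. The `<input type="search" ...>` line also gained an extra tab relative to the hidden token input and the submit button, which looks accidental.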
@@ -68,21 +68,21 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("DNS Records") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("DNS Records")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Records") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Template") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("TTL") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("SOA") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("DNSSEC") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Expiration Date") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Records")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Template")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("TTL")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("SOA")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("DNSSEC")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Expiration Date")) ?></div>
 		</div>
 
 		<!-- Begin DNS zone list item loop -->
@@ -120,24 +120,24 @@
 				}
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-sort-ip="<?= str_replace('.', '', $data[$key]['IP']) ?>"
-				data-sort-date="<?= strtotime($data[$key]['DATE'].' '.$data[$key]['TIME']) ?>"
-				data-sort-name="<?= htmlentities($key);?>"
-				data-sort-expire="<?= strtotime($data[$key]['EXP']) ?>"
-				data-sort-records="<?=(int)$data[$key]['RECORDS'] ?>">
+				data-sort-ip="<?= tohtml(str_replace('.', '', $data[$key]['IP'])) ?>"
+				data-sort-date="<?= tohtml(strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
+				data-sort-name="<?= tohtml($key) ?>"
+				data-sort-expire="<?= tohtml(strtotime($data[$key]['EXP'])) ?>"
+				data-sort-records="<?= tohtml((int)$data[$key]['RECORDS']) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="domain[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="domain[]" value="<?= tohtml($key) ?>" <?= tohtml($display_mode) ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
-				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Name") ?>:</span>
-					<a href="/list/dns/?domain=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("DNS Records") ?>: <?= htmlentities($key) ?>">
-						<?= htmlentities($key) ?>
-					</a>
-					<?= empty($data[$key]["SRC"]) ? "" : '<br>⇢ <span class="u-text-small">' . htmlspecialchars($data[$key]["SRC"], ENT_QUOTES) . "</span>" ?>
-				</div>
+					<div class="units-table-cell units-table-heading-cell u-text-bold">
+						<span class="u-hide-desktop"><?= tohtml( _("Name")) ?>:</span>
+						<a href="/list/dns/?<?= tohtml(http_build_query(array("domain" => $key, "token" => $_SESSION["token"]))) ?>" title="<?= tohtml( _("DNS Records")) ?>: <?= tohtml($key) ?>">
+							<?= tohtml($key) ?>
+						</a>
+						<?= empty($data[$key]["SRC"]) ? "" : '<br>⇢ <span class="u-text-small">' . tohtml($data[$key]["SRC"]) . "</span>" ?>
+					</div>
 				<div class="units-table-cell">
 					<?php if (!$read_only) { ?>
 						<ul class="units-table-row-actions">
@@ -145,32 +145,32 @@
 								<li class="units-table-row-action shortcut-n" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/add/dns/?domain=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Add DNS Record") ?>"
+											href="/add/dns/?<?= tohtml(http_build_query(array("domain" => $key, "token" => $_SESSION["token"]))) ?>"
+										title="<?= tohtml( _("Add DNS Record")) ?>"
 									>
 										<i class="fas fa-circle-plus icon-green"></i>
-										<span class="u-hide-desktop"><?= _("Add DNS Record") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Add DNS Record")) ?></span>
 									</a>
 								</li>
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/edit/dns/?domain=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Edit DNS Domain") ?>"
+											href="/edit/dns/?<?= tohtml(http_build_query(array("domain" => $key, "token" => $_SESSION["token"]))) ?>"
+										title="<?= tohtml( _("Edit DNS Domain")) ?>"
 									>
 										<i class="fas fa-pencil icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Edit DNS Domain") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Edit DNS Domain")) ?></span>
 									</a>
 								</li>
 								<?php if ($data[$key]["DNSSEC"] == "yes") { ?>
 									<li class="units-table-row-action shortcut-enter" data-key-action="href">
 										<a
 											class="units-table-row-action-link"
-											href="/list/dns/?domain=<?= htmlentities($key) ?>&action=dnssec&token=<?= $_SESSION["token"] ?>"
-											title="<?= _("View Public DNSSEC Key") ?>"
+												href="/list/dns/?<?= tohtml(http_build_query(array("domain" => $key, "action" => "dnssec", "token" => $_SESSION["token"]))) ?>"
+											title="<?= tohtml( _("View Public DNSSEC Key")) ?>"
 										>
 											<i class="fas fa-key icon-orange"></i>
-											<span class="u-hide-desktop"><?= _("View Public DNSSEC Key") ?></span>
+											<span class="u-hide-desktop"><?= tohtml( _("View Public DNSSEC Key")) ?></span>
 										</a>
 									</li>
 								<?php } ?>
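Review bot: each of the three new `href` lines in this hunk is indented one tab deeper than the `title` attribute that follows it, so the attributes of the same `<a>` no longer line up; drop the extra tab. The escaping change itself is consistent with the rest of the series: `htmlentities($key)` in a hand-built query string is replaced by `http_build_query` for URL encoding plus `tohtml` for the attribute, which also covers the `action=dnssec` parameter that was previously concatenated raw.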
@@ -178,42 +178,42 @@
 							<li class="units-table-row-action shortcut-l" data-key-action="href">
 								<a
 									class="units-table-row-action-link"
-									href="/list/dns/?domain=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("DNS Records") ?>"
+									href="/list/dns/?<?= tohtml(http_build_query(array("domain" => $key, "token" => $_SESSION["token"]))) ?>"
+									title="<?= tohtml( _("DNS Records")) ?>"
 								>
 									<i class="fas fa-list icon-lightblue"></i>
-									<span class="u-hide-desktop"><?= _("DNS Records") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("DNS Records")) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-s" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/<?= $spnd_action ?>/dns/?domain=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= $spnd_action_title ?>"
-									data-confirm-title="<?= $spnd_action_title ?>"
-									data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+									href="/<?= tohtml($spnd_action) ?>/dns/?<?= tohtml(http_build_query(array("domain" => $key, "token" => $_SESSION["token"]))) ?>"
+									title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 								>
-									<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-									<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+									<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+									<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/dns/?domain=<?= htmlentities($key) ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete domain %s?"), $key) ?>"
+									href="/delete/dns/?<?= tohtml(http_build_query(array("domain" => $key, "token" => $_SESSION["token"]))) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete domain %s?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						</ul>
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Records") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Records")) ?>:</span>
 					<?php if ($data[$key]['RECORDS']) {
 						echo '<span>'.$data[$key]['RECORDS'].'</span>';
 					} else {
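Review bot: the unchanged line `echo '<span>'.$data[$key]['RECORDS'].'</span>';` still emits `$data[$key]['RECORDS']` raw while every other value in this row is now wrapped in tohtml(); since this hunk already touches the surrounding label, wrap it as `tohtml($data[$key]['RECORDS'])` so the row is escaped consistently rather than relying on the record count always being numeric.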
@@ -221,27 +221,27 @@
 					} ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Template") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Template")) ?>:</span>
 					<span class="u-text-bold">
-						<?= $data[$key]["TPL"] ?>
+						<?= tohtml($data[$key]["TPL"]) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("TTL") ?>:</span>
-					<?= $data[$key]["TTL"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("TTL")) ?>:</span>
+					<?= tohtml($data[$key]["TTL"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("SOA") ?>:</span>
-					<?= $data[$key]["SOA"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("SOA")) ?>:</span>
+					<?= tohtml($data[$key]["SOA"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("DNSSEC") ?>:</span>
-					<i class="fas <?= $dnssec_icon ?>" title="<?= $dnssec_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("DNSSEC")) ?>:</span>
+					<i class="fas <?= tohtml($dnssec_icon) ?>" title="<?= tohtml($dnssec_title) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Expiration Date") ?>:</span>
-					<time class="u-text-bold" datetime="<?= $data[$key]["EXP"] ?>">
-						<?= $data[$key]["EXP"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Expiration Date")) ?>:</span>
+					<time class="u-text-bold" datetime="<?= tohtml($data[$key]["EXP"]) ?>">
+						<?= tohtml($data[$key]["EXP"]) ?>
 					</time>
 				</div>
 			</div>

+ 12 - 12
web/templates/pages/list_dns_public.php

@@ -4,16 +4,16 @@
 		<div class="toolbar-buttons">
 			<?php if ($read_only !== "true") { ?>
 				<a href="/add/dns/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add DNS Domain") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add DNS Domain")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>" />
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>" />
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
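Review bot: the search input is prefilled from `$_POST['q']` although the form is `method="get"`, so the value will never round-trip after a search; this was already the case before the change, but since the line is being rewritten to `tohtml($_POST['q'] ?? '')` it is the right moment to read the same source the form submits to. Replacing the old `<? echo ... ?>` short tag with `<?= ... ?>` is a good side effect, as the old form depended on `short_open_tag`.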
@@ -26,33 +26,33 @@
 <div class="container">
 
 	<div class="form-container">
-		<h1 class="u-mb20"><?= _("View Public DNSSEC Key") ?></h1>
+		<h1 class="u-mb20"><?= tohtml( _("View Public DNSSEC Key")) ?></h1>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("DNSKEY Record") ?></label>
+			<label class="form-label"><?= tohtml( _("DNSKEY Record")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $data[$domain]["RECORD"]; ?>" readonly>
 		</div>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("DS Record") ?></label>
+			<label class="form-label"><?= tohtml( _("DS Record")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $data[$domain]["DS"]; ?>" readonly>
 		</div>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("Public Key") ?></label>
+			<label class="form-label"><?= tohtml( _("Public Key")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $data[$domain]["KEY"]; ?>" readonly>
 		</div>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("Key Type / Flag") ?></label>
+			<label class="form-label"><?= tohtml( _("Key Type / Flag")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $flag; ?>" readonly>
 		</div>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("Key Tag") ?></label>
+			<label class="form-label"><?= tohtml( _("Key Tag")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $data[$domain]["KEYTAG"]; ?>" readonly>
 		</div>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("Flag") ?></label>
+			<label class="form-label"><?= tohtml( _("Flag")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $data[$domain]["FLAG"]; ?>" readonly>
 		</div>
 		<div class="u-mb10">
-			<label class="form-label"><?= _("Algorithm") ?></label>
+			<label class="form-label"><?= tohtml( _("Algorithm")) ?></label>
 			<input type="text" class="form-control" value="<?php echo $algorithm; ?>" readonly>
 		</div>
 	</div>
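Review bot: the DNSSEC values are left unescaped while only their labels were converted: `value="<?php echo $data[$domain]["RECORD"]; ?>"`, and likewise the DS, KEY, KEYTAG, FLAG, `$flag` and `$algorithm` inputs, are all emitted raw inside a double-quoted attribute. These are exactly the data-bearing outputs the PR is meant to harden; wrap each in tohtml() in the same way as the labels.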

+ 27 - 27
web/templates/pages/list_files_incremental.php

@@ -5,10 +5,10 @@
 			<?php if ($read_only !== "true") { ?>
 			<?php if(str_starts_with($files[0]['path'],'/home/'.$user_plain) && $files[0]['path'] != '/home/'.$user_plain ){
 			?>
-			<a class="button button-secondary" id="btn-back" href="/list/backup/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&browse=yes&folder=<?=htmlentities($files[0]['path'])?>/../&token=<?=$_SESSION["token"]?>"><i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?></a>
+			<a class="button button-secondary" id="btn-back" href="/list/backup/incremental/?<?= tohtml(http_build_query(["snapshot" => $_GET["snapshot"], "browse" => "yes", "folder" => $files[0]["path"] . "/../", "token" => $_SESSION["token"]])) ?>"><i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?></a>
 			<?php }else{
 			?>
-			<a class="button button-secondary" id="btn-back" href="/list/backup/incremental/?token=<?=$_SESSION["token"]?>"><i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?></a>
+			<a class="button button-secondary" id="btn-back" href="/list/backup/incremental/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>"><i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?></a>
 			<?php
 			}
 			?>
@@ -16,23 +16,23 @@
 		</div>
 		<div class="toolbar-right">
 					<?php if ($read_only !== "true") { ?>
-					<form x-data x-bind="BulkEdit" action="/bulk/restore/" method="post">
-						<input type="hidden" name="backup" value="<?=htmlentities($_GET["snapshot"]);?>"
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+						<form x-data x-bind="BulkEdit" action="/bulk/restore/" method="post">
+							<input type="hidden" name="backup" value="<?= tohtml($_GET["snapshot"]) ?>">
+							<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
-							<option value="delete"><?= _("Restore Files") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+							<option value="delete"><?= tohtml( _("Restore Files")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
 				<?php } ?>
 				<div class="toolbar-search">
 					<form action="/search/" method="get">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-						<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+						<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 							<i class="fas fa-magnifying-glass"></i>
 						</button>
 					</form>
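Review bot: the new `<form x-data x-bind="BulkEdit" ...>` and its two hidden inputs are indented one level deeper than the `<select>` and `<button>` that belong to the same form, so the block no longer reads as one element; keep the original indentation. Also note that the rewritten line fixes a real bug in the old one (`value="<?=htmlentities($_GET["snapshot"]);?>"` was missing its closing `>`), which is worth calling out in the PR description. Separately, the unchanged `<option value="delete"><?= tohtml( _("Restore Files")) ?></option>` submits `delete` as the action for a restore; please confirm `/bulk/restore/` expects that value.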
@@ -43,16 +43,16 @@
 <!-- End toolbar -->
 
 <div class="container">
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Files") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Files")) ?></h1>
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
 		</div>
 		<?php
 		foreach($files as $file){
@@ -63,12 +63,12 @@
 						<div class="units-table-cell">
 						</div>
 						<div class="units-table-cell units-table-heading-cell u-text-bold">
-								<b><a href="/list/backup/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&browse=yes&folder=<?=htmlentities($files[0]['path'])?>/../&token=<?=$_SESSION["token"]?>"><i class="fas fa-folder icon-dim u-mr5"></i>..</a></b>
+								<b><a href="/list/backup/incremental/?<?= tohtml(http_build_query(["snapshot" => $_GET["snapshot"], "browse" => "yes", "folder" => $files[0]["path"] . "/../", "token" => $_SESSION["token"]])) ?>"><i class="fas fa-folder icon-dim u-mr5"></i>..</a></b>
 						</div>
 						<div class="units-table-cell">
 						</div>
 						<div class="units-table-cell">
-							<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
+							<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
 							<span class="u-text-bold">
 								Directory
 							</span>
@@ -82,7 +82,7 @@
 					<div class="units-table-row js-unit">
 						<div class="units-table-cell">
 							<div>
-								<input id="check<?= $i ?>" class="ch-toggle" type="checkbox" name="files[]" value="<?=htmlentities($file['path'])?>">
+								<input id="check<?= tohtml($i) ?>" class="ch-toggle" type="checkbox" name="files[]" value="<?=htmlentities($file['path'])?>">
 							</div>
 						</div>
 						<div class="units-table-cell">
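Review bot: this line is only half converted: the id now uses `tohtml($i)` but the user-facing value on the same line still reads `value="<?=htmlentities($file['path'])?>"`. The PR's stated goal is to replace the scattered htmlentities/htmlspecialchars calls with the shared helper, so change this to `tohtml($file['path'])` while the line is being edited.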
@@ -90,35 +90,35 @@
 								<?php if($file['type'] == 'dir'){
 									if(str_starts_with($file['path'], '/home/'.$user_plain.'/conf')){
 								?>
-								<b><i class="fas fa-folder icon-dim u-mr5"></i><?=$file['name']?></b>
+								<b><i class="fas fa-folder icon-dim u-mr5"></i><?= tohtml($file['name']) ?></b>
 								<?php
 									}else{
 									?>
-										<b><a href="/list/backup/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&browse=yes&folder=<?=htmlentities($file['path'])?>&token=<?=$_SESSION["token"]?>"><i class="fas fa-folder icon-dim u-mr5"></i><?=$file['name']?></a></b>
+											<b><a href="/list/backup/incremental/?<?= tohtml(http_build_query(["snapshot" => $_GET["snapshot"], "browse" => "yes", "folder" => $file["path"], "token" => $_SESSION["token"]])) ?>"><i class="fas fa-folder icon-dim u-mr5"></i><?= tohtml($file['name']) ?></a></b>
 									<?php
 									}
 								}else{
 									?>
-										<b><i class="fas fa-file icon-dim u-mr5"></i><?=$file['name']?></b>
+										<b><i class="fas fa-file icon-dim u-mr5"></i><?= tohtml($file['name']) ?></b>
 									<?php
 								}?>
 							</div>
 						</div>
 						<div class="units-table-cell">
-							<a href="/schedule/restore/incremental/?snapshot=<?= htmlentities($_GET["snapshot"]) ?>&type=file&object=<?=htmlentities($file['path'])?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Restore") ?>">
+							<a href="/schedule/restore/incremental/?<?= tohtml(http_build_query(["snapshot" => $_GET["snapshot"], "type" => "file", "object" => $file["path"], "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Restore")) ?>">
 								<i class="fas fa-arrow-rotate-left icon-green icon-dim u-mr5"></i>
 							</a>
 						</div>
 						<div class="units-table-cell">
-							<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
+							<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
 							<span class="u-text-bold">
-								<?=getTransByType($file['type']);?>
+								<?= tohtml(getTransByType($file['type'])) ?>
 							</span>
 						</div>
 						<div class="units-table-cell">
-							<span class="u-hide-desktop u-text-bold"><?= _("Date / Time") ?>:</span>
+							<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Date / Time")) ?>:</span>
 							<span class="u-text-bold">
-								<?=convert_datetime($file['ctime'], 'Y-m-d  H:i:s');?>
+								<?= tohtml(convert_datetime($file['ctime'], 'Y-m-d  H:i:s')) ?>
 							</span>
 						</div>
 					</div>

+ 70 - 70
web/templates/pages/list_firewall.php

@@ -3,52 +3,52 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/add/firewall/" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Add Rule") ?>
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Rule")) ?>
 			</a>
 			<?php if (!empty($_SESSION["FIREWALL_EXTENSION"])): ?>
 				<a class="button button-secondary" href="/list/firewall/banlist/">
-					<i class="fas fa-eye icon-red"></i><?= _("Banned IP Addresses") ?>
+					<i class="fas fa-eye icon-red"></i><?= tohtml( _("Banned IP Addresses")) ?>
 				</a>
 			<?php endif; ?>
 			<a class="button button-secondary" href="/list/firewall/ipset/">
-				<i class="fas fa-list icon-blue"></i><?= _("IPset IP Lists") ?>
+				<i class="fas fa-list icon-blue"></i><?= tohtml( _("IPset IP Lists")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
-						<?= _("Action") ?> <i class="fas fa-arrow-up-a-z"></i>
+						<?= tohtml( _("Action")) ?> <i class="fas fa-arrow-up-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-action">
-						<span class="name"><?= _("Action") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up active"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Action")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up active"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-protocol">
-						<span class="name"><?= _("Protocol") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Protocol")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-port">
-						<span class="name"><?= _("Port") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Port")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-ip" data-sort-as-int="1">
-						<span class="name"><?= _("IP Address") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("IP Address")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-comment">
-						<span class="name"><?= _("Comment") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Comment")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<form x-data x-bind="BulkEdit" action="/bulk/firewall/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="delete"><?= _("Delete") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="delete"><?= tohtml( _("Delete")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
@@ -60,21 +60,21 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Firewall Rules") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Firewall Rules")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("Pos") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Pos")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell"><?= _("Action") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Action")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell"><?= _("Comment") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Protocol") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Port") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("IP Address") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Comment")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Protocol")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Port")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("IP Address")) ?></div>
 		</div>
 
 		<!-- Begin firewall chain/action list item loop -->
@@ -107,24 +107,24 @@
 				}
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-sort-action="<?= $data[$key]['ACTION'] ?>"
-				data-sort-protocol="<?= $data[$key]['PROTOCOL'] ?>"
-				data-sort-port="<?= $data[$key]['PORT'] ?>"
-				data-sort-ip="<?= str_replace('.', '', $data[$key]['IP']) ?>"
-				data-sort-comment="<?= $data[$key]['COMMENT'] ?>">
+				data-sort-action="<?= tohtml($data[$key]['ACTION']) ?>"
+				data-sort-protocol="<?= tohtml($data[$key]['PROTOCOL']) ?>"
+				data-sort-port="<?= tohtml($data[$key]['PORT']) ?>"
+				data-sort-ip="<?= tohtml(str_replace('.', '', $data[$key]['IP'])) ?>"
+				data-sort-comment="<?= tohtml($data[$key]['COMMENT']) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="rule[]" value="<?= $key ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="rule[]" value="<?= tohtml($key) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Position") ?>:</span>
-					<a href="/edit/firewall/?rule=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Edit Firewall Rule") ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Position")) ?>:</span>
+					<a href="/edit/firewall/?<?= tohtml(http_build_query(["rule" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Edit Firewall Rule")) ?>">
 						<?php
 							$rule = $key;
 						?>
-						<?= $rule ?>
+						<?= tohtml($rule) ?>
 					</a>
 				</div>
 				<div class="units-table-cell" style="padding-left: 0;padding-right: 0;">
@@ -132,39 +132,39 @@
 						<li class="units-table-row-action shortcut-up" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								style="<?= $move_up_enabled ? "display:block!important" : "display:none!important" ?>"
-								href="/move/firewall/?rule=<?= $key ?>&direction=up&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Move Firewall Rule Up") ?>"
-								data-confirm-title="<?= _("Move Up") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to move rule #%s up?"), $key) ?>">
+								style="<?= tohtml($move_up_enabled ? "display:block!important" : "display:none!important") ?>"
+								href="/move/firewall/?<?= tohtml(http_build_query(["rule" => $key, "direction" => 'up', "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Move Firewall Rule Up")) ?>"
+								data-confirm-title="<?= tohtml( _("Move Up")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to move rule #%s up?"), $key)) ?>">
 								<i class="fas fa-arrow-up icon-blue"></i>
-								<span class="u-hide-desktop"><?= _("Move Firewall Rule Up") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Move Firewall Rule Up")) ?></span>
 							</a>
 						</li>
 						<li class="units-table-row-action shortcut-down" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								style="<?= $move_down_enabled ? "" : "display:block!important" ?>"
-								href="/move/firewall/?rule=<?= $key ?>&direction=down&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Move Firewall Rule Down") ?>"
-								data-confirm-title="<?= _("Move Down") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to move rule #%s down?"), $key) ?>">
+								style="<?= tohtml($move_down_enabled ? "" : "display:block!important") ?>"
+								href="/move/firewall/?<?= tohtml(http_build_query(["rule" => $key, "direction" => 'down', "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Move Firewall Rule Down")) ?>"
+								data-confirm-title="<?= tohtml( _("Move Down")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to move rule #%s down?"), $key)) ?>">
 								<i class="fas fa-arrow-down icon-blue"></i>
-								<span class="u-hide-desktop"><?= _("Move Firewall Rule Down") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Move Firewall Rule Down")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Action") ?>:</span>
-					<a href="/edit/firewall/?rule=<?= $key ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Edit Firewall Rule") ?>">
+					<span class="u-hide-desktop"><?= tohtml( _("Action")) ?>:</span>
+					<a href="/edit/firewall/?<?= tohtml(http_build_query(["rule" => $key, "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Edit Firewall Rule")) ?>">
 						<?php
 							$suspended = $data[$key]["SUSPENDED"] == "no";
 							$action = $data[$key]["ACTION"];
 							$iconClass = $action == "DROP" ? "fa-circle-minus" : "fa-circle-check";
 							$colorClass = $action == "DROP" ? "icon-red" : "icon-green";
 						?>
-						<i class="fas <?= $iconClass ?> u-mr5 <?= $suspended ? $colorClass : "" ?>"></i> <?= $action ?>
+						<i class="fas <?= tohtml($iconClass) ?> u-mr5 <?= tohtml($suspended ? $colorClass : "") ?>"></i> <?= tohtml($action) ?>
 					</a>
 				</div>
 				<div class="units-table-cell">
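Review bot: the move-down style logic looks inverted relative to move-up. The up link uses `$move_up_enabled ? "display:block!important" : "display:none!important"`, but the down link reads `$move_down_enabled ? "" : "display:block!important"`, which forces the control visible precisely when moving down is disabled. This predates the escaping change, but since the line is being rewritten it should probably become `$move_down_enabled ? "display:block!important" : "display:none!important"` to match.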
@@ -172,54 +172,54 @@
 						<li class="units-table-row-action shortcut-enter" data-key-action="href">
 							<a
 								class="units-table-row-action-link"
-								href="/edit/firewall/?rule=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Edit Firewall Rule") ?>"
+								href="/edit/firewall/?<?= tohtml(http_build_query(["rule" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Edit Firewall Rule")) ?>"
 							>
 								<i class="fas fa-pencil icon-orange"></i>
-								<span class="u-hide-desktop"><?= _("Edit Firewall Rule") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Edit Firewall Rule")) ?></span>
 							</a>
 						</li>
 						<li class="units-table-row-action shortcut-s" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/<?= $spnd_action ?>/firewall/?rule=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= $spnd_action_title ?>"
-								data-confirm-title="<?= $spnd_action_title ?>"
-								data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+								href="/<?= tohtml($spnd_action) ?>/firewall/?<?= tohtml(http_build_query(["rule" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml($spnd_action_title) ?>"
+								data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+								data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 							>
-								<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-								<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+								<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+								<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 							</a>
 						</li>
 						<li class="units-table-row-action shortcut-delete" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/delete/firewall/?rule=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Delete") ?>"
-								data-confirm-title="<?= _("Delete") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to delete rule #%s?"), $key) ?>"
+								href="/delete/firewall/?<?= tohtml(http_build_query(["rule" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete rule #%s?"), $key)) ?>"
 							>
 								<i class="fas fa-trash icon-red"></i>
-								<span class="u-hide-desktop"><?= _("Delete") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Comment") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Comment")) ?>:</span>
 					<?php if (!empty($data[$key]['COMMENT'])) { echo $data[$key]['COMMENT']; } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Protocol") ?>:</span>
-					<?= _($data[$key]["PROTOCOL"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Protocol")) ?>:</span>
+					<?= tohtml( _($data[$key]["PROTOCOL"])) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Port") ?>:</span>
-					<?= $data[$key]["PORT"] ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Port")) ?>:</span>
+					<?= tohtml($data[$key]["PORT"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("IP Address") ?>:</span>
-					<?= $data[$key]["IP"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("IP Address")) ?>:</span>
+					<?= tohtml($data[$key]["IP"]) ?>
 				</div>
 			</div>
 		<?php } ?>
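Review bot: the rule comment is still printed raw in the context line `<?php if (!empty($data[$key]['COMMENT'])) { echo $data[$key]['COMMENT']; } ?>`, even though the same value is now escaped a few lines above in `data-sort-comment="<?= tohtml($data[$key]['COMMENT']) ?>"`. The comment is free text entered when the rule is created, so this is the one output in the row that most needs the helper; change it to `echo tohtml($data[$key]['COMMENT']);`.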

+ 27 - 27
web/templates/pages/list_firewall_banlist.php

@@ -3,20 +3,20 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/firewall/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/add/firewall/banlist/" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Ban IP Address") ?>
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Ban IP Address")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<form x-data x-bind="BulkEdit" action="/bulk/firewall/banlist/" method="post">
-				<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+				<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 				<select class="form-select" name="action">
-					<option value=""><?= _("Apply to selected") ?></option>
-					<option value="delete"><?= _("Delete") ?></option>
+					<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+					<option value="delete"><?= tohtml( _("Delete")) ?></option>
 				</select>
-				<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+				<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 					<i class="fas fa-arrow-right"></i>
 				</button>
 			</form>
@@ -27,18 +27,18 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Banned IP Addresses") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Banned IP Addresses")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("IP Address") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("IP Address")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Time") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Chain") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Time")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Chain")) ?></div>
 		</div>
 
 		<!-- Begin banned IP address list item loop -->
@@ -50,41 +50,41 @@
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="ipchain[]" value="<?= $ip . ":" . $value["CHAIN"] ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="ipchain[]" value="<?= tohtml($ip . ":" . $value["CHAIN"]) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("IP Address") ?>:</span>
-					<?= $ip ?>
+					<span class="u-hide-desktop"><?= tohtml( _("IP Address")) ?>:</span>
+					<?= tohtml($ip) ?>
 				</div>
 				<div class="units-table-cell">
 					<ul class="units-table-row-actions">
 						<li class="units-table-row-action shortcut-delete" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/delete/firewall/banlist/?ip=<?= $ip ?>&chain=<?= $value["CHAIN"] ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Delete") ?>"
-								data-confirm-title="<?= _("Delete") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to delete IP address %s?"), $key) ?>"
+								href="/delete/firewall/banlist/?<?= tohtml(http_build_query(["ip" => $ip, "chain" => $value["CHAIN"], "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete IP address %s?"), $key)) ?>"
 							>
 								<i class="fas fa-trash icon-red"></i>
-								<span class="u-hide-desktop"><?= _("Delete") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Date") ?>:</span>
-					<time datetime="<?= _($data[$key]["DATE"]) ?>"><?= _($data[$key]["DATE"]) ?></time>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Date")) ?>:</span>
+					<time datetime="<?= tohtml( _($data[$key]["DATE"])) ?>"><?= tohtml( _($data[$key]["DATE"])) ?></time>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Time") ?>:</span>
-					<?= $data[$key]["TIME"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Time")) ?>:</span>
+					<?= tohtml($data[$key]["TIME"]) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Chain") ?>:</span>
-					<?= _($value["CHAIN"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Chain")) ?>:</span>
+					<?= tohtml( _($value["CHAIN"])) ?>
 				</div>
 			</div>
 		<?php } ?>
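Review bot: the delete link's `data-confirm-message` formats `$key` while the `href`, the checkbox value and the displayed address all use `$ip` (`"ip" => $ip`, `<?= tohtml($ip) ?>`). If `$key` is the array index rather than the address, the dialog names a different value than the one the link deletes; pass `$ip` to the `sprintf()` so the two agree. Separately, `datetime="<?= tohtml( _($data[$key]["DATE"])) ?>"` runs the date through gettext before escaping; the `datetime` attribute is machine-readable and should carry the stored value as-is, with `_()` applied only to the visible text if at all.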

+ 31 - 31
web/templates/pages/list_firewall_ipset.php

@@ -3,20 +3,20 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/firewall/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/add/firewall/ipset/" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Add IP list") ?>
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add IP list")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<form x-data x-bind="BulkEdit" action="/bulk/firewall/ipset/" method="post">
-				<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+				<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 				<select class="form-select" name="action">
-					<option value=""><?= _("Apply to selected") ?></option>
-					<option value="delete"><?= _("Delete") ?></option>
+					<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+					<option value="delete"><?= tohtml( _("Delete")) ?></option>
 				</select>
-				<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+				<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 					<i class="fas fa-arrow-right"></i>
 				</button>
 			</form>
@@ -27,19 +27,19 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("IPset IP Lists") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("IPset IP Lists")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("IP List Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("IP List Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Auto Update") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("IP Version") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Time") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Auto Update")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("IP Version")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Time")) ?></div>
 		</div>
 
 		<!-- Begin firewall IP address list item loop -->
@@ -51,49 +51,49 @@
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="setname[]" value="<?= $listname ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="setname[]" value="<?= tohtml($listname) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("IP List Name") ?>:</span>
-					<?= $listname ?>
+					<span class="u-hide-desktop"><?= tohtml( _("IP List Name")) ?>:</span>
+					<?= tohtml($listname) ?>
 				</div>
 				<div class="units-table-cell">
 					<ul class="units-table-row-actions">
 						<li class="units-table-row-action shortcut-delete" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/delete/firewall/ipset/?listname=<?= $listname ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Delete") ?>"
-								data-confirm-title="<?= _("Delete") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to delete IP list %s?"), $key) ?>"
+								href="/delete/firewall/ipset/?<?= tohtml(http_build_query(["listname" => $listname, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete IP list %s?"), $key)) ?>"
 							>
 								<i class="fas fa-trash icon-red"></i>
-								<span class="u-hide-desktop"><?= _("Delete") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Auto Update") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Auto Update")) ?>:</span>
 					<?php if ($data[$key]["AUTOUPDATE"] == "no") { ?>
-						<i class="fas fa-circle-xmark icon-red" title="<?= _("Disabled") ?>"></i>
+						<i class="fas fa-circle-xmark icon-red" title="<?= tohtml( _("Disabled")) ?>"></i>
 					<?php } else { ?>
-						<i class="fas fa-circle-check icon-green" title="<?= _("Enabled") ?>"></i>
+						<i class="fas fa-circle-check icon-green" title="<?= tohtml( _("Enabled")) ?>"></i>
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("IP Version") ?>:</span>
-					<?= _($data[$key]["IP_VERSION"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("IP Version")) ?>:</span>
+					<?= tohtml( _($data[$key]["IP_VERSION"])) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Date") ?>:</span>
-					<time datetime="<?= _($data[$key]["DATE"]) ?>"><?= _($data[$key]["DATE"]) ?></time>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Date")) ?>:</span>
+					<time datetime="<?= tohtml( _($data[$key]["DATE"])) ?>"><?= tohtml( _($data[$key]["DATE"])) ?></time>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Time") ?>:</span>
-					<?= $data[$key]["TIME"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Time")) ?>:</span>
+					<?= tohtml($data[$key]["TIME"]) ?>
 				</div>
 			</div>
 		<?php } ?>
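Review bot: `data-confirm-message` on the delete link formats `$key`, whereas the `href` and the row display use `$listname` (`"listname" => $listname`, `<?= tohtml($listname) ?>`); format `$listname` in the `sprintf()` so the confirmation names the list the link actually removes. The `<time datetime="<?= tohtml( _($data[$key]["DATE"])) ?>">` attribute also passes a date through gettext; keep `datetime` as the raw stored value and translate only the element's text content, if that is needed at all.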

+ 53 - 53
web/templates/pages/list_ip.php

@@ -3,48 +3,48 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/edit/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/add/ip/" class="button button-secondary js-button-create">
-				<i class="fas fa-circle-plus icon-green"></i><?= _("Add IP Address") ?>
+				<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add IP Address")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
-						<?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-ip">
-						<span class="name"><?= _("IP Address") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("IP Address")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-netmask">
-						<span class="name"><?= _("Netmask") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Netmask")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-interface">
-						<span class="name"><?= _("Interface") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Interface")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-domains" data-sort-as-int="1">
-						<span class="name"><?= _("Domains") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Domains")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-owner">
-						<span class="name"><?= _("Owner") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Owner")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<form x-data x-bind="BulkEdit" action="/bulk/ip/" method="post">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="action">
-						<option value=""><?= _("Apply to selected") ?></option>
-						<option value="reread IP"><?= _("Refresh IP Addresses") ?></option>
-						<option value="delete"><?= _("Delete") ?></option>
+						<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+						<option value="reread IP"><?= tohtml( _("Refresh IP Addresses")) ?></option>
+						<option value="delete"><?= tohtml( _("Delete")) ?></option>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
@@ -56,20 +56,20 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("IP Addresses") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("IP Addresses")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("IP Address") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("IP Address")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Netmask") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Interface") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Status") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Domains") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Owner") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Netmask")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Interface")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Status")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Domains")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Owner")) ?></div>
 		</div>
 
 		<!-- Begin IP address list item loop -->
@@ -78,22 +78,22 @@
 				++$i;
 			?>
 			<div class="units-table-row js-unit"
-				data-sort-ip="<?= str_replace(".", "", $key) ?>"
-				data-sort-date="<?= strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"]) ?>"
-				data-sort-netmask="<?= str_replace(".", "", $data[$key]["NETMASK"]) ?>"
-				data-sort-interface="<?= $data[$key]["INTERFACE"] ?>"
-				data-sort-domains="<?= $data[$key]["U_WEB_DOMAINS"] ?>"
-				data-sort-owner="<?= $data[$key]["OWNER"] ?>">
+				data-sort-ip="<?= tohtml(str_replace(".", "", $key)) ?>"
+				data-sort-date="<?= tohtml(strtotime($data[$key]["DATE"] . " " . $data[$key]["TIME"])) ?>"
+				data-sort-netmask="<?= tohtml(str_replace(".", "", $data[$key]["NETMASK"])) ?>"
+				data-sort-interface="<?= tohtml($data[$key]["INTERFACE"]) ?>"
+				data-sort-domains="<?= tohtml($data[$key]["U_WEB_DOMAINS"]) ?>"
+				data-sort-owner="<?= tohtml($data[$key]["OWNER"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="ip[]" value="<?= $key ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="ip[]" value="<?= tohtml($key) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("IP Address") ?>:</span>
-					<a href="/edit/ip/?ip=<?= $key ?>&token=<?= $_SESSION['token'] ?>" title="<?= _("Edit IP Address") ?>">
-						<?= $key ?> <?php if (!empty($data[$key]['NAT'])) echo ' → ' . $data[$key]['NAT'] . ''; ?>
+					<span class="u-hide-desktop"><?= tohtml( _("IP Address")) ?>:</span>
+					<a href="/edit/ip/?<?= tohtml(http_build_query(["ip" => $key, "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("Edit IP Address")) ?>">
+						<?= tohtml($key) ?> <?php if (!empty($data[$key]['NAT'])) echo ' → ' . $data[$key]['NAT'] . ''; ?>
 					</a>
 				</div>
 				<div class="units-table-cell">
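Review bot: the NAT suffix on the IP link is still concatenated raw: `echo ' → ' . $data[$key]['NAT'] . '';` sits on the same line as the newly escaped `<?= tohtml($key) ?>`, so the one field on this row that is not escaped is the one that is not a validated key. Change it to `echo ' → ' . tohtml($data[$key]['NAT']);` and drop the empty trailing `. ''`. Also note `data-sort-date="<?= tohtml(strtotime(...)) ?>"`: `strtotime()` returns `false` for an unparsable DATE/TIME pair, which `tohtml()` will render as an empty attribute and the client-side integer sort will then misplace silently; casting to `(int)` or skipping the attribute on failure makes the failure mode explicit.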
@@ -101,46 +101,46 @@
 						<li class="units-table-row-action shortcut-enter" data-key-action="href">
 							<a
 								class="units-table-row-action-link"
-								href="/edit/ip/?ip=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Edit IP Address") ?>"
+								href="/edit/ip/?<?= tohtml(http_build_query(["ip" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Edit IP Address")) ?>"
 							>
 								<i class="fas fa-pencil icon-orange"></i>
-								<span class="u-hide-desktop"><?= _("Edit IP Address") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Edit IP Address")) ?></span>
 							</a>
 						</li>
 						<li class="units-table-row-action shortcut-delete" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/delete/ip/?ip=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Delete") ?>"
-								data-confirm-title="<?= _("Delete") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to delete IP address %s?"), $key) ?>"
+								href="/delete/ip/?<?= tohtml(http_build_query(["ip" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete IP address %s?"), $key)) ?>"
 							>
 								<i class="fas fa-trash icon-red"></i>
-								<span class="u-hide-desktop"><?= _("Delete") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Netmask") ?>:</span>
-					<?= $data[$key]["NETMASK"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Netmask")) ?>:</span>
+					<?= tohtml($data[$key]["NETMASK"]) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Interface") ?>:</span>
-					<?= $data[$key]["INTERFACE"] ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Interface")) ?>:</span>
+					<?= tohtml($data[$key]["INTERFACE"]) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Status") ?>:</span>
-					<?= _($data[$key]["STATUS"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Status")) ?>:</span>
+					<?= tohtml( _($data[$key]["STATUS"])) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Domains") ?>:</span>
-					<?= $data[$key]["U_WEB_DOMAINS"] ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Domains")) ?>:</span>
+					<?= tohtml($data[$key]["U_WEB_DOMAINS"]) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Owner") ?>:</span>
-					<?= $data[$key]["OWNER"] ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Owner")) ?>:</span>
+					<?= tohtml($data[$key]["OWNER"]) ?>
 				</div>
 			</div>
 		<?php } ?>

+ 20 - 20
web/templates/pages/list_key.php

@@ -3,22 +3,22 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION['look'] !== '' && $_GET["user"] !== $_SESSION['ROOT_USER']) { ?>
-				<a href="/edit/user/?user=<?= htmlentities($_SESSION["look"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a href="/edit/user/?<?= tohtml(http_build_query(["user" => $_SESSION["look"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } else { ?>
-				<a href="/edit/user/?user=<?= htmlentities($_SESSION["user"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a href="/edit/user/?<?= tohtml(http_build_query(["user" => $_SESSION["user"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } ?>
 
 			<?php if ($_SESSION["userContext"] === "admin" && isset($_GET["user"]) && $_GET["user"] !== "admin") { ?>
-				<a href="/add/key/?user=<?= htmlentities($_GET["user"]) ?>" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add SSH Key") ?>
+				<a href="/add/key/?<?= tohtml(http_build_query(["user" => $_GET["user"]])) ?>" class="button button-secondary js-button-create">
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add SSH Key")) ?>
 				</a>
 			<?php } else { ?>
 				<a href="/add/key/" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add SSH Key") ?>
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add SSH Key")) ?>
 				</a>
 			<?php } ?>
 		</div>
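Review bot: the first condition reads `$_GET["user"]` without an `isset()` guard (`$_GET["user"] !== $_SESSION['ROOT_USER']`) while the second branch guards it (`isset($_GET["user"]) && $_GET["user"] !== "admin"`); a request without `?user=` emits an undefined-index warning from the first line. The two branches also disagree on what the protected account is called, `$_SESSION['ROOT_USER']` in one and the literal `"admin"` in the other; pick one and use it in both places.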
@@ -28,13 +28,13 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("SSH Keys") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("SSH Keys")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
-			<div class="units-table-cell"><?= _("SSH ID") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("SSH ID")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell"><?= _("SSH Key") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("SSH Key")) ?></div>
 		</div>
 
 		<!-- Begin SSH key list item loop -->
@@ -45,9 +45,9 @@
 			?>
 			<div class="units-table-row js-unit" style="<?php if ($data[$key]['ID'] === 'filemanager.ssh.key') { echo 'display: none;'; } ?>">
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("SSH ID") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("SSH ID")) ?>:</span>
 					<span class="u-text-break">
-						<?= htmlspecialchars($data[$key]["ID"]) ?>
+						<?= tohtml($data[$key]["ID"]) ?>
 					</span>
 				</div>
 				<div class="units-table-cell">
@@ -56,24 +56,24 @@
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
 								<?php if ($_SESSION["userContext"] === "admin" && isset($_GET["user"]) && $_GET["user"] !== "admin") { ?>
-									href="/delete/key/?user=<?= htmlentities($_GET["user"]) ?>&key=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
+									href="/delete/key/?<?= tohtml(http_build_query(["user" => $_GET["user"], "key" => $key, "token" => $_SESSION["token"]])) ?>"
 								<?php } else { ?>
-									href="/delete/key/?key=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
+									href="/delete/key/?<?= tohtml(http_build_query(["key" => $key, "token" => $_SESSION["token"]])) ?>"
 								<?php } ?>
-								title="<?= _("Delete") ?>"
-								data-confirm-title="<?= _("Delete") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to delete SSH key %s?"), $key) ?>"
+								title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-title="<?= tohtml( _("Delete")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete SSH key %s?"), $key)) ?>"
 							>
 								<i class="fas fa-trash icon-red"></i>
-								<span class="u-hide-desktop"><?= _("Delete") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("SSH Key") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("SSH Key")) ?>:</span>
 					<span class="u-text-break">
-						<?= htmlspecialchars($data[$key]["KEY"], ENT_QUOTES) ?>
+						<?= tohtml($data[$key]["KEY"]) ?>
 					</span>
 				</div>
 			</div>

+ 34 - 34
web/templates/pages/list_log.php

@@ -4,20 +4,20 @@
 		<div class="toolbar-buttons">
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION["look"] === "admin") { ?>
 				<a href="/list/user/" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } elseif ($_SESSION["userContext"] === "admin" && htmlentities($_GET["user"]) === "system") { ?>
 				<a href="/list/server/" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } else { ?>
 				<?php if ($_SESSION["userContext"] === "admin" && $_SESSION['look'] !== '' && $_GET["user"] !== "admin") { ?>
-					<a href="/edit/user/?user=<?= htmlentities($_SESSION["look"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-						<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<a href="/edit/user/?<?= tohtml(http_build_query(["user" => $_SESSION["look"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+						<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 					</a>
 				<?php } else { ?>
-					<a href="/edit/user/?user=<?= htmlentities($_SESSION["user"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-						<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<a href="/edit/user/?<?= tohtml(http_build_query(["user" => $_SESSION["user"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+						<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 					</a>
 				<?php } ?>
 			<?php } ?>
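Review bot: `htmlentities($_GET["user"]) === "system"` compares an HTML-encoded value against a literal. It only works because "system" contains nothing that encodes, and it reads as if the encoding were a security check. This PR's own rule is to encode at the output site with `tohtml()`, so compare the raw value here, guarded with `isset()`, which the `$_GET["user"] !== "admin"` test a few lines down also lacks, and leave encoding to the `<?= tohtml(...) ?>` sites.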
@@ -25,25 +25,25 @@
 			if (($_SESSION['userContext'] === 'admin') && (htmlentities($_GET['user']) !== 'admin')) { ?>
 				<?php if (($_SESSION['userContext'] === 'admin') && ($_GET['user'] != '') && (htmlentities($_GET['user']) !== 'admin')) { ?>
 					<?php if (htmlentities($_GET['user']) !== 'system') { ?>
-						<a href="/list/log/auth/?user=<?= htmlentities($_GET['user']); ?>&token=<?= $_SESSION['token'] ?>" class="button button-secondary button-back js-button-back" title="<?= _("Login History") ?>">
-							<i class="fas fa-binoculars icon-green"></i><?= _("Login History") ?>
+						<a href="/list/log/auth/?<?= tohtml(http_build_query(["user" => $_GET['user'], "token" => $_SESSION['token']])) ?>" class="button button-secondary button-back js-button-back" title="<?= tohtml( _("Login History")) ?>">
+							<i class="fas fa-binoculars icon-green"></i><?= tohtml( _("Login History")) ?>
 						</a>
 					<?php } ?>
 				<?php } else { ?>
-					<a href="/list/log/auth/" class="button button-secondary button-back js-button-back" title="<?= _("Login History") ?>">
-						<i class="fas fa-binoculars icon-green"></i><?= _("Login History") ?>
+					<a href="/list/log/auth/" class="button button-secondary button-back js-button-back" title="<?= tohtml( _("Login History")) ?>">
+						<i class="fas fa-binoculars icon-green"></i><?= tohtml( _("Login History")) ?>
 					</a>
 				<?php } ?>
 			<?php } ?>
 			<?php if ($_SESSION["userContext"] === "user") { ?>
-				<a href="/list/log/auth/" class="button button-secondary button-back js-button-back" title="<?= _("Login History") ?>">
-					<i class="fas fa-binoculars icon-green"></i><?= _("Login History") ?>
+				<a href="/list/log/auth/" class="button button-secondary button-back js-button-back" title="<?= tohtml( _("Login History")) ?>">
+					<i class="fas fa-binoculars icon-green"></i><?= tohtml( _("Login History")) ?>
 				</a>
 			<?php }
 			} ?>
 		</div>
 		<div class="toolbar-buttons">
-			<a href="javascript:location.reload();" class="button button-secondary"><i class="fas fa-arrow-rotate-right icon-green"></i><?= _("Refresh") ?></a>
+			<a href="javascript:location.reload();" class="button button-secondary"><i class="fas fa-arrow-rotate-right icon-green"></i><?= tohtml( _("Refresh")) ?></a>
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION["look"] === "admin" && $_SESSION["POLICY_SYSTEM_PROTECTED_ADMIN"] === "yes") { ?>
 				<!-- Hide delete buttons-->
 			<?php } else { ?>
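Review bot: the three guards at the top of this hunk still compare `htmlentities($_GET['user'])` against the literals 'admin' and 'system', and the first one reads `$_GET['user']` without an isset or empty check, so a request without `user` raises an undefined-key warning on PHP 8. Running an HTML encoder on a value only to compare it is a leftover of the escape-on-read pattern this PR is moving away from; read and compare the raw value once, e.g. `$user = $_GET['user'] ?? ''; if ($user !== 'admin' && $user !== 'system')`, and keep escaping at the output sites as the new href line already does.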
@@ -51,14 +51,14 @@
 					<a
 						class="button button-secondary button-danger data-controls js-confirm-action"
 						<?php if ($_SESSION["userContext"] === "admin" && isset($_GET["user"])) { ?>
-							href="/delete/log/?user=<?= htmlentities($_GET["user"]) ?>&token=<?= $_SESSION["token"] ?>"
+							href="/delete/log/?<?= tohtml(http_build_query(["user" => $_GET["user"], "token" => $_SESSION["token"]])) ?>"
 						<?php } else { ?>
-							href="/delete/log/?token=<?= $_SESSION["token"] ?>"
+							href="/delete/log/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>"
 						<?php } ?>
-						data-confirm-title="<?= _("Delete") ?>"
-						data-confirm-message="<?= _("Are you sure you want to delete the logs?") ?>"
+						data-confirm-title="<?= tohtml( _("Delete")) ?>"
+						data-confirm-message="<?= tohtml( _("Are you sure you want to delete the logs?")) ?>"
 					>
-						<i class="fas fa-circle-xmark icon-red"></i><?= _("Delete") ?>
+						<i class="fas fa-circle-xmark icon-red"></i><?= tohtml( _("Delete")) ?>
 					</a>
 				<?php } ?>
 			<?php } ?>
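Review bot: the guard `isset($_GET["user"])` on the delete link means `?user=` with an empty value still produces `/delete/log/?user=&token=...`, whereas the Login History block above treats an empty user as "no user". What /delete/log/ does with an empty `user` is not visible here; align the two checks (`!empty($_GET["user"])` or the `?? ''` form) so the two code paths agree on what an empty parameter means. Separately from escaping: this is a state-changing GET that carries the CSRF token in the query string, so the token lands in browser history and access logs; the js-confirm-action dialog covers accidental clicks, but a POST form would be the stronger shape for a delete.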
@@ -69,15 +69,15 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Logs") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Logs")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell"><?= _("Date") ?></div>
-			<div class="units-table-cell"><?= _("Time") ?></div>
-			<div class="units-table-cell"><?= _("Category") ?></div>
-			<div class="units-table-cell"><?= _("Message") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Time")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Category")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Message")) ?></div>
 		</div>
 
 		<!-- Begin log history entry loop -->
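Review bot: wrapping every `_()` string in tohtml() is the right default, but it changes behaviour for any translation that currently carries markup (a `<strong>` or `<br>` in a .po msgstr now renders as literal text). Before merging, grep the locale catalogues for `<` in msgstr values and either strip the markup there or leave those specific call sites unescaped with a comment saying why; otherwise this hunk is a silent visual regression for some languages.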
@@ -100,29 +100,29 @@
 			?>
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell u-text-center-desktop">
-					<i class="fas <?= $level_icon ?>" title="<?= $level_title ?>"></i>
+					<i class="fas <?= tohtml($level_icon) ?>" title="<?= tohtml($level_title) ?>"></i>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Date") ?>:</span>
-					<time datetime="<?= htmlspecialchars($data[$key]["DATE"]) ?>" class="u-text-no-wrap">
-						<?= translate_date($data[$key]["DATE"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Date")) ?>:</span>
+					<time datetime="<?= tohtml($data[$key]["DATE"]) ?>" class="u-text-no-wrap">
+						<?= tohtml(translate_date($data[$key]["DATE"])) ?>
 					</time>
 				</div>
 				<div class="units-table-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Time") ?>:</span>
-					<time datetime="<?= htmlspecialchars($data[$key]["TIME"]) ?>">
-						<?= htmlspecialchars($data[$key]["TIME"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Time")) ?>:</span>
+					<time datetime="<?= tohtml($data[$key]["TIME"]) ?>">
+						<?= tohtml($data[$key]["TIME"]) ?>
 					</time>
 				</div>
 				<div class="units-table-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Category") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Category")) ?>:</span>
 					<span class="u-text-no-wrap">
-						<?= htmlspecialchars($data[$key]["CATEGORY"]) ?>
+						<?= tohtml($data[$key]["CATEGORY"]) ?>
 					</span>
 				</div>
 				<div class="units-table-cell">
-					<span class="u-hide-desktop u-text-bold"><?= _("Message") ?>:</span>
-					<?= htmlspecialchars($data[$key]["MESSAGE"], ENT_QUOTES) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Message")) ?>:</span>
+					<?= tohtml($data[$key]["MESSAGE"]) ?>
 				</div>
 			</div>
 		<?php } ?>
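Review bot: the MESSAGE cell previously passed ENT_QUOTES explicitly to htmlspecialchars(); the new tohtml() call relies on the helper's flags, which this diff does not show. Confirm tohtml() passes `ENT_QUOTES | ENT_SUBSTITUTE` and 'UTF-8' rather than PHP's default: below PHP 8.1 the default leaves single quotes unencoded, and without ENT_SUBSTITUTE a log message containing an invalid UTF-8 byte makes htmlspecialchars() return an empty string, blanking the cell. The same question applies to `tohtml(translate_date(...))`: correct if translate_date() returns plain text, double-encoded if it already escapes its output.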

+ 26 - 26
web/templates/pages/list_log_auth.php

@@ -3,17 +3,17 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($_SESSION["userContext"] === "admin" && isset($_GET["user"]) && htmlentities($_GET["user"]) !== "admin") { ?>
-				<a href="/list/log/?user=<?= htmlentities($_GET["user"]) ?>&token=<?= $_SESSION["token"] ?>" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<a href="/list/log/?<?= tohtml(http_build_query(["user" => $_GET["user"], "token" => $_SESSION["token"]])) ?>" class="button button-secondary button-back js-button-back">
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } else { ?>
 				<a href="/list/log/" class="button button-secondary button-back js-button-back">
-					<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+					<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-buttons">
-			<a href="javascript:location.reload();" class="button button-secondary"><i class="fas fa-arrow-rotate-right icon-green"></i><?= _("Refresh") ?></a>
+			<a href="javascript:location.reload();" class="button button-secondary"><i class="fas fa-arrow-rotate-right icon-green"></i><?= tohtml( _("Refresh")) ?></a>
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION["look"] === "admin" && $_SESSION["POLICY_SYSTEM_PROTECTED_ADMIN"] === "yes") { ?>
 				<!-- Hide delete buttons-->
 			<?php } else { ?>
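Review bot: `href="javascript:location.reload();"` on the Refresh button survives this hunk untouched. A javascript: URL is inline script, so it stops working the moment a Content-Security-Policy without 'unsafe-inline' is added, which is the natural next step after an escaping sweep like this one. A `<button type="button">` bound from the existing script bundle, or a plain link to the current URL, does the same job and keeps the templates CSP-ready. The same remark applies to the Refresh button in list_log.php above.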
@@ -21,14 +21,14 @@
 					<a
 						class="button button-secondary button-danger data-controls js-confirm-action"
 						<?php if ($_SESSION["userContext"] === "admin" && isset($_GET["user"])) { ?>
-							href="/delete/log/auth/?user=<?= htmlentities($_GET["user"]) ?>&token=<?= $_SESSION["token"] ?>"
+							href="/delete/log/auth/?<?= tohtml(http_build_query(["user" => $_GET["user"], "token" => $_SESSION["token"]])) ?>"
 						<?php } else { ?>
-							href="/delete/log/auth/?token=<?= $_SESSION["token"] ?>"
+							href="/delete/log/auth/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>"
 						<?php } ?>
-						data-confirm-title="<?= _("Delete") ?>"
-						data-confirm-message="<?= _("Are you sure you want to delete the logs?") ?>"
+						data-confirm-title="<?= tohtml( _("Delete")) ?>"
+						data-confirm-message="<?= tohtml( _("Are you sure you want to delete the logs?")) ?>"
 					>
-						<i class="fas fa-circle-xmark icon-red"></i><?= _("Delete") ?>
+						<i class="fas fa-circle-xmark icon-red"></i><?= tohtml( _("Delete")) ?>
 					</a>
 				<?php } ?>
 			<?php } ?>
@@ -39,15 +39,15 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Auth Log") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Auth Log")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
-			<div class="units-table-cell"><?= _("Status") ?></div>
-			<div class="units-table-cell"><?= _("Date") ?></div>
-			<div class="units-table-cell"><?= _("Time") ?></div>
-			<div class="units-table-cell"><?= _("IP Address") ?></div>
-			<div class="units-table-cell"><?= _("Browser") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Status")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Time")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("IP Address")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Browser")) ?></div>
 		</div>
 
 		<!-- Begin log history entry loop -->
@@ -72,27 +72,27 @@
 			?>
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell u-text-center-desktop">
-					<i class="fas <?= $status_icon ?> u-mr5" title="<?= $status_title ?>"></i>
+					<i class="fas <?= tohtml($status_icon) ?> u-mr5" title="<?= tohtml($status_title) ?>"></i>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Date") ?>:</span>
-					<time class="u-text-no-wrap" datetime="<?= htmlspecialchars($data[$key]["DATE"]) ?>">
-						<?= translate_date($data[$key]["DATE"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Date")) ?>:</span>
+					<time class="u-text-no-wrap" datetime="<?= tohtml($data[$key]["DATE"]) ?>">
+						<?= tohtml(translate_date($data[$key]["DATE"])) ?>
 					</time>
 				</div>
 				<div class="units-table-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Time") ?>:</span>
-					<time datetime="<?= htmlspecialchars($data[$key]["TIME"]) ?>">
-						<?= htmlspecialchars($data[$key]["TIME"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Time")) ?>:</span>
+					<time datetime="<?= tohtml($data[$key]["TIME"]) ?>">
+						<?= tohtml($data[$key]["TIME"]) ?>
 					</time>
 				</div>
 				<div class="units-table-cell">
-					<span class="u-hide-desktop u-text-bold"><?= _("IP Address") ?>:</span>
-					<?= htmlspecialchars($data[$key]["IP"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("IP Address")) ?>:</span>
+					<?= tohtml($data[$key]["IP"]) ?>
 				</div>
 				<div class="units-table-cell">
-					<span class="u-hide-desktop u-text-bold"><?= _("Browser") ?>:</span>
-					<?= htmlspecialchars($data[$key]["USER_AGENT"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Browser")) ?>:</span>
+					<?= tohtml($data[$key]["USER_AGENT"]) ?>
 				</div>
 			</div>
 		<?php } ?>
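Review bot: the IP and USER_AGENT cells are the one place in this PR where the value comes from an unauthenticated party (anyone who hits the login form chooses their User-Agent header), so this is the sink where a tohtml() regression would surface first. The escape itself here is correct; the ask is a unit test for tohtml() with a User-Agent-like string containing `<script>`, both quote kinds and an invalid UTF-8 byte, asserting that the output contains none of the raw characters and is not empty, so the helper's flags are locked down where they matter most.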

+ 72 - 72
web/templates/pages/list_mail_acc.php

@@ -9,51 +9,51 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/mail/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<?php if ($read_only !== "true") { ?>
-				<a href="/add/mail/?domain=<?= htmlentities($_GET["domain"]) ?>" class="button button-secondary js-button-create">
-					<i class="fas fa-circle-plus icon-green"></i><?= _("Add Mail Account") ?>
+				<a href="/add/mail/?<?= tohtml(http_build_query(["domain" => $_GET["domain"]])) ?>" class="button button-secondary js-button-create">
+					<i class="fas fa-circle-plus icon-green"></i><?= tohtml( _("Add Mail Account")) ?>
 				</a>
-				<a href="/edit/mail/?domain=<?= htmlentities($_GET["domain"]) ?>" class="button button-secondary js-button-create">
-					<i class="fas fa-pencil icon-blue"></i><?= _("Edit Mail Domain") ?>
+				<a href="/edit/mail/?<?= tohtml(http_build_query(["domain" => $_GET["domain"]])) ?>" class="button button-secondary js-button-create">
+					<i class="fas fa-pencil icon-blue"></i><?= tohtml( _("Edit Mail Domain")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
 						<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
-						<?= $label ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml($label) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-disk" data-sort-as-int="1">
-						<span class="name"><?= _("Disk") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Disk")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-quota" data-sort-as-int="1">
-						<span class="name"><?= _("Quota") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name"><?= tohtml( _("Quota")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<?php if ($read_only !== "true") { ?>
 					<form x-data x-bind="BulkEdit" action="/bulk/mail/" method="post">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-						<input type="hidden" value="<?= htmlspecialchars($_GET["domain"]) ?>" name="domain">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+						<input type="hidden" value="<?= tohtml($_GET["domain"]) ?>" name="domain">
 						<select class="form-select" name="action">
-							<option value=""><?= _("Apply to selected") ?></option>
-							<option value="suspend"><?= _("Suspend") ?></option>
-							<option value="unsuspend"><?= _("Unsuspend") ?></option>
-							<option value="delete"><?= _("Delete") ?></option>
+							<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+							<option value="suspend"><?= tohtml( _("Suspend")) ?></option>
+							<option value="unsuspend"><?= tohtml( _("Unsuspend")) ?></option>
+							<option value="delete"><?= tohtml( _("Delete")) ?></option>
 						</select>
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 							<i class="fas fa-arrow-right"></i>
 						</button>
 					</form>
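Review bot: `$_GET["domain"]` is read in two different ways in this hunk: through http_build_query() in the Add and Edit links, and through tohtml() in the hidden bulk-edit field. If a client sends `?domain[]=x`, http_build_query() silently emits `domain%5B0%5D=x` while tohtml() throws a TypeError on the array (the helper was changed to accept null, not arrays), so the page half-renders. Coerce and validate `domain` once at the top of the template, e.g. `$v_domain = is_string($_GET["domain"] ?? null) ? $_GET["domain"] : '';`, and use that variable everywhere below; it also removes the repeated `$_GET[...]` lookups.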
@@ -61,9 +61,9 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 			</div>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
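Review bot: besides the escaping, this line quietly fixes the `<? echo ... ?>` short open tag, which only rendered with short_open_tag=On; that deserves a line in the commit message. What remains odd is that the form is `method="get"` with action /search/ but the input is repopulated from `$_POST['q']`, so after a search the field is always empty. If /search/ reads the query from $_GET, change this to `$_GET['q'] ?? ''`; if it reads $_POST, the form method is the wrong one.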
@@ -75,20 +75,20 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Mail Accounts") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Mail Accounts")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>" <?= $display_mode ?>>
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>" <?= tohtml($display_mode) ?>>
 			</div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Disk") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Quota") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Aliases") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Forwarding") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Auto Reply") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Disk")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Quota")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Aliases")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Forwarding")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Auto Reply")) ?></div>
 		</div>
 
 		<!-- Begin mail account list item loop -->
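Review bot: `<?= tohtml($display_mode) ?>` sits in attribute position on the select-all checkbox, not inside a quoted value. That is only safe while $display_mode is a bare token such as `disabled` or an empty string (its assignment is above this hunk and not shown); if it is ever set to `disabled="disabled"`, tohtml() encodes the quotes and the attribute breaks. Prefer a boolean plus a literal, e.g. `<?= $read_only === "true" ? ' disabled' : '' ?>`, so the escaper never sees markup it is expected to pass through.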
@@ -154,23 +154,23 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 				}
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-sort-date="<?= strtotime($data[$key]['DATE'].' '.$data[$key]['TIME']) ?>"
-				data-sort-name="<?= $key ?>"
-				data-sort-disk="<?= $data[$key]["U_DISK"] ?>"
-				data-sort-quota="<?= $data[$key]["QUOTA"] ?>">
+				data-sort-date="<?= tohtml(strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])) ?>"
+				data-sort-name="<?= tohtml($key) ?>"
+				data-sort-disk="<?= tohtml($data[$key]["U_DISK"]) ?>"
+				data-sort-quota="<?= tohtml($data[$key]["QUOTA"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="account[]" value="<?= $key ?>" <?= $display_mode ?>>
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="account[]" value="<?= tohtml($key) ?>" <?= tohtml($display_mode) ?>>
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Name") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Name")) ?>:</span>
 					<?php if ($read_only === "true" || $data[$key]["SUSPENDED"] == "yes") { ?>
-						<?= $key . "@" . htmlentities($_GET["domain"]) ?>
+						<?= tohtml($key . "@" . $_GET["domain"]) ?>
 					<?php } else { ?>
-						<a href="/edit/mail/?domain=<?= htmlspecialchars($_GET['domain']) ?>&account=<?= $key ?>&token=<?= $_SESSION['token'] ?>" title="<?= _("Edit Mail Account") ?>: <?= $key ?>@<?= htmlspecialchars($_GET['domain']) ?>">
-							<?= $key."@".htmlentities($_GET['domain']); ?>
+						<a href="/edit/mail/?<?= tohtml(http_build_query(["domain" => $_GET['domain'], "account" => $key, "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("Edit Mail Account")) ?>: <?= tohtml($key) ?>@<?= tohtml($_GET['domain']) ?>">
+							<?= tohtml($key . "@" . $_GET['domain']) ?>
 						</a>
 					<?php } ?>
 				</div>
@@ -182,12 +182,12 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 								<li class="units-table-row-action" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="http://<?= $v_webmail_alias ?>.<?= htmlspecialchars($_GET["domain"]) ?>/?_user=<?= $key ?>@<?= htmlspecialchars($_GET["domain"]) ?>"
+										href="http://<?= tohtml($v_webmail_alias) ?>.<?= tohtml($_GET["domain"]) ?>/?<?= tohtml(http_build_query(["_user" => $key . '@' . $_GET["domain"]])) ?>"
 										target="_blank"
-										title="<?= _("Open Webmail") ?>"
+										title="<?= tohtml( _("Open Webmail")) ?>"
 									>
 										<i class="fas fa-envelope-open-text icon-maroon"></i>
-										<span class="u-hide-desktop"><?= _("Open Webmail") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Open Webmail")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
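Review bot: tohtml() is the right escaper for the href attribute, but in this link `$_GET["domain"]` also forms the hostname (`http://<alias>.<domain>/`), and HTML escaping does not constrain a hostname: a `domain` value containing `/`, `?` or `#` would produce a link to a different host or path. That is harmless only if the page has already checked `domain` against the user's own mail domains before rendering, which is not visible here; if it has not, validate it, or build the host from the server-side domain record rather than the query string. Also note the link is plain `http://`; fine if the webmail vhost redirects to TLS, otherwise the webmail session starts in clear text.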
@@ -198,12 +198,12 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 										<li class="units-table-row-action" data-key-action="href">
 											<a
 												class="units-table-row-action-link"
-												href="http://<?= $v_webmail_alias ?>.<?= htmlspecialchars($_GET["domain"]) ?>/?_user=<?= $key ?>@<?= htmlspecialchars($_GET["domain"]) ?>"
+												href="http://<?= tohtml($v_webmail_alias) ?>.<?= tohtml($_GET["domain"]) ?>/?<?= tohtml(http_build_query(["_user" => $key . '@' . $_GET["domain"]])) ?>"
 												target="_blank"
-												title="<?= _("Open Webmail") ?>"
+												title="<?= tohtml( _("Open Webmail")) ?>"
 											>
 												<i class="fas fa-envelope-open-text icon-maroon"></i>
-												<span class="u-hide-desktop"><?= _("Open Webmail") ?></span>
+												<span class="u-hide-desktop"><?= tohtml( _("Open Webmail")) ?></span>
 											</a>
 										</li>
 									<?php } ?>
@@ -211,70 +211,70 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 								<li class="units-table-row-action shortcut-enter" data-key-action="href">
 									<a
 										class="units-table-row-action-link"
-										href="/edit/mail/?domain=<?= htmlspecialchars($_GET["domain"]) ?>&account=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-										title="<?= _("Edit Mail Account") ?>"
+										href="/edit/mail/?<?= tohtml(http_build_query(["domain" => $_GET["domain"], "account" => $key, "token" => $_SESSION["token"]])) ?>"
+										title="<?= tohtml( _("Edit Mail Account")) ?>"
 									>
 										<i class="fas fa-pencil icon-orange"></i>
-										<span class="u-hide-desktop"><?= _("Edit Mail Account") ?></span>
+										<span class="u-hide-desktop"><?= tohtml( _("Edit Mail Account")) ?></span>
 									</a>
 								</li>
 							<?php } ?>
 							<li class="units-table-row-action shortcut-s" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/<?= $spnd_action ?>/mail/?domain=<?= htmlspecialchars($_GET["domain"]) ?>&account=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= $spnd_action_title ?>"
-									data-confirm-title="<?= $spnd_action_title ?>"
-									data-confirm-message="<?= sprintf($spnd_confirmation, $key) ?>"
+									href="/<?= tohtml($spnd_action) ?>/mail/?<?= tohtml(http_build_query(["domain" => $_GET["domain"], "account" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-title="<?= tohtml($spnd_action_title) ?>"
+									data-confirm-message="<?= tohtml(sprintf($spnd_confirmation, $key)) ?>"
 								>
-									<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-									<span class="u-hide-desktop"><?= $spnd_action_title ?></span>
+									<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+									<span class="u-hide-desktop"><?= tohtml($spnd_action_title) ?></span>
 								</a>
 							</li>
 							<li class="units-table-row-action shortcut-delete" data-key-action="js">
 								<a
 									class="units-table-row-action-link data-controls js-confirm-action"
-									href="/delete/mail/?domain=<?= htmlspecialchars($_GET["domain"]) ?>&account=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-									title="<?= _("Delete") ?>"
-									data-confirm-title="<?= _("Delete") ?>"
-									data-confirm-message="<?= sprintf(_("Are you sure you want to delete %s?"), $key) ?>"
+									href="/delete/mail/?<?= tohtml(http_build_query(["domain" => $_GET["domain"], "account" => $key, "token" => $_SESSION["token"]])) ?>"
+									title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-title="<?= tohtml( _("Delete")) ?>"
+									data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to delete %s?"), $key)) ?>"
 								>
 									<i class="fas fa-trash icon-red"></i>
-									<span class="u-hide-desktop"><?= _("Delete") ?></span>
+									<span class="u-hide-desktop"><?= tohtml( _("Delete")) ?></span>
 								</a>
 							</li>
 						<?php } ?>
 					</ul>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Disk") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Disk")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["U_DISK"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["U_DISK"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["U_DISK"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Quota") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Quota")) ?>:</span>
 					<span class="u-text-bold">
-						<?= humanize_usage_size($data[$key]["QUOTA"]) ?>
+						<?= tohtml(humanize_usage_size($data[$key]["QUOTA"])) ?>
 					</span>
 					<span class="u-text-small">
-						<?= humanize_usage_measure($data[$key]["QUOTA"]) ?>
+						<?= tohtml(humanize_usage_measure($data[$key]["QUOTA"])) ?>
 					</span>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Aliases") ?>:</span>
-					<i class="fas <?= $alias_icon ?>" title="<?= $alias_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Aliases")) ?>:</span>
+					<i class="fas <?= tohtml($alias_icon) ?>" title="<?= tohtml($alias_title) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Forwarding") ?>:</span>
-					<i class="fas <?= $fwd_icon ?>" title="<?= $fwd_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Forwarding")) ?>:</span>
+					<i class="fas <?= tohtml($fwd_icon) ?>" title="<?= tohtml($fwd_title) ?>"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Auto Reply") ?>:</span>
-					<i class="fas <?= $autoreply_icon ?>" title="<?= $autoreply_title ?>"></i>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Auto Reply")) ?>:</span>
+					<i class="fas <?= tohtml($autoreply_icon) ?>" title="<?= tohtml($autoreply_title) ?>"></i>
 				</div>
 			</div>
 		<?php } ?>
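Review bot: `sprintf($spnd_confirmation, $key)` and `sprintf(_("Are you sure ..."), $key)` are escaped after formatting, which is the correct order (escaping $key first would double-encode it if the translated template were later escaped). `tohtml($spnd_action)` in the URL path (`/<action>/mail/?...`) is a different context: HTML escaping is right for the attribute, but a path segment would also need rawurlencode(). Since $spnd_action is set from fixed action words above this hunk (presumably suspend/unsuspend, not shown), it is fine today; add a comment or an explicit `in_array($spnd_action, ['suspend', 'unsuspend'], true)` guard so it stays that way.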

+ 48 - 48
web/templates/pages/list_mail_dns.php

@@ -8,7 +8,7 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/mail/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right"></div>
@@ -17,146 +17,146 @@ if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("DNS Records") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("DNS Records")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
-			<div class="units-table-cell"><?= _("Record") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Priority") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("TTL") ?></div>
-			<div class="units-table-cell"><?= _("IP or Value") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Record")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Priority")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("TTL")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("IP or Value")) ?></div>
 		</div>
 
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
-				<label class="u-hide-desktop u-text-bold"><?= _("Record") ?>:</label>
-				<input type="text" class="form-control" value="mail.<?= htmlspecialchars($_GET["domain"]) ?>">
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("Record")) ?>:</label>
+				<input type="text" class="form-control" value="mail.<?= tohtml($_GET["domain"]) ?>">
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 				A
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Priority") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Priority")) ?>:</span>
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("TTL") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("TTL")) ?>:</span>
 				14400
 			</div>
 			<div class="units-table-cell u-text-center-desktop">
-				<label class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</label>
-				<input type="text" class="form-control" value="<?= empty($ips[array_key_first($ips)]["NAT"]) ? array_key_first($ips) : $ips[array_key_first($ips)]["NAT"] ?>">
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</label>
+				<input type="text" class="form-control" value="<?= tohtml(empty($ips[array_key_first($ips)]["NAT"]) ? array_key_first($ips) : $ips[array_key_first($ips)]["NAT"]) ?>">
 			</div>
 		</div>
 		<?php if ($_SESSION["WEBMAIL_SYSTEM"]) { ?>
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell">
-					<label class="u-hide-desktop u-text-bold"><?= _("Record") ?>:</label>
-					<input type="text" class="form-control" value="<?= $v_webmail_alias ?>.<?= htmlspecialchars($_GET["domain"]) ?>">
+					<label class="u-hide-desktop u-text-bold"><?= tohtml( _("Record")) ?>:</label>
+					<input type="text" class="form-control" value="<?= tohtml($v_webmail_alias) ?>.<?= tohtml($_GET["domain"]) ?>">
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 					A
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Priority") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Priority")) ?>:</span>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("TTL") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("TTL")) ?>:</span>
 					14400
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<label class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</label>
-					<input type="text" class="form-control" value="<?= empty($ips[array_key_first($ips)]["NAT"]) ? array_key_first($ips) : $ips[array_key_first($ips)]["NAT"] ?>">
+					<label class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</label>
+					<input type="text" class="form-control" value="<?= tohtml(empty($ips[array_key_first($ips)]["NAT"]) ? array_key_first($ips) : $ips[array_key_first($ips)]["NAT"]) ?>">
 				</div>
 			</div>
 		<?php } ?>
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
-				<label class="u-hide-desktop u-text-bold"><?= _("Record") ?>:</label>
-				<input type="text" class="form-control" value="<?= htmlspecialchars($_GET["domain"]) ?>">
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("Record")) ?>:</label>
+				<input type="text" class="form-control" value="<?= tohtml($_GET["domain"]) ?>">
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 				MX
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Priority") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Priority")) ?>:</span>
 				10
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("TTL") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("TTL")) ?>:</span>
 				14400
 			</div>
 			<div class="units-table-cell u-text-center-desktop">
-				<label class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</label>
-				<input type="text" class="form-control" value="mail.<?= htmlspecialchars($_GET["domain"]) ?>.">
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</label>
+				<input type="text" class="form-control" value="mail.<?= tohtml($_GET["domain"]) ?>.">
 			</div>
 		</div>
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
-				<label class="u-hide-desktop u-text-bold"><?= _("Record") ?>:</label>
-				<input type="text" class="form-control" value="<?= htmlspecialchars($_GET["domain"]) ?>">
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("Record")) ?>:</label>
+				<input type="text" class="form-control" value="<?= tohtml($_GET["domain"]) ?>">
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 				TXT
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Priority") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Priority")) ?>:</span>
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("TTL") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("TTL")) ?>:</span>
 				14400
 			</div>
 			<div class="units-table-cell u-text-center-desktop">
-				<label class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</label>
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</label>
 				<?php $ip = empty($ips[array_key_first($ips)]["NAT"]) ? array_key_first($ips) : $ips[array_key_first($ips)]["NAT"]; ?>
-				<input type="text" class="form-control" value="<?= htmlspecialchars("v=spf1 a mx ip4:" . $ip . " -all") ?>">
+				<input type="text" class="form-control" value="<?= tohtml("v=spf1 a mx ip4:" . $ip . " -all") ?>">
 			</div>
 		</div>
 		<div class="units-table-row js-unit">
 			<div class="units-table-cell">
-				<label class="u-hide-desktop u-text-bold"><?= _("Record") ?>:</label>
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("Record")) ?>:</label>
 				<input type="text" class="form-control" value="_dmarc">
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 				TXT
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("Priority") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("Priority")) ?>:</span>
 			</div>
 			<div class="units-table-cell u-text-bold u-text-center-desktop">
-				<span class="u-hide-desktop"><?= _("TTL") ?>:</span>
+				<span class="u-hide-desktop"><?= tohtml( _("TTL")) ?>:</span>
 				14400
 			</div>
 			<div class="units-table-cell u-text-center-desktop">
-				<label class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</label>
-				<input type="text" class="form-control" value="<?= htmlspecialchars("v=DMARC1; p=quarantine; pct=100") ?>">
+				<label class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</label>
+				<input type="text" class="form-control" value="<?= tohtml("v=DMARC1; p=quarantine; pct=100") ?>">
 			</div>
 		</div>
 		<?php foreach ($dkim as $key => $value) { ?>
 			<div class="units-table-row js-unit">
 				<div class="units-table-cell">
-					<label class="u-hide-desktop u-text-bold"><?= _("Record") ?>:</label>
-					<input type="text" class="form-control" value="<?= htmlspecialchars($key) ?>">
+					<label class="u-hide-desktop u-text-bold"><?= tohtml( _("Record")) ?>:</label>
+					<input type="text" class="form-control" value="<?= tohtml($key) ?>">
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Type") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Type")) ?>:</span>
 					TXT
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Priority") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Priority")) ?>:</span>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("TTL") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("TTL")) ?>:</span>
 					3600
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<label class="u-hide-desktop u-text-bold"><?= _("IP or Value") ?>:</label>
-					<input type="text" class="form-control" value="<?= htmlspecialchars(str_replace(['"', "'"], "", $dkim[$key]["TXT"])) ?>">
+					<label class="u-hide-desktop u-text-bold"><?= tohtml( _("IP or Value")) ?>:</label>
+					<input type="text" class="form-control" value="<?= tohtml(str_replace(['"', "'"], "", $dkim[$key]["TXT"])) ?>">
 				</div>
 			</div>
 		<?php } ?>
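Review bot: the call style `tohtml( _("Record"))` (space after the opening parenthesis) is inconsistent with the `tohtml($key)` form used on the same lines and recurs throughout this hunk and the rest of the patch; consider normalising to `tohtml(_("Record"))` so the new helper reads the same everywhere and later grep-based audits for unescaped output match a single pattern. The data changes themselves look right: the `$ip` assignment stays outside the attribute and the computed SPF and DKIM strings are escaped once at the output boundary.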

+ 11 - 11
web/templates/pages/list_rrd.php

@@ -3,19 +3,19 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="/list/server/?cpu" class="button button-secondary">
-				<i class="fas fa-chart-pie icon-green"></i><?= _("Advanced Details") ?>
+				<i class="fas fa-chart-pie icon-green"></i><?= tohtml( _("Advanced Details")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
-			<a class="toolbar-link<?php if ((empty($period)) || ($period == 'daily')) echo " selected" ?>" href="?period=daily"><?= _("Daily") ?></a>
-			<a class="toolbar-link<?php if ((!empty($period)) && ($period == 'weekly')) echo " selected" ?>" href="?period=weekly"><?= _("Weekly") ?></a>
-			<a class="toolbar-link<?php if ((!empty($period)) && ($period == 'monthly')) echo " selected" ?>" href="?period=monthly"><?= _("Monthly") ?></a>
-			<a class="toolbar-link<?php if ((!empty($period)) && ($period == 'yearly')) echo " selected" ?>" href="?period=yearly"><?= _("Yearly") ?></a>
-                        <a class="toolbar-link<?php if ((!empty($period)) && ($period == 'biennially')) echo " selected" ?>" href="?period=biennially"><?= _("Biennially") ?></a>
-                        <a class="toolbar-link<?php if ((!empty($period)) && ($period == 'triennially')) echo " selected" ?>" href="?period=triennially"><?= _("Triennially") ?></a>
+			<a class="toolbar-link<?php if ((empty($period)) || ($period == 'daily')) echo " selected" ?>" href="?<?= tohtml(http_build_query(["period" => 'daily'])) ?>"><?= tohtml( _("Daily")) ?></a>
+			<a class="toolbar-link<?php if ((!empty($period)) && ($period == 'weekly')) echo " selected" ?>" href="?<?= tohtml(http_build_query(["period" => 'weekly'])) ?>"><?= tohtml( _("Weekly")) ?></a>
+			<a class="toolbar-link<?php if ((!empty($period)) && ($period == 'monthly')) echo " selected" ?>" href="?<?= tohtml(http_build_query(["period" => 'monthly'])) ?>"><?= tohtml( _("Monthly")) ?></a>
+			<a class="toolbar-link<?php if ((!empty($period)) && ($period == 'yearly')) echo " selected" ?>" href="?<?= tohtml(http_build_query(["period" => 'yearly'])) ?>"><?= tohtml( _("Yearly")) ?></a>
+                        <a class="toolbar-link<?php if ((!empty($period)) && ($period == 'biennially')) echo " selected" ?>" href="?<?= tohtml(http_build_query(["period" => 'biennially'])) ?>"><?= tohtml( _("Biennially")) ?></a>
+                        <a class="toolbar-link<?php if ((!empty($period)) && ($period == 'triennially')) echo " selected" ?>" href="?<?= tohtml(http_build_query(["period" => 'triennially'])) ?>"><?= tohtml( _("Triennially")) ?></a>
 		</div>
 	</div>
 </div>
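Review bot: the six period links now run constant literals through `http_build_query(["period" => 'daily'])` and `tohtml`, which adds two function calls per link without changing the emitted markup, since no untrusted input reaches these query strings; the plain `href="?period=daily"` form was already safe and is easier to read. If the intent is uniformity with links that do carry user data, a short comment saying so would help the next reader. Separately, the `biennially` and `triennially` lines keep their space-based indentation while the surrounding lines use tabs; the rewrite is a good opportunity to align them.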
@@ -26,11 +26,11 @@
 		<!-- Begin graph list item loop -->
 		<?php foreach ($data as $key => $value) { ?>
 			<div class="u-mb40">
-				<h2 class="u-mb20"><?= htmlspecialchars($data[$key]["TITLE"]) ?></h2>
+				<h2 class="u-mb20"><?= tohtml($data[$key]["TITLE"]) ?></h2>
 				<canvas
 					class="u-max-height300 js-rrd-chart"
-					data-service="<?= $data[$key]["TYPE"] !== "net" ? htmlspecialchars($data[$key]["RRD"]) : "net_" . htmlspecialchars($data[$key]["RRD"]) ?>"
-					data-period="<?= htmlspecialchars($period) ?>"
+					data-service="<?= tohtml($data[$key]["TYPE"] !== "net" ? $data[$key]["RRD"] : "net_" . $data[$key]["RRD"]) ?>"
+					data-period="<?= tohtml($period) ?>"
 				></canvas>
 			</div>
 		<?php } ?>

+ 35 - 35
web/templates/pages/list_search.php

@@ -3,33 +3,33 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a href="javascript:window.history.back();" class="button button-secondary button-back js-button-back">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<a href="javascript:location.reload();" class="button button-secondary">
-				<i class="fas fa-arrows-rotate icon-green"></i><?= _("Refresh") ?>
+				<i class="fas fa-arrows-rotate icon-green"></i><?= tohtml( _("Refresh")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<div class="toolbar-sorting">
-				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= _("Sort items") ?>">
-					<?= _("Sort by") ?>:
+				<button class="toolbar-sorting-toggle js-toggle-sorting-menu" type="button" title="<?= tohtml( _("Sort items")) ?>">
+					<?= tohtml( _("Sort by")) ?>:
 					<span class="u-text-bold">
-						<?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i>
+						<?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i>
 					</span>
 				</button>
 				<ul class="toolbar-sorting-menu js-sorting-menu u-hidden">
 					<li data-entity="sort-date" data-sort-as-int="1">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= _("Date") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'date') { echo 'active'; } ?>"><?= tohtml( _("Date")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 					<li data-entity="sort-name">
-						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= _("Name") ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
+						<span class="name <?php if ($_SESSION['userSortOrder'] === 'name') { echo 'active'; } ?>"><?= tohtml( _("Name")) ?> <i class="fas fa-arrow-down-a-z"></i></span><span class="up"><i class="fas fa-arrow-up-a-z"></i></span>
 					</li>
 				</ul>
 				<div class="toolbar-search">
 					<form action="/search/" method="get">
-						<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-						<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_GET['q']) ? htmlspecialchars($_GET['q']) : '' ?>" title="<?= _("Search") ?>">
-						<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+						<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+						<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_GET['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+						<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 							<i class="fas fa-magnifying-glass"></i>
 						</button>
 					</form>
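Review bot: `tohtml($_GET['q'] ?? '')` still forwards whatever type arrives in `q`; a request such as `?q[]=x` delivers an array, and an `htmlspecialchars`-based helper throws a TypeError on arrays under PHP 8, turning a malformed query into a 500. Consider validating the value as a string before output, e.g. `$q = is_string($_GET['q'] ?? null) ? $_GET['q'] : '';` and then `value="<?= tohtml($q) ?>"`. Replacing the `<? echo ... ?>` short open tag with `<?=` here is a genuine fix, since short tags depend on `short_open_tag` and would otherwise leak the raw PHP into the page.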
@@ -42,16 +42,16 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Search Results") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Search Results")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell u-text-center"><?= _("Status") ?></div>
-			<div class="units-table-cell"><?= _("Search Results") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Date") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Owner") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Type") ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Status")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Search Results")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Date")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Owner")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Type")) ?></div>
 		</div>
 
 		<!-- Begin search result item loop -->
@@ -80,12 +80,12 @@
 				$uniq_id .= sha1($value['RESULT']);
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-uniq-id="<?= $uniq_id?>"
-				data-sort-date="<?= strtotime($value['DATE'].' '.$value['TIME']) ?>"
-				data-sort-name="<?= $value['RESULT'] ?>"
-				data-sort-type="<?= _($object) ?>"
-				data-sort-owner="<?= $value["USER"] ?>"
-				data-sort-status="<?= $status ?>"
+				data-uniq-id="<?= tohtml($uniq_id) ?>"
+				data-sort-date="<?= tohtml(strtotime($value['DATE'].' '.$value['TIME'])) ?>"
+				data-sort-name="<?= tohtml($value['RESULT']) ?>"
+				data-sort-type="<?= tohtml( _($object)) ?>"
+				data-sort-owner="<?= tohtml($value["USER"]) ?>"
+				data-sort-status="<?= tohtml($status) ?>"
 				style="<?php if (($_SESSION['POLICY_SYSTEM_HIDE_ADMIN'] === 'yes') && ($value['USER']) === 'admin') { echo 'display: none;'; } ?>">
 				<div class="units-table-cell u-text-center-desktop">
 					<?php
@@ -108,10 +108,10 @@
 							$icon = 'fa-clock';
 						}
 					?>
-					<i class="fa <?= $icon ?> icon-dim"></i>
+					<i class="fa <?= tohtml($icon) ?> icon-dim"></i>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Status") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Status")) ?>:</span>
 					<?php if ($status === "active") { ?>
 						<i class="fas fa-circle-check icon-green"></i>
 					<?php } ?>
@@ -120,7 +120,7 @@
 					<?php } ?>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Search Results") ?>:</span>
+					<span class="u-hide-desktop"><?= tohtml( _("Search Results")) ?>:</span>
 					<?php
 						if ($value['KEY'] == 'RECORD') {
 							$edit_lnk = '/edit/'.$value['TYPE'].'/?domain='.$value['PARENT'].'&record_id='.$value['LINK'].'&user='.$value['USER'];
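Review bot: the unchanged context line builds `$edit_lnk` by string concatenation (`'/edit/'.$value['TYPE'].'/?domain='.$value['PARENT'].'&record_id='.$value['LINK'].'&user='.$value['USER']`) with no URL encoding, while the rest of this patch moves query strings to `http_build_query`. Where `$edit_lnk` is echoed is outside this hunk, so please check that it is passed through `tohtml` at the output site, and consider building the query part with `http_build_query(["domain" => $value['PARENT'], "record_id" => $value['LINK'], "user" => $value['USER']])` for consistency.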
@@ -152,26 +152,26 @@
 					?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Date") ?>:</span>
-					<time datetime="<?= htmlspecialchars($value["DATE"]) ?>">
-						<?= translate_date($value["DATE"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Date")) ?>:</span>
+					<time datetime="<?= tohtml($value["DATE"]) ?>">
+						<?= tohtml(translate_date($value["DATE"])) ?>
 					</time>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Owner") ?>:</span>
-					<a href="/search/?q=<?= htmlentities($_GET["q"]) ?>&u=<?= $value["USER"] ?>&token=<?= $_SESSION["token"] ?>">
-						<?= $value["USER"] ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Owner")) ?>:</span>
+					<a href="/search/?<?= tohtml(http_build_query(["q" => $_GET["q"], "u" => $value["USER"], "token" => $_SESSION["token"]])) ?>">
+						<?= tohtml($value["USER"]) ?>
 					</a>
 					<?php if (!($_SESSION["POLICY_SYSTEM_HIDE_ADMIN"] === "yes" && $value["USER"] !== "admin") && $_SESSION["userContext"] === "admin") { ?>
-						<a href="/login/?loginas=<?= $value["USER"] ?>&token=<?= $_SESSION["token"] ?>" title="<?= _("Log in as") ?> <?= $value["USER"] ?>" class="u-ml5">
+						<a href="/login/?<?= tohtml(http_build_query(["loginas" => $value["USER"], "token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Log in as")) ?> <?= tohtml($value["USER"]) ?>" class="u-ml5">
 							<i class="fas fa-right-to-bracket icon-green icon-dim"></i>
-							<span class="u-hidden-visually"><?= _("Log in as") ?> <?= $value["USER"] ?></span>
+							<span class="u-hidden-visually"><?= tohtml( _("Log in as")) ?> <?= tohtml($value["USER"]) ?></span>
 						</a>
 					<?php } ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Type") ?>:</span>
-					<?= _($object) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Type")) ?>:</span>
+					<?= tohtml( _($object)) ?>
 				</div>
 			</div>
 		<?php } ?>
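Review bot: the owner link reads `$_GET["q"]` without a null coalescing fallback inside `http_build_query([...])`, whereas the search input earlier in this file uses `$_GET['q'] ?? ''`; when `q` is absent the page emits an "Undefined array key" warning and `http_build_query` silently drops the `q` parameter. Use `"q" => $_GET["q"] ?? ''` so both places behave the same. The switch from `htmlentities` plus raw `$value["USER"]` and `$_SESSION["token"]` to `tohtml(http_build_query(...))` is otherwise correct: the query is URL-encoded first and the `&` separators are then HTML-escaped for the attribute.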

+ 19 - 19
web/templates/pages/list_server_info.php

@@ -16,8 +16,8 @@
 			<div class="top-bar">
 				<div class="container top-bar-inner">
 					<div class="top-bar-left">
-						<a href="/" class="top-bar-logo" title="<?= _("Hestia Control Panel") ?>">
-							<img src="/images/logo-header.svg" alt="<?= _("Hestia Control Panel") ?>" width="54" height="29">
+						<a href="/" class="top-bar-logo" title="<?= tohtml( _("Hestia Control Panel")) ?>">
+							<img src="/images/logo-header.svg" alt="<?= tohtml( _("Hestia Control Panel")) ?>" width="54" height="29">
 						</a>
 					</div>
 					<div class="top-bar-right">
@@ -27,47 +27,47 @@
 								class="top-bar-menu-link u-hide-tablet"
 								x-on:click="open = !open">
 								<i class="fas fa-bars"></i>
-								<span class="u-hidden" x-text="open ? '<?= _("Close menu") ?>' : '<?= _("Open menu") ?>'">
-									<?= _("Open menu") ?>
-								</span>
+									<span class="u-hidden" x-text="open ? <?= tohtml(json_encode(_("Close menu"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)) ?> : <?= tohtml(json_encode(_("Open menu"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)) ?>">
+										<?= tohtml( _("Open menu")) ?>
+									</span>
 							</button>
 							<div x-cloak x-show="open" x-on:click.outside="open = false" class="top-bar-menu-panel">
 								<ul class="top-bar-menu-list">
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link" href="/list/rrd/" title="<?= _("Back") ?>">
+										<a class="top-bar-menu-link" href="/list/rrd/" title="<?= tohtml( _("Back")) ?>">
 											<i class="fas fa-circle-left"></i>
-											<span class="top-bar-menu-link-label"><?= _("Back") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("Back")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
 										<a class="top-bar-menu-link <?php if (isset($_GET['cpu'])) echo 'active' ?>" href="/list/server/?cpu">
 											<i class="fas fa-microchip"></i>
-											<span class="top-bar-menu-link-label"><?= _("CPU") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("CPU")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
 										<a class="top-bar-menu-link <?php if (isset($_GET['mem'])) echo 'active' ?>" href="/list/server/?mem">
 											<i class="fas fa-memory"></i>
-											<span class="top-bar-menu-link-label"><?= _("RAM") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("RAM")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
 										<a class="top-bar-menu-link <?php if (isset($_GET['disk'])) echo 'active' ?>" href="/list/server/?disk">
 											<i class="fas fa-hard-drive"></i>
-											<span class="top-bar-menu-link-label"><?= _("Disk") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("Disk")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
 										<a class="top-bar-menu-link <?php if (isset($_GET['net'])) echo 'active' ?>" href="/list/server/?net">
 											<i class="fas fa-hard-drive"></i>
-											<span class="top-bar-menu-link-label"><?= _("Network") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("Network")) ?></span>
 										</a>
 									</li>
 									<?php if ((isset($_SESSION['WEB_SYSTEM'])) && (!empty($_SESSION['WEB_SYSTEM']))) { ?>
 										<li class="top-bar-menu-item">
 											<a class="top-bar-menu-link <?php if (isset($_GET['web'])) echo 'active' ?>" href="/list/server/?web">
 												<i class="fas fa-earth-europe"></i>
-												<span class="top-bar-menu-link-label"><?= _("Web") ?></span>
+												<span class="top-bar-menu-link-label"><?= tohtml( _("Web")) ?></span>
 											</a>
 										</li>
 									<?php } ?>
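Review bot: the `x-text` expression uses `JSON_THROW_ON_ERROR`, so a translation string with invalid UTF-8 would raise an uncaught `JsonException` and break the whole page header rather than just the menu label; consider adding `JSON_INVALID_UTF8_SUBSTITUTE` or catching the exception with a plain-string fallback. The five-flag list is also repeated twice on one line and will be copied into other templates, so a small helper (e.g. a `tojs()` wrapper beside `tohtml()`) would keep the JS-context encoding in one place. The combination itself is sound: `JSON_HEX_QUOT` and `JSON_HEX_APOS` keep quotes out of the JavaScript literal, and the outer `tohtml` handles the HTML attribute. Note the replaced `<span>` block also gained one level of indentation relative to the surrounding `<i>` and `</button>` lines, which is probably unintended.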
@@ -75,7 +75,7 @@
 										<li class="top-bar-menu-item">
 											<a class="top-bar-menu-link <?php if (isset($_GET['dns'])) echo 'active' ?>" href="/list/server/?dns">
 												<i class="fas fa-book-atlas"></i>
-												<span class="top-bar-menu-link-label"><?= _("DNS") ?></span>
+												<span class="top-bar-menu-link-label"><?= tohtml( _("DNS")) ?></span>
 											</a>
 										</li>
 									<?php } ?>
@@ -83,7 +83,7 @@
 										<li class="top-bar-menu-item">
 											<a class="top-bar-menu-link <?php if (isset($_GET['mail'])) echo 'active' ?>" href="/list/server/?mail">
 												<i class="fas fa-envelopes-bulk"></i>
-												<span class="top-bar-menu-link-label"><?= _("Mail") ?></span>
+												<span class="top-bar-menu-link-label"><?= tohtml( _("Mail")) ?></span>
 											</a>
 										</li>
 									<?php } ?>
@@ -91,20 +91,20 @@
 										<li class="top-bar-menu-item">
 											<a class="top-bar-menu-link <?php if (isset($_GET['db'])) echo 'active' ?>" href="/list/server/?db">
 												<i class="fas fa-database"></i>
-												<span class="top-bar-menu-link-label"><?= _("DB") ?></span>
+												<span class="top-bar-menu-link-label"><?= tohtml( _("DB")) ?></span>
 											</a>
 										</li>
 									<?php } ?>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link" href="javascript:location.reload();" title="<?= _("Refresh") ?>">
+										<a class="top-bar-menu-link" href="javascript:location.reload();" title="<?= tohtml( _("Refresh")) ?>">
 											<i class="fas fa-arrow-rotate-right"></i>
-											<span class="u-hidden"><?= _("Refresh") ?></span>
+											<span class="u-hidden"><?= tohtml( _("Refresh")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link top-bar-menu-link-logout" href="/logout/?token=<?= $_SESSION["token"] ?>" title="<?= _("Log out") ?>">
+										<a class="top-bar-menu-link top-bar-menu-link-logout" href="/logout/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Log out")) ?>">
 											<i class="fas fa-right-from-bracket"></i>
-											<span class="u-hidden"><?= _("Log out") ?></span>
+											<span class="u-hidden"><?= tohtml( _("Log out")) ?></span>
 										</a>
 									</li>
 								</ul>

+ 11 - 11
web/templates/pages/list_server_preview.php

@@ -3,7 +3,7 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a href="/edit/server/" class="button button-secondary button-back js-button-back">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</div>
@@ -12,14 +12,14 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Preview Features") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Preview Features")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell"><?= _("Category") ?></div>
-			<div class="units-table-cell"><?= _("Name") ?></div>
-			<div class="units-table-cell"><?= _("Status") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Category")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Name")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Status")) ?></div>
 		</div>
 
 		<div class="units-table-row js-unit">
@@ -27,16 +27,16 @@
 				<i class="fas fa-gear icon-blue"></i>
 			</div>
 			<div class="units-table-cell units-table-heading-cell u-text-bold">
-				<span class="u-hide-desktop"><?= _("Category") ?>:</span>
-				<?= _("System") ?>
+				<span class="u-hide-desktop"><?= tohtml( _("Category")) ?>:</span>
+				<?= tohtml( _("System")) ?>
 			</div>
 			<div class="units-table-cell u-text-bold">
-				<span class="u-hide-desktop"><?= _("Name") ?>:</span>
-				<?= _("Policy") ?>: <?= _("Allow suspended users to log in with read-only access") ?>
+				<span class="u-hide-desktop"><?= tohtml( _("Name")) ?>:</span>
+				<?= tohtml( _("Policy")) ?>: <?= tohtml( _("Allow suspended users to log in with read-only access")) ?>
 			</div>
 			<div class="units-table-cell">
-				<span class="u-hide-desktop u-text-bold"><?= _("Status") ?>:</span>
-				<?= _("Partially implemented") ?>
+				<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Status")) ?>:</span>
+				<?= tohtml( _("Partially implemented")) ?>
 			</div>
 		</div>
 	</div>

+ 63 - 63
web/templates/pages/list_services.php

@@ -3,41 +3,41 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a href="/edit/server/" class="button button-secondary">
-				<i class="fas fa-gear icon-maroon"></i><?= _("Configure") ?>
+				<i class="fas fa-gear icon-maroon"></i><?= tohtml( _("Configure")) ?>
 			</a>
 			<a href="/list/rrd/" class="button button-secondary">
-				<i class="fas fa-chart-area icon-blue"></i><?= _("Task Monitor") ?>
+				<i class="fas fa-chart-area icon-blue"></i><?= tohtml( _("Task Monitor")) ?>
 			</a>
 			<a href="/list/updates/" class="button button-secondary">
-				<i class="fas fa-arrows-rotate icon-green"></i><?= _("Updates") ?>
+				<i class="fas fa-arrows-rotate icon-green"></i><?= tohtml( _("Updates")) ?>
 			</a>
 			<?php if (!empty($_SESSION["FIREWALL_SYSTEM"]) && $_SESSION["FIREWALL_SYSTEM"] == "iptables") { ?>
 				<a href="/list/firewall/" class="button button-secondary">
-					<i class="fas fa-shield-halved icon-red"></i><?= _("Firewall") ?>
+					<i class="fas fa-shield-halved icon-red"></i><?= tohtml( _("Firewall")) ?>
 				</a>
 			<?php } ?>
-			<a href="/list/log/?user=system&token=<?= $_SESSION["token"] ?>" class="button button-secondary">
-				<i class="fas fa-binoculars icon-orange"></i><?= _("Logs") ?>
+			<a href="/list/log/?<?= tohtml(http_build_query(["user" => 'system', "token" => $_SESSION["token"]])) ?>" class="button button-secondary">
+				<i class="fas fa-binoculars icon-orange"></i><?= tohtml( _("Logs")) ?>
 			</a>
 			<a
 				class="button button-secondary button-danger data-controls js-confirm-action"
-				href="/restart/system/?hostname=<?= $sys["sysinfo"]["HOSTNAME"] ?>&token=<?= $_SESSION["token"] ?>&system_reset_token=<?= time() ?>"
-				data-confirm-title="<?= _("Restart") ?>"
-				data-confirm-message="<?= _("Are you sure you want to restart the server?") ?>"
+				href="/restart/system/?<?= tohtml(http_build_query(["hostname" => $sys["sysinfo"]["HOSTNAME"], "token" => $_SESSION["token"], "system_reset_token" => time()])) ?>"
+				data-confirm-title="<?= tohtml( _("Restart")) ?>"
+				data-confirm-message="<?= tohtml( _("Are you sure you want to restart the server?")) ?>"
 			>
-				<i class="fas fa-arrow-rotate-left icon-red"></i><?= _("Restart") ?>
+				<i class="fas fa-arrow-rotate-left icon-red"></i><?= tohtml( _("Restart")) ?>
 			</a>
 		</div>
 		<div class="toolbar-right">
 			<form x-data x-bind="BulkEdit" action="/bulk/service/" method="post">
-				<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+				<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 				<select class="form-select" name="action">
-					<option value=""><?= _("Apply to selected") ?></option>
-					<option value="stop"><?= _("Stop") ?></option>
-					<option value="start"><?= _("Start") ?></option>
-					<option value="restart"><?= _("Restart") ?></option>
+					<option value=""><?= tohtml( _("Apply to selected")) ?></option>
+					<option value="stop"><?= tohtml( _("Stop")) ?></option>
+					<option value="start"><?= tohtml( _("Start")) ?></option>
+					<option value="restart"><?= tohtml( _("Restart")) ?></option>
 				</select>
-				<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+				<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 					<i class="fas fa-arrow-right"></i>
 				</button>
 			</form>
@@ -53,54 +53,54 @@
 			<i class="fas fa-server"></i>
 		</div>
 		<div class="server-summary-content">
-			<h1 class="server-summary-title"><?= $sys["sysinfo"]["HOSTNAME"] ?></h1>
+			<h1 class="server-summary-title"><?= tohtml($sys["sysinfo"]["HOSTNAME"]) ?></h1>
 			<ul class="server-summary-list">
 				<li class="server-summary-item">
 					<span class="server-summary-list-label">Hestia Control Panel</span>
 					<span class="server-summary-list-value">
 						<?php if ($sys["sysinfo"]["RELEASE"] == "release") { ?>
-							<i class="fas fa-cube" title="<?= _("Production Release") ?>"></i>
+							<i class="fas fa-cube" title="<?= tohtml( _("Production Release")) ?>"></i>
 						<?php } else { ?>
-							<i class="fas fa-flask icon-red" title="<?= $sys["sysinfo"]["RELEASE"] ?>"></i>
+							<i class="fas fa-flask icon-red" title="<?= tohtml($sys["sysinfo"]["RELEASE"]) ?>"></i>
 						<?php } ?>
-						v<?= $sys["sysinfo"]["HESTIA"] ?>
+						v<?= tohtml($sys["sysinfo"]["HESTIA"]) ?>
 					</span>
 				</li>
 				<li class="server-summary-item">
-					<span class="server-summary-list-label"><?= _("Operating System") ?></span>
+					<span class="server-summary-list-label"><?= tohtml( _("Operating System")) ?></span>
 					<span class="server-summary-list-value">
-						<?= $sys["sysinfo"]["OS"] ?> <?= $sys["sysinfo"]["VERSION"] ?> (<?= $sys["sysinfo"]["ARCH"] ?>)
+						<?= tohtml($sys["sysinfo"]["OS"]) ?> <?= tohtml($sys["sysinfo"]["VERSION"]) ?> (<?= tohtml($sys["sysinfo"]["ARCH"]) ?>)
 					</span>
 				</li>
 				<li class="server-summary-item">
-					<span class="server-summary-list-label"><?= _("Load Average") ?> <span class="hint">(1m / 5m / 15m)</span></span>
+					<span class="server-summary-list-label"><?= tohtml( _("Load Average")) ?> <span class="hint">(1m / 5m / 15m)</span></span>
 					<span class="server-summary-list-value">
-						<?= $sys["sysinfo"]["LOADAVERAGE"] ?>
+						<?= tohtml($sys["sysinfo"]["LOADAVERAGE"]) ?>
 					</span>
 				</li>
 				<li class="server-summary-item">
-					<span class="server-summary-list-label"><?= _("Uptime") ?></span>
+					<span class="server-summary-list-label"><?= tohtml( _("Uptime")) ?></span>
 					<span class="server-summary-list-value">
-						<?= humanize_time($sys["sysinfo"]["UPTIME"]) ?>
+						<?= tohtml(humanize_time($sys["sysinfo"]["UPTIME"])) ?>
 					</span>
 				</li>
 			</ul>
 		</div>
 	</div>
 
-	<h1 class="u-text-center u-hide-desktop u-pr30 u-mb20 u-pl30"><?= _("Services") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-pr30 u-mb20 u-pl30"><?= tohtml( _("Services")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
 			<div class="units-table-cell">
-				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= _("Select all") ?>">
+				<input type="checkbox" class="js-toggle-all-checkbox" title="<?= tohtml( _("Select all")) ?>">
 			</div>
-			<div class="units-table-cell"><?= _("Service") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Service")) ?></div>
 			<div class="units-table-cell"></div>
-			<div class="units-table-cell"><?= _("Description") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Uptime") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("CPU") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Memory") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Description")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Uptime")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("CPU")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Memory")) ?></div>
 		</div>
 
 		<!-- Begin services status list item loop -->
@@ -133,21 +133,21 @@
 				if ($cpu == '0.0')	$cpu = 0;
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit"
-				data-sort-name="<?= strtolower($key) ?>"
-				data-sort-memory="<?= $data[$key]["MEM"] ?>"
-				data-sort-cpu="<?= $cpu ?>"
-				data-sort-uptime="<?= $data[$key]["RTIME"] ?>">
+				data-sort-name="<?= tohtml(strtolower($key)) ?>"
+				data-sort-memory="<?= tohtml($data[$key]["MEM"]) ?>"
+				data-sort-cpu="<?= tohtml($cpu) ?>"
+				data-sort-uptime="<?= tohtml($data[$key]["RTIME"]) ?>">
 				<div class="units-table-cell">
 					<div>
-						<input id="check<?= $i ?>" class="js-unit-checkbox" type="checkbox" title="<?= _("Select") ?>" name="service[]" value="<?= $key ?>">
-						<label for="check<?= $i ?>" class="u-hide-desktop"><?= _("Select") ?></label>
+						<input id="check<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" title="<?= tohtml( _("Select")) ?>" name="service[]" value="<?= tohtml($key) ?>">
+						<label for="check<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
 					</div>
 				</div>
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Service") ?>:</span>
-					<i class="fas <?= $state_icon ?> u-mr5"></i>
-					<a href="/edit/server/<? echo $edit_url ?>/" title="<?= _("Edit") ?>: <?= $key ?>">
-						<?= $key ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Service")) ?>:</span>
+					<i class="fas <?= tohtml($state_icon) ?> u-mr5"></i>
+					<a href="/edit/server/<? echo $edit_url ?>/" title="<?= tohtml( _("Edit")) ?>: <?= tohtml($key) ?>">
+						<?= tohtml($key) ?>
 					</a>
 				</div>
 				<div class="units-table-cell">
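Review bot: the unchanged context line `<a href="/edit/server/<? echo $edit_url ?>/" title="<?= tohtml( _("Edit")) ?>: <?= tohtml($key) ?>">` still emits `$edit_url` with no escaping, even though `$key` on the same line now goes through `tohtml()`, and it relies on the `<?` short open tag rather than `<?=`. Change it to `<?= tohtml($edit_url) ?>` (or `tohtml(rawurlencode($edit_url))` if the value is a path segment) so this hunk does not leave one raw interpolation in the row it otherwise hardens.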
@@ -156,53 +156,53 @@
 							<a
 								class="units-table-row-action-link"
 								href="/edit/server/<? echo $edit_url ?>/"
-								title="<?= _("Edit") ?>"
+								title="<?= tohtml( _("Edit")) ?>"
 							>
 								<i class="fas fa-pencil icon-orange"></i>
-								<span class="u-hide-desktop"><?= _("Edit") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Edit")) ?></span>
 							</a>
 						</li>
 						<li class="units-table-row-action shortcut-s" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/restart/service/?srv=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= _("Restart") ?>"
-								data-confirm-title="<?= _("Restart") ?>"
-								data-confirm-message="<?= sprintf(_("Are you sure you want to restart the %s service?"), $key) ?>"
+								href="/restart/service/?<?= tohtml(http_build_query(["srv" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml( _("Restart")) ?>"
+								data-confirm-title="<?= tohtml( _("Restart")) ?>"
+								data-confirm-message="<?= tohtml(sprintf(_("Are you sure you want to restart the %s service?"), $key)) ?>"
 							>
 								<i class="fas fa-arrow-rotate-left icon-highlight"></i>
-								<span class="u-hide-desktop"><?= _("Restart") ?></span>
+								<span class="u-hide-desktop"><?= tohtml( _("Restart")) ?></span>
 							</a>
 						</li>
 						<li class="units-table-row-action shortcut-delete" data-key-action="js">
 							<a
 								class="units-table-row-action-link data-controls js-confirm-action"
-								href="/<?= $action ?>/service/?srv=<?= $key ?>&token=<?= $_SESSION["token"] ?>"
-								title="<?= $action_text ?>"
-								data-confirm-title="<?= $action_text ?>"
+								href="/<?= tohtml($action) ?>/service/?<?= tohtml(http_build_query(["srv" => $key, "token" => $_SESSION["token"]])) ?>"
+								title="<?= tohtml($action_text) ?>"
+								data-confirm-title="<?= tohtml($action_text) ?>"
 								data-confirm-message="<?php if ($action == 'stop') { echo sprintf(_('Are you sure you want to stop the %s service?'), $key); } else { echo sprintf(_('Are you sure you want to start the %s service?'), $key); }?>"
 							>
-								<i class="fas <?= $spnd_icon ?> <?= $spnd_icon_class ?>"></i>
-								<span class="u-hide-desktop"><?= $action_text ?></span>
+								<i class="fas <?= tohtml($spnd_icon) ?> <?= tohtml($spnd_icon_class) ?>"></i>
+								<span class="u-hide-desktop"><?= tohtml($action_text) ?></span>
 							</a>
 						</li>
 					</ul>
 				</div>
 				<div class="units-table-cell">
-					<span class="u-hide-desktop u-text-bold"><?= _("Description") ?>:</span>
-					<?= _($data[$key]["SYSTEM"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Description")) ?>:</span>
+					<?= tohtml( _($data[$key]["SYSTEM"])) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Uptime") ?>:</span>
-					<?= humanize_time($data[$key]["RTIME"]) ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Uptime")) ?>:</span>
+					<?= tohtml(humanize_time($data[$key]["RTIME"])) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("CPU") ?>:</span>
-					<?= $cpu ?>
+					<span class="u-hide-desktop"><?= tohtml( _("CPU")) ?>:</span>
+					<?= tohtml($cpu) ?>
 				</div>
 				<div class="units-table-cell u-text-bold u-text-center-desktop">
-					<span class="u-hide-desktop"><?= _("Memory") ?>:</span>
-					<?= $data[$key]["MEM"] ?> <?= _("MB") ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Memory")) ?>:</span>
+					<?= tohtml($data[$key]["MEM"]) ?> <?= tohtml( _("MB")) ?>
 				</div>
 			</div>
 		<?php } ?>
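Review bot: the stop/start confirmation is still echoed unescaped on the unchanged line `data-confirm-message="<?php if ($action == 'stop') { echo sprintf(_('Are you sure you want to stop the %s service?'), $key); } else { ... }?>"`, while the restart link a few lines above now uses `tohtml(sprintf(...))` for the same kind of message with the same `$key`. Wrap both branches, e.g. assign the message to a variable in the PHP block and output `<?= tohtml($confirm_message) ?>`. The second `href="/edit/server/<? echo $edit_url ?>/"` context line in this hunk has the same unescaped `$edit_url` as the previous hunk and should get the same fix.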

+ 17 - 17
web/templates/pages/list_ssl.php

@@ -1,14 +1,14 @@
 <!-- Begin form -->
 <div class="container">
 	<form id="main-form" name="v_generate_csr" method="post">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Generate Self-Signed SSL Certificate") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Generate Self-Signed SSL Certificate")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div
 				x-data="{
-					text: '<?= base64_encode($v_crt) ?>',
+					text: '<?= tohtml(base64_encode($v_crt)) ?>',
 					blob() {
 						return window.URL.createObjectURL(new Blob([atob(this.text)], { type: 'text/plain' }))
 					}
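Review bot: `text: '<?= tohtml(base64_encode($v_crt)) ?>'` is a JavaScript string literal inside an `x-data` attribute, so the relevant escaping context is JS-inside-HTML-attribute, not plain HTML. It is safe here only because base64 output is limited to `A-Za-z0-9+/=`, so `tohtml()` has nothing to change; if anything other than a base64 value is ever placed in this literal, use the `json_encode(..., JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` pattern this same commit applies in list_weblog.php. A short comment stating that the value is base64 would make the reasoning explicit for the next reader.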
@@ -16,14 +16,14 @@
 				class="u-mb20"
 			>
 				<label for="v_crt" class="form-label u-side-by-side">
-					<?= _("SSL Certificate") ?>
+					<?= tohtml( _("SSL Certificate")) ?>
 					<a
 						x-bind:href="blob()"
-						download="<?= htmlentities($v_domain) ?>.crt"
-						title="<?= _("Download") ?>"
+						download="<?= tohtml($v_domain) ?>.crt"
+						title="<?= tohtml( _("Download")) ?>"
 					>
 						<i class="fas fa-download"></i>
-						<span class="u-hidden"><?= _("Download") ?></span>
+						<span class="u-hidden"><?= tohtml( _("Download")) ?></span>
 					</a>
 				</label>
 				<textarea
@@ -35,7 +35,7 @@
 			</div>
 			<div
 				x-data="{
-					text: '<?= base64_encode($v_key) ?>',
+					text: '<?= tohtml(base64_encode($v_key)) ?>',
 					blob() {
 						return window.URL.createObjectURL(new Blob([atob(this.text)], { type: 'text/plain' }))
 					}
@@ -43,14 +43,14 @@
 				class="u-mb20"
 			>
 				<label for="v_key" class="form-label u-side-by-side">
-					<?= _("SSL Private Key") ?>
+					<?= tohtml( _("SSL Private Key")) ?>
 					<a
 						x-bind:href="blob()"
-						download="<?= htmlentities($v_domain) ?>.key"
-						title="<?= _("Download") ?>"
+						download="<?= tohtml($v_domain) ?>.key"
+						title="<?= tohtml( _("Download")) ?>"
 					>
 						<i class="fas fa-download"></i>
-						<span class="u-hidden"><?= _("Download") ?></span>
+						<span class="u-hidden"><?= tohtml( _("Download")) ?></span>
 					</a>
 				</label>
 				<textarea
@@ -62,7 +62,7 @@
 			</div>
 			<div
 				x-data="{
-					text: '<?= base64_encode($v_csr) ?>',
+					text: '<?= tohtml(base64_encode($v_csr)) ?>',
 					blob() {
 						return window.URL.createObjectURL(new Blob([atob(this.text)], { type: 'text/plain' }))
 					}
@@ -70,14 +70,14 @@
 				class="u-mb20"
 			>
 				<label for="v_csr" class="form-label u-side-by-side">
-					<?= _("SSL CSR") ?>
+					<?= tohtml( _("SSL CSR")) ?>
 					<a
 						x-bind:href="blob()"
-						download="<?= htmlentities($v_domain) ?>.csr"
-						title="<?= _("Download") ?>"
+						download="<?= tohtml($v_domain) ?>.csr"
+						title="<?= tohtml( _("Download")) ?>"
 					>
 						<i class="fas fa-download"></i>
-						<span class="u-hidden"><?= _("Download") ?></span>
+						<span class="u-hidden"><?= tohtml( _("Download")) ?></span>
 					</a>
 				</label>
 				<textarea

+ 17 - 17
web/templates/pages/list_updates.php

@@ -3,7 +3,7 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/server/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<?php
 				if ($autoupdate == 'Enabled') {
@@ -16,8 +16,8 @@
 					$btn_label = _('Enable Automatic Updates');
 				}
 			?>
-			<a class="button button-secondary" href="<?= $btn_url ?>">
-				<i class="fas <?= $btn_icon ?>"></i><?= $btn_label ?>
+			<a class="button button-secondary" href="<?= tohtml($btn_url) ?>">
+				<i class="fas <?= tohtml($btn_icon) ?>"></i><?= tohtml($btn_label) ?>
 			</a>
 		</div>
 	</div>
@@ -26,14 +26,14 @@
 
 <div class="container">
 
-	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= _("Updates") ?></h1>
+	<h1 class="u-text-center u-hide-desktop u-mt20 u-pr30 u-mb20 u-pl30"><?= tohtml( _("Updates")) ?></h1>
 
 	<div class="units-table js-units-container">
 		<div class="units-table-header">
-			<div class="units-table-cell"><?= _("Package Name") ?></div>
-			<div class="units-table-cell"><?= _("Description") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Version") ?></div>
-			<div class="units-table-cell u-text-center"><?= _("Status") ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Package Name")) ?></div>
+			<div class="units-table-cell"><?= tohtml( _("Description")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Version")) ?></div>
+			<div class="units-table-cell u-text-center"><?= tohtml( _("Status")) ?></div>
 		</div>
 
 		<!-- Begin update list item loop -->
@@ -51,23 +51,23 @@
 			?>
 			<div class="units-table-row <?php if ($status == 'suspended') echo 'disabled'; ?> js-unit">
 				<div class="units-table-cell units-table-heading-cell u-text-bold">
-					<span class="u-hide-desktop"><?= _("Package Names") ?>:</span>
-					<?= $key ?>
+					<span class="u-hide-desktop"><?= tohtml( _("Package Names")) ?>:</span>
+					<?= tohtml($key) ?>
 				</div>
 				<div class="units-table-cell">
-					<span class="u-hide-desktop u-text-bold"><?= _("Description") ?>:</span>
-					<?= _($data[$key]["DESCR"]) ?>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Description")) ?>:</span>
+					<?= tohtml( _($data[$key]["DESCR"])) ?>
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Version") ?>:</span>
-					<?= $data[$key]["VERSION"] ?> (<?= $data[$key]["ARCH"] ?>)
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Version")) ?>:</span>
+					<?= tohtml($data[$key]["VERSION"]) ?> (<?= tohtml($data[$key]["ARCH"]) ?>)
 				</div>
 				<div class="units-table-cell u-text-center-desktop">
-					<span class="u-hide-desktop u-text-bold"><?= _("Status") ?>:</span>
+					<span class="u-hide-desktop u-text-bold"><?= tohtml( _("Status")) ?>:</span>
 					<?php if ($data[$key]['UPDATED'] == 'no'): ?>
-						<i class="fas fa-triangle-exclamation icon-orange" title="<?= _("Update available") ?>"></i>
+						<i class="fas fa-triangle-exclamation icon-orange" title="<?= tohtml( _("Update available")) ?>"></i>
 					<?php elseif ($data[$key]['UPDATED'] == 'yes'): ?>
-						<i class="fas fa-circle-check icon-green" title="<?= _("Package up-to-date") ?>"></i>
+						<i class="fas fa-circle-check icon-green" title="<?= tohtml( _("Package up-to-date")) ?>"></i>
 					<?php endif; ?>
 				</div>
 			</div>

+ 9 - 9
web/templates/pages/list_webapps.php

@@ -2,8 +2,8 @@
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
-			<a class="button button-secondary button-back js-button-back" href="/edit/web/?domain=<?= htmlentities($v_domain) ?>">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+			<a class="button button-secondary button-back js-button-back" href="/edit/web/?<?= tohtml(http_build_query(["domain" => $v_domain])) ?>">
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</div>
@@ -13,20 +13,20 @@
 <div class="container">
 
 	<div class="form-container form-container-wide">
-		<h1 class="u-mb20"><?= _("Quick Install App") ?></h1>
+		<h1 class="u-mb20"><?= tohtml( _("Quick Install App")) ?></h1>
 		<?php show_alert_message($_SESSION); ?>
 		<div class="cards">
 			<!-- List available web apps -->
 			<?php foreach ($v_web_apps as $webapp): ?>
-				<div class="card <?= $webapp->isInstallable() ? "" : "disabled" ?>">
+				<div class="card <?= tohtml($webapp->isInstallable() ? "" : "disabled") ?>">
 					<div class="card-thumb">
-						<img src="/src/app/WebApp/Installers/<?= $webapp->name ?>/<?= $webapp->thumbnail ?>" alt="<?= $webapp->name ?>">
+						<img src="/src/app/WebApp/Installers/<?= tohtml($webapp->name) ?>/<?= tohtml($webapp->thumbnail) ?>" alt="<?= tohtml($webapp->name) ?>">
 					</div>
 					<div class="card-content">
-						<p class="card-title"><?= $webapp->name ?></p>
-						<p class="u-mb10"><?= _("Version") ?>: <?= $webapp->version ?></p>
-						<a class="button" href="/add/webapp/?app=<?= $webapp->name ?>&domain=<?= htmlentities($v_domain) ?>">
-							<?= _("Setup") ?>
+						<p class="card-title"><?= tohtml($webapp->name) ?></p>
+						<p class="u-mb10"><?= tohtml( _("Version")) ?>: <?= tohtml($webapp->version) ?></p>
+						<a class="button" href="/add/webapp/?<?= tohtml(http_build_query(["app" => $webapp->name, "domain" => $v_domain])) ?>">
+							<?= tohtml( _("Setup")) ?>
 						</a>
 					</div>
 				</div>
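Review bot: `<img src="/src/app/WebApp/Installers/<?= tohtml($webapp->name) ?>/<?= tohtml($webapp->thumbnail) ?>"` escapes for the attribute context but leaves path separators untouched, so a name or thumbnail containing `/` or `..` would still change the resolved path; since these come from the installer definitions rather than user input the risk is low, but `rawurlencode()` per segment would match the `http_build_query` treatment the Setup link now gets. Separately, `<?= tohtml($webapp->isInstallable() ? "" : "disabled") ?>` wraps two constant string literals in `tohtml()`, which adds nothing; keep the plain ternary there.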

+ 26 - 25
web/templates/pages/list_weblog.php

@@ -15,11 +15,12 @@
 		<header class="app-header">
 			<div class="top-bar">
 				<div class="container top-bar-inner">
-					<div class="top-bar-left">
-						<a href="/" class="top-bar-logo" title="<?= htmlentities($_SESSION['APP_NAME']);?>">
-							<img src="<?php if ( !empty($_SESSION['LOGO_HEADER'])){ echo $_SESSION['LOGO_HEADER']; } else{ echo "/images/logo-header.svg"; } ?>" alt="<?= htmlentities($_SESSION['APP_NAME']);?>" width="54" height="29">
-						</a>
-					</div>
+						<div class="top-bar-left">
+							<?php $logo_header = !empty($_SESSION['LOGO_HEADER']) ? $_SESSION['LOGO_HEADER'] : "/images/logo-header.svg"; ?>
+							<a href="/" class="top-bar-logo" title="<?= tohtml($_SESSION['APP_NAME']) ?>">
+								<img src="<?= tohtml($logo_header) ?>" alt="<?= tohtml($_SESSION['APP_NAME']) ?>" width="54" height="29">
+							</a>
+						</div>
 					<div class="top-bar-right">
 						<nav x-data="{ open: false }" class="top-bar-menu">
 							<button
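Review bot: the rewritten `<div class="top-bar-left">` block is indented one tab deeper than its sibling `<div class="top-bar-right">` on the following context line, so the diff reports six lines changed for what is a two-line logic change (the `$logo_header` fallback and the `tohtml()` wrapping). Restore the original indentation so the markup siblings align and the hunk shows only the substantive edit.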
@@ -27,58 +28,58 @@
 								class="top-bar-menu-link u-hide-tablet"
 								x-on:click="open = !open">
 								<i class="fas fa-bars"></i>
-								<span class="u-hidden" x-text="open ? '<?= _("Close menu") ?>' : '<?= _("Open menu") ?>'">
-									<?= _("Open menu") ?>
-								</span>
+									<span class="u-hidden" x-text="open ? <?= tohtml(json_encode(_("Close menu"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)) ?> : <?= tohtml(json_encode(_("Open menu"), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)) ?>">
+										<?= tohtml( _("Open menu")) ?>
+									</span>
 							</button>
 							<div x-cloak x-show="open" x-on:click.outside="open = false" class="top-bar-menu-panel">
 								<ul class="top-bar-menu-list">
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link" href="/list/web/" title="<?= _("Back") ?>">
+										<a class="top-bar-menu-link" href="/list/web/" title="<?= tohtml( _("Back")) ?>">
 											<i class="fas fa-circle-left"></i>
-											<span class="top-bar-menu-link-label"><?= _("Back") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("Back")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'access') echo 'active' ?>" href="/list/web-log/?domain=<?= htmlentities($_GET['domain']) ?>&type=access&token=<?= $_SESSION['token'] ?>" title="<?= _("View Logs") ?>">
+										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'access') echo 'active' ?>" href="/list/web-log/?<?= tohtml(http_build_query(["domain" => $_GET['domain'], "type" => 'access', "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("View Logs")) ?>">
 											<i class="fas fa-eye"></i>
-											<span class="top-bar-menu-link-label"><?= _("View Logs") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("View Logs")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'access') echo 'active' ?>" href="/download/web-log/?domain=<?= htmlentities($_GET['domain']) ?>&type=access&&token=<?= $_SESSION['token'] ?>" title="<?= _("Download") ?>">
+										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'access') echo 'active' ?>" href="/download/web-log/?<?= tohtml(http_build_query(["domain" => $_GET['domain'], "type" => 'access', "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("Download")) ?>">
 											<i class="fas fa-download"></i>
-											<span class="u-hidden"><?= _("Download") ?></span>
+											<span class="u-hidden"><?= tohtml( _("Download")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'error') echo 'active' ?>" href="/list/web-log/?domain=<?= htmlentities($_GET['domain']) ?>&type=error&token=<?= $_SESSION['token'] ?>" title="<?= _("Error Log") ?>">
+										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'error') echo 'active' ?>" href="/list/web-log/?<?= tohtml(http_build_query(["domain" => $_GET['domain'], "type" => 'error', "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("Error Log")) ?>">
 											<i class="fas fa-circle-exclamation"></i>
-											<span class="top-bar-menu-link-label"><?= _("Error Log") ?></span>
+											<span class="top-bar-menu-link-label"><?= tohtml( _("Error Log")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'error') echo 'active' ?>" href="/download/web-log/?domain=<?= htmlentities($_GET['domain']) ?>&type=error&token=<?= $_SESSION['token'] ?>" title="<?= _("Download") ?>">
+										<a class="top-bar-menu-link <?php if ($_GET['type'] == 'error') echo 'active' ?>" href="/download/web-log/?<?= tohtml(http_build_query(["domain" => $_GET['domain'], "type" => 'error', "token" => $_SESSION['token']])) ?>" title="<?= tohtml( _("Download")) ?>">
 											<i class="fas fa-download"></i>
-											<span class="u-hidden"><?= _("Download") ?></span>
+											<span class="u-hidden"><?= tohtml( _("Download")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link" href="javascript:location.reload();" title="<?= _("Refresh") ?>">
+										<a class="top-bar-menu-link" href="javascript:location.reload();" title="<?= tohtml( _("Refresh")) ?>">
 											<i class="fas fa-arrow-rotate-right"></i>
-											<span class="u-hidden"><?= _("Refresh") ?></span>
+											<span class="u-hidden"><?= tohtml( _("Refresh")) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link" href="/list/user/" title="<?= htmlentities($user) ?>">
+										<a class="top-bar-menu-link" href="/list/user/" title="<?= tohtml($user) ?>">
 											<i class="fas fa-circle-user"></i>
-											<span class="u-hidden"><?= htmlentities($user) ?></span>
+											<span class="u-hidden"><?= tohtml($user) ?></span>
 										</a>
 									</li>
 									<li class="top-bar-menu-item">
-										<a class="top-bar-menu-link top-bar-menu-link-logout" href="/logout/?token=<?= $_SESSION["token"] ?>" title="<?= _("Log out") ?>">
+										<a class="top-bar-menu-link top-bar-menu-link-logout" href="/logout/?<?= tohtml(http_build_query(["token" => $_SESSION["token"]])) ?>" title="<?= tohtml( _("Log out")) ?>">
 											<i class="fas fa-right-from-bracket"></i>
-											<span class="u-hidden"><?= _("Log out") ?></span>
+											<span class="u-hidden"><?= tohtml( _("Log out")) ?></span>
 										</a>
 									</li>
 								</ul>
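Review bot: the `<span class="u-hidden" x-text="...">` block has the same indentation drift as the previous hunk, sitting one tab deeper than the neighbouring `<i class="fas fa-bars"></i>`; revert the whitespace so only the `x-text` rewrite remains. That rewrite is the correct treatment for an Alpine expression: `json_encode` with `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` produces a JS string literal whose escapes survive the outer `tohtml()`, whereas the old `'<?= _("Close menu") ?>'` broke on any translation containing an apostrophe. Note the old access-log download link carried a doubled `&&token=`, which `http_build_query` now quietly fixes.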
@@ -94,6 +95,6 @@
 			<div class="logs-container">
 
 				<p class="u-text-center u-mb20">
-					<?= sprintf(_("Last 70 lines of %s.%s.log"), htmlentities($_GET["domain"]), htmlentities($type)) ?>
+					<?= tohtml(sprintf(_("Last 70 lines of %s.%s.log"), $_GET["domain"], $type)) ?>
 				</p>
 				<pre class="console-output">

+ 8 - 8
web/templates/pages/login/login_1.php

@@ -1,18 +1,18 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form id="login-form" method="post" action="/login/">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<h1 class="login-title">
-			<?= _("Welcome") ?> <?= htmlspecialchars($_SESSION["login"]["username"]) ?>!
+			<?= tohtml( _("Welcome")) ?> <?= tohtml($_SESSION["login"]["username"]) ?>!
 		</h1>
 		<div class="u-mb20">
 			<label for="password" class="form-label u-side-by-side">
-				<?= _("Password") ?>
+				<?= tohtml( _("Password")) ?>
 				<?php if ($_SESSION["POLICY_SYSTEM_PASSWORD_RESET"] !== "no") { ?>
 					<a class="login-form-link" href="/reset/">
-						<?= _("Forgot Password") ?>
+						<?= tohtml( _("Forgot Password")) ?>
 					</a>
 				<?php } ?>
 			</label>
@@ -20,10 +20,10 @@
 		</div>
 		<div class="u-side-by-side">
 			<button type="submit" class="button">
-				<i class="fas fa-right-to-bracket"></i><?= _("Login") ?>
+				<i class="fas fa-right-to-bracket"></i><?= tohtml( _("Login")) ?>
 			</button>
-			<a href="/login/?logout=true" class="button button-secondary">
-				<?= _("Back") ?>
+			<a href="/login/?<?= tohtml(http_build_query(["logout" => 'true'])) ?>" class="button button-secondary">
+				<?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</form>
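Review bot: `href="/login/?<?= tohtml(http_build_query(["logout" => 'true'])) ?>"` builds a constant query string at runtime; the original `/login/?logout=true` contained nothing that needed encoding, so a static literal is clearer. The other login templates touched in this commit (login_2.php, reset2fa.php, reset_1.php) keep `href="/login/?logout"` untouched, so the four back links now use two different forms of the same parameter; pick one and apply it consistently.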

+ 8 - 8
web/templates/pages/login/login_2.php

@@ -1,30 +1,30 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form id="login-form" method="post" action="/login/">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<h1 class="login-title">
-			<?= _("Two-factor Authentication") ?>
+			<?= tohtml( _("Two-factor Authentication")) ?>
 		</h1>
 		<?php if (!empty($error)) { ?>
-			<p class="error"><?= $error ?></p>
+			<p class="error"><?= tohtml($error) ?></p>
 		<?php } ?>
 		<div class="u-mb20">
 			<label for="twofa" class="form-label u-side-by-side">
-				<?= _("2FA Token") ?>
+				<?= tohtml( _("2FA Token")) ?>
 				<a class="login-form-link" href="/reset2fa/">
-					<?= _("Forgot Token") ?>
+					<?= tohtml( _("Forgot Token")) ?>
 				</a>
 			</label>
 			<input type="text" class="form-control" name="twofa" id="twofa" autocomplete="one-time-code" required autofocus>
 		</div>
 		<div class="u-side-by-side">
 			<button type="submit" class="button">
-				<i class="fas fa-right-to-bracket"></i><?= _("Login") ?>
+				<i class="fas fa-right-to-bracket"></i><?= tohtml( _("Login")) ?>
 			</button>
 			<a href="/login/?logout" class="button button-secondary">
-				<?= _("Back") ?>
+				<?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</form>

+ 8 - 8
web/templates/pages/login/login_a.php

@@ -1,32 +1,32 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form id="login-form" method="post" action="/login/">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<h1 class="login-title">
-			<?= sprintf(_("Welcome to %s"), htmlentities($_SESSION["APP_NAME"])) ?>
+			<?= tohtml(sprintf(_("Welcome to %s"), $_SESSION["APP_NAME"])) ?>
 		</h1>
 		<?php if (!empty($error)) { ?>
-			<p class="error"><?= $error ?></p>
+			<p class="error"><?= tohtml($error) ?></p>
 		<?php } ?>
 		<div class="u-mb10">
-			<label for="username" class="form-label"><?= _("Username") ?></label>
+			<label for="username" class="form-label"><?= tohtml( _("Username")) ?></label>
 			<input type="text" class="form-control" name="user" id="username" autocomplete="username" required autofocus>
 		</div>
 		<div class="u-mb20">
 			<label for="password" class="form-label u-side-by-side">
-				<?= _("Password") ?>
+				<?= tohtml( _("Password")) ?>
 				<?php if ($_SESSION["POLICY_SYSTEM_PASSWORD_RESET"] !== "no") { ?>
 					<a class="login-form-link" href="/reset/">
-						<?= _("Forgot Password") ?>
+						<?= tohtml( _("Forgot Password")) ?>
 					</a>
 				<?php } ?>
 			</label>
 			<input type="password" class="form-control" name="password" id="password" autocomplete="current-password" required>
 		</div>
 		<button type="submit" class="button">
-			<i class="fas fa-right-to-bracket"></i><?= _("Next") ?>
+			<i class="fas fa-right-to-bracket"></i><?= tohtml( _("Next")) ?>
 		</button>
 	</form>
 </div>

+ 10 - 10
web/templates/pages/login/reset2fa.php

@@ -1,42 +1,42 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<?php if ($success) { ?>
 		<div>
 			<h1 class="login-title">
-				<?= _("Account Unlocked") ?>
+				<?= tohtml( _("Account Unlocked")) ?>
 			</h1>
 			<div class="u-mt20">
 				<p><?_("Two-factor authentication is now turned off for your account.<br><br>You may now proceed to log in.");?></p>
 				<a href="/login/" class="button button-secondary">
-					<?= _("Log in") ?>
+					<?= tohtml( _("Log in")) ?>
 				</a>
 			</div>
 		</div>
 	<?php } else { ?>
 		<form method="post" action="/reset2fa/">
-			<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+			<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 			<h1 class="login-title">
-				<?= _("Unlock Account") ?>
+				<?= tohtml( _("Unlock Account")) ?>
 			</h1>
 			<?php if (!empty($error)) { ?>
-				<p class="error"><?= $error ?></p>
+				<p class="error"><?= tohtml($error) ?></p>
 			<?php } ?>
 			<div class="u-mb10">
-				<label for="user" class="form-label"><?= _("Username") ?></label>
+				<label for="user" class="form-label"><?= tohtml( _("Username")) ?></label>
 				<input type="text" class="form-control" name="user" id="user" autocomplete="username" required autofocus>
 			</div>
 			<div class="u-mb20">
-				<label for="twofa" class="form-label"><?= _("2FA Reset Code") ?></label>
+				<label for="twofa" class="form-label"><?= tohtml( _("2FA Reset Code")) ?></label>
 				<input type="text" class="form-control" name="twofa" id="twofa" autocomplete="off" required>
 			</div>
 			<div class="u-side-by-side">
 				<button type="submit" class="button">
-					<?= _("Submit") ?>
+					<?= tohtml( _("Submit")) ?>
 				</button>
 				<a href="/login/?logout" class="button button-secondary">
-					<?= _("Back") ?>
+					<?= tohtml( _("Back")) ?>
 				</a>
 			</div>
 		</form>
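Review bot: the untouched line `<p><?_("Two-factor authentication is now turned off for your account.<br><br>You may now proceed to log in.");?></p>` never prints anything: `<?` without `=` opens a code block that evaluates `_()` and discards the result (and only when `short_open_tag` is enabled; otherwise the raw source is emitted into the page). It was probably skipped because the string contains `<br>` and cannot simply be wrapped in `tohtml()`. Suggest `<?= _("...") ?>` with the markup moved out of the translatable string, e.g. two separate `<p><?= tohtml(_("...")) ?></p>` lines, so the message actually renders and stays consistent with the rest of this file.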

+ 8 - 8
web/templates/pages/login/reset_1.php

@@ -1,29 +1,29 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form method="post" action="/reset/">
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<h1 class="login-title">
-			<?= _("Forgot Password") ?>
+			<?= tohtml( _("Forgot Password")) ?>
 		</h1>
 		<?php if (!empty($error)) { ?>
-			<p class="error"><?= $error ?></p>
+			<p class="error"><?= tohtml($error) ?></p>
 		<?php } ?>
 		<div class="u-mb10">
-			<label for="username" class="form-label"><?= _("Username") ?></label>
+			<label for="username" class="form-label"><?= tohtml( _("Username")) ?></label>
 			<input type="text" class="form-control" name="user" id="username" autocomplete="username" required autofocus>
 		</div>
 		<div class="u-mb20">
-			<label for="email" class="form-label"><?= _("Email") ?></label>
+			<label for="email" class="form-label"><?= tohtml( _("Email")) ?></label>
 			<input type="email" class="form-control" name="email" id="email" autocomplete="email" required>
 		</div>
 		<div class="u-side-by-side">
 			<button type="submit" class="button">
-				<?= _("Submit") ?>
+				<?= tohtml( _("Submit")) ?>
 			</button>
 			<a href="/login/?logout" class="button button-secondary">
-				<?= _("Back") ?>
+				<?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</form>

+ 9 - 9
web/templates/pages/login/reset_2.php

@@ -1,30 +1,30 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form method="get" action="/reset/">
 		<h1 class="login-title">
-			<?= _("Forgot Password") ?>
+			<?= tohtml( _("Forgot Password")) ?>
 		</h1>
 		<?php if (!empty($error)) { ?>
-			<p class="error"><?= $error ?></p>
+			<p class="error"><?= tohtml($error) ?></p>
 		<?php } ?>
 		<p class="inline-success u-mb10">
-			<?= _("Password reset code has been sent to your email address") ?>
+			<?= tohtml( _("Password reset code has been sent to your email address")) ?>
 		</p>
 		<div class="u-mb20">
 			<input type="hidden" name="action" value="confirm">
-			<input type="hidden" name="token" value="<?= htmlentities($_SESSION["token"]) ?>">
-			<input type="hidden" name="user" value="<?= htmlentities($_GET["user"]) ?>">
-			<label for="code" class="form-label"><?= _("Reset Code") ?></label>
+			<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+			<input type="hidden" name="user" value="<?= tohtml($_GET["user"]) ?>">
+			<label for="code" class="form-label"><?= tohtml( _("Reset Code")) ?></label>
 			<input type="text" class="form-control" name="code" id="code" required autofocus>
 		</div>
 		<div class="u-side-by-side">
 			<button type="submit" class="button">
-				<?= _("Confirm") ?>
+				<?= tohtml( _("Confirm")) ?>
 			</button>
 			<a href="/reset/" class="button button-secondary">
-				<?= _("Back") ?>
+				<?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</form>
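Review bot: `<form method="get" action="/reset/">` submits the hidden `token` and `user` fields in the query string, so the session token now correctly escaped via `tohtml($_SESSION["token"])` ends up in access logs, browser history and outbound Referer headers. The escaping change is right; consider switching this step to `method="post"` as reset_3.php does, so the token stays in the request body.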

+ 10 - 10
web/templates/pages/login/reset_3.php

@@ -1,32 +1,32 @@
 <div class="login">
 	<a href="/" class="u-block u-mb40">
-		<img src="/images/logo.svg" alt="<?= htmlentities($_SESSION["APP_NAME"]) ?>" width="100" height="120">
+		<img src="/images/logo.svg" alt="<?= tohtml($_SESSION["APP_NAME"]) ?>" width="100" height="120">
 	</a>
 	<form method="post">
 		<h1 class="login-title">
-			<?= _("Forgot Password") ?>
+			<?= tohtml( _("Forgot Password")) ?>
 		</h1>
 		<?php if (!empty($error)) { ?>
-			<p class="error"><?= $error ?></p>
+			<p class="error"><?= tohtml($error) ?></p>
 		<?php } ?>
 		<div class="u-mb10">
 			<input type="hidden" name="action" value="confirm">
-			<input type="hidden" name="token" value="<?= htmlentities($_SESSION["token"]) ?>">
-			<input type="hidden" name="user" value="<?= htmlentities($_GET["user"]) ?>">
-			<input type="hidden" name="code" value="<?= htmlentities($_GET["code"]) ?>">
-			<label for="password" class="form-label"><?= _("New Password") ?></label>
+			<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+			<input type="hidden" name="user" value="<?= tohtml($_GET["user"]) ?>">
+			<input type="hidden" name="code" value="<?= tohtml($_GET["code"]) ?>">
+			<label for="password" class="form-label"><?= tohtml( _("New Password")) ?></label>
 			<input type="password" class="form-control" name="password" id="password" autocomplete="new-password" required autofocus>
 		</div>
 		<div class="u-mb20">
-			<label for="password_confirm" class="form-label"><?= _("Confirm Password") ?></label>
+			<label for="password_confirm" class="form-label"><?= tohtml( _("Confirm Password")) ?></label>
 			<input type="password" class="form-control" name="password_confirm" id="password_confirm" autocomplete="new-password" required>
 		</div>
 		<div class="u-side-by-side">
 			<button type="submit" class="button">
-				<?= _("Reset") ?>
+				<?= tohtml( _("Reset")) ?>
 			</button>
 			<a href="/login/" class="button button-secondary">
-				<?= _("Back") ?>
+				<?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 	</form>

+ 25 - 25
web/templates/pages/setup_webapp.php

@@ -2,13 +2,13 @@
 <div class="toolbar">
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
-			<a class="button button-secondary button-back js-button-back" href="/add/webapp/?domain=<?= htmlentities($v_domain) ?>">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+			<a class="button button-secondary button-back js-button-back" href="/add/webapp/?<?= tohtml(http_build_query(["domain" => $v_domain])) ?>">
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -20,18 +20,18 @@
 
 	<?php if (!empty($WebappInstaller->getOptions())) { ?>
 		<form id="main-form" method="POST" name="v_setup_webapp">
-			<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+			<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 			<input type="hidden" name="ok" value="true">
 
 			<div class="form-container">
-				<h1 class="u-mb20"><?= sprintf(_("Install %s"), $WebappInstaller->applicationName()) ?></h1>
+				<h1 class="u-mb20"><?= tohtml(sprintf(_("Install %s"), $WebappInstaller->applicationName())) ?></h1>
 				<?php show_alert_message($_SESSION); ?>
 				<?php if (!$WebappInstaller->isDomainRootClean()) { ?>
 					<div class="alert alert-info u-mb10" role="alert">
 						<i class="fas fa-info"></i>
 						<div>
-							<p class="u-mb10"><?= _("Data Loss Warning!") ?></p>
-							<p class="u-mb10"><?= _("Your web folder already has files uploaded to it. The installer will overwrite your files and/or the installation might fail.") ?></p>
+							<p class="u-mb10"><?= tohtml( _("Data Loss Warning!")) ?></p>
+							<p class="u-mb10"><?= tohtml( _("Your web folder already has files uploaded to it. The installer will overwrite your files and/or the installation might fail.")) ?></p>
 							<p><?php echo sprintf(_("Please make sure ~/web/%s/public_html is empty!"), $v_domain); ?></p>
 						</div>
 					</div>
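Review bot: `<p><?php echo sprintf(_("Please make sure ~/web/%s/public_html is empty!"), $v_domain); ?></p>` still echoes `$v_domain` unescaped while the two paragraphs directly above it were wrapped in `tohtml()`, and `$v_domain` is the same value this hunk's sibling change percent-encodes via `http_build_query`. Suggest `<?= tohtml(sprintf(_("Please make sure ~/web/%s/public_html is empty!"), $v_domain)) ?>` to match the `tohtml(sprintf(...))` pattern used for the `<h1>` in the same hunk.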
@@ -57,10 +57,10 @@
 				?>
 					<div class="u-mb10">
 						<?php if ($field_type != "boolean"): ?>
-							<label for="<?= $field_name ?>" class="form-label">
-								<?= $field_label ?>
+							<label for="<?= tohtml($field_name) ?>" class="form-label">
+								<?= tohtml($field_label) ?>
 								<?php if ($field_type == "password"): ?>
-									<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+									<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 										<i class="fas fa-arrows-rotate icon-green"></i>
 									</button>
 								<?php endif; ?>
@@ -68,12 +68,12 @@
 						<?php endif; ?>
 
 						<?php if ($field_type == "select" && count($form_control["options"])): ?>
-							<select class="form-select" name="<?= $field_name ?>" id="<?= $field_name ?>">
+							<select class="form-select" name="<?= tohtml($field_name) ?>" id="<?= tohtml($field_name) ?>">
 								<?php foreach ($form_control["options"] as $key => $option):
 									$key = !is_numeric($key) ? $key : $option;
 									$selected = (!empty($form_control["value"]) && $key == $form_control["value"]) ? "selected" : ""; ?>
-									<option value="<?= $key ?>" <?= $selected ?>>
-										<?= htmlentities($option) ?>
+									<option value="<?= tohtml($key) ?>" <?= tohtml($selected) ?>>
+										<?= tohtml($option) ?>
 									</option>
 								<?php endforeach; ?>
 							</select>
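Review bot: `<?= tohtml($selected) ?>` escapes a value that is always either the literal `selected` or an empty string, so it is harmless but redundant; the same applies to `tohtml($checked)` in the checkbox hunk below. The line worth a second look is `$selected = (!empty($form_control["value"]) && $key == $form_control["value"]) ? "selected" : "";`: the loose `==` compares numeric-looking strings numerically, so options whose keys differ only in form (e.g. `"1"` and `"1.0"`) can both render as selected. `===` makes the match exact and keeps a single option selected.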
@@ -83,13 +83,13 @@
 								<input
 									class="form-check-input"
 									type="checkbox"
-									name="<?= $field_name ?>"
-									id="<?= $field_name ?>"
+									name="<?= tohtml($field_name) ?>"
+									id="<?= tohtml($field_name) ?>"
 									value="true"
-									<?= $checked ?>
+									<?= tohtml($checked) ?>
 								>
-								<label for="<?= $field_name ?>">
-									<?= $field_label ?>
+								<label for="<?= tohtml($field_name) ?>">
+									<?= tohtml($field_label) ?>
 								</label>
 							</div>
 						<?php else: ?>
@@ -98,9 +98,9 @@
 									<input
 										type="text"
 										class="form-control js-password-input"
-										name="<?= $field_name ?>"
-										id="<?= $field_name ?>"
-										placeholder="<?= $field_placeholder ?>"
+										name="<?= tohtml($field_name) ?>"
+										id="<?= tohtml($field_name) ?>"
+										placeholder="<?= tohtml($field_placeholder) ?>"
 									>
 									<div class="password-meter">
 										<meter max="4" class="password-meter-input js-password-meter"></meter>
@@ -110,10 +110,10 @@
 								<input
 									type="text"
 									class="form-control"
-									name="<?= $field_name ?>"
-									id="<?= $field_name ?>"
-									placeholder="<?= $field_placeholder ?>"
-									value="<?= $field_value ?>"
+									name="<?= tohtml($field_name) ?>"
+									id="<?= tohtml($field_name) ?>"
+									placeholder="<?= tohtml($field_placeholder) ?>"
+									value="<?= tohtml($field_value) ?>"
 								>
 							<?php endif; ?>
 						<?php endif; ?>