
Add missing HTML/url encoding (5245-chunk11) (#5257)

* Add missing HTML/url encoding (5245-chunk11)
There were reports that some missing HTML encoding could lead to XSS/JavaScript injection.

Reviewable chunk of #5245 , which grew too large.
divinity76 3 päivää sitten
vanhempi
sitoutus
dc8674932b
2 muutettua tiedostoa jossa 100 lisäystä ja 100 poistoa
  1. 49 49
      web/templates/pages/edit_user.php
  2. 51 51
      web/templates/pages/list_stats.php

+ 49 - 49
web/templates/pages/edit_user.php

@@ -3,7 +3,7 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<a class="button button-secondary button-back js-button-back" href="/list/user/">
-				<i class="fas fa-arrow-left icon-blue"></i><?= _("Back") ?>
+				<i class="fas fa-arrow-left icon-blue"></i><?= tohtml( _("Back")) ?>
 			</a>
 			<?php
 				if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === '' ) && ($_SESSION['user'] !== $v_username)) {
@@ -16,25 +16,25 @@
 					$keys_url = "/list/access-key/";
 				}
 			?>
-			<a href="<?= $ssh_key_url; ?>" class="button button-secondary js-button-create" title="<?= _("Manage SSH Keys") ?>">
-				<i class="fas fa-key icon-orange"></i><?= _("Manage SSH Keys") ?>
+			<a href="<?= tohtml($ssh_key_url) ?>" class="button button-secondary js-button-create" title="<?= tohtml( _("Manage SSH Keys")) ?>">
+				<i class="fas fa-key icon-orange"></i><?= tohtml( _("Manage SSH Keys")) ?>
 			</a>
 			<?php if ($_SESSION["userContext"] == "admin" || ($_SESSION["userContext"] !== "admin" && $_SESSION["POLICY_USER_VIEW_LOGS"] !== "no")) { ?>
-				<a href="<?= $log_url ?>" class="button button-secondary js-button-create" title="<?= _("Logs") ?>">
-					<i class="fas fa-clock-rotate-left icon-maroon"></i><?= _("Logs") ?>
+				<a href="<?= tohtml($log_url) ?>" class="button button-secondary js-button-create" title="<?= tohtml( _("Logs")) ?>">
+					<i class="fas fa-clock-rotate-left icon-maroon"></i><?= tohtml( _("Logs")) ?>
 				</a>
 			<?php } ?>
 			<?php
 				$api_status = (!empty($_SESSION['API_SYSTEM']) && is_numeric($_SESSION['API_SYSTEM'])) ? $_SESSION['API_SYSTEM'] : 0;
 				if (($user_plain == $_SESSION['ROOT_USER'] && $api_status > 0) || ($user_plain != $_SESSION['ROOT_USER'] && $api_status > 1)) { ?>
-				<a href="<?= $keys_url; ?>" class="button button-secondary js-button-create" title="<?= _("Access Keys") ?>">
-					<i class="fas fa-key icon-purple"></i><?= _("Access Keys") ?>
+				<a href="<?= tohtml($keys_url) ?>" class="button button-secondary js-button-create" title="<?= tohtml( _("Access Keys")) ?>">
+					<i class="fas fa-key icon-purple"></i><?= tohtml( _("Access Keys")) ?>
 				</a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-buttons">
 			<button type="submit" class="button" form="main-form">
-				<i class="fas fa-floppy-disk icon-purple"></i><?= _("Save") ?>
+				<i class="fas fa-floppy-disk icon-purple"></i><?= tohtml( _("Save")) ?>
 			</button>
 		</div>
 	</div>
@@ -45,49 +45,49 @@
 
 	<form
 		x-data="{
-			loginDisabled: <?= $v_login_disabled === "yes" ? "true" : "false" ?>,
-			useIpAllowList: <?= $v_login_use_iplist === "yes" ? "true" : "false" ?>,
+			loginDisabled: <?= tohtml($v_login_disabled === "yes" ? "true" : "false") ?>,
+			useIpAllowList: <?= tohtml($v_login_use_iplist === "yes" ? "true" : "false") ?>,
 			showAdvanced: false,
 		}"
 		id="main-form"
 		method="post"
 		name="v_edit_user"
-		class="<?= $v_status ?>"
+		class="<?= tohtml($v_status) ?>"
 	>
-		<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+		<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 		<input type="hidden" name="save" value="save">
 
 		<div class="form-container">
-			<h1 class="u-mb20"><?= _("Edit User") ?></h1>
+			<h1 class="u-mb20"><?= tohtml( _("Edit User")) ?></h1>
 			<?php show_alert_message($_SESSION); ?>
 			<div class="u-mb10">
-				<label for="v_user" class="form-label"><?= _("Username") ?></label>
-				<input type="text" class="form-control" name="v_user" id="v_user" value="<?= htmlentities(trim($v_username, "'")) ?>" disabled required>
-				<input type="hidden" name="v_username" value="<?= htmlentities(trim($v_username, "'")) ?>">
+				<label for="v_user" class="form-label"><?= tohtml( _("Username")) ?></label>
+				<input type="text" class="form-control" name="v_user" id="v_user" value="<?= tohtml(trim($v_username, "'")) ?>" disabled required>
+				<input type="hidden" name="v_username" value="<?= tohtml(trim($v_username, "'")) ?>">
 			</div>
 			<div class="u-mb10">
-				<label for="v_name" class="form-label"><?= _("Contact Name") ?></label>
-				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= htmlentities(trim($v_name, "'")) ?>" <?php if (($_SESSION['userContext'] !=='admin' ) && ($_SESSION['POLICY_USER_EDIT_DETAILS'] !=='yes' )) { echo 'disabled' ; }?> required>
+				<label for="v_name" class="form-label"><?= tohtml( _("Contact Name")) ?></label>
+				<input type="text" class="form-control" name="v_name" id="v_name" value="<?= tohtml(trim($v_name, "'")) ?>" <?php if (($_SESSION['userContext'] !=='admin' ) && ($_SESSION['POLICY_USER_EDIT_DETAILS'] !=='yes' )) { echo 'disabled' ; }?> required>
 				<?php if (($_SESSION['userContext'] !== 'admin') && ($_SESSION['POLICY_USER_EDIT_DETAILS'] !== 'yes')) { ?>
-					<input type="hidden" name="v_name" value="<?= htmlentities(trim($v_name, "'")) ?>">
+					<input type="hidden" name="v_name" value="<?= tohtml(trim($v_name, "'")) ?>">
 				<?php } ?>
 			</div>
 			<div class="u-mb10">
-				<label for="v_email" class="form-label"><?= _("Email") ?></label>
-				<input type="email" class="form-control" name="v_email" id="v_email" value="<?= htmlentities(trim($v_email, "'")) ?>" <?php if (($_SESSION['userContext'] !=='admin' ) && ($_SESSION['POLICY_USER_EDIT_DETAILS'] !=='yes' )) { echo 'disabled' ; }?> required>
+				<label for="v_email" class="form-label"><?= tohtml( _("Email")) ?></label>
+				<input type="email" class="form-control" name="v_email" id="v_email" value="<?= tohtml(trim($v_email, "'")) ?>" <?php if (($_SESSION['userContext'] !=='admin' ) && ($_SESSION['POLICY_USER_EDIT_DETAILS'] !=='yes' )) { echo 'disabled' ; }?> required>
 				<?php if (($_SESSION['userContext'] !== 'admin') && ($_SESSION['POLICY_USER_EDIT_DETAILS'] !== 'yes')) { ?>
-					<input type="hidden" name="v_email" value="<?= htmlentities(trim($v_email, "'")) ?>">
+					<input type="hidden" name="v_email" value="<?= tohtml(trim($v_email, "'")) ?>">
 				<?php } ?>
 			</div>
 			<div class="u-mb10">
 				<label for="v_password" class="form-label">
-					<?= _("Password") ?>
-					<button type="button" title="<?= _("Generate") ?>" class="u-unstyled-button u-ml5 js-generate-password">
+					<?= tohtml( _("Password")) ?>
+					<button type="button" title="<?= tohtml( _("Generate")) ?>" class="u-unstyled-button u-ml5 js-generate-password">
 						<i class="fas fa-arrows-rotate icon-green"></i>
 					</button>
 				</label>
 				<div class="u-pos-relative u-mb10">
-					<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= htmlentities(trim($v_password, "'")) ?>">
+					<input type="text" class="form-control js-password-input" name="v_password" id="v_password" value="<?= tohtml(trim($v_password, "'")) ?>">
 					<div class="password-meter">
 						<meter max="4" class="password-meter-input js-password-meter"></meter>
 					</div>
@@ -99,7 +99,7 @@
 					<div class="form-check">
 						<input x-model="loginDisabled" class="form-check-input" type="checkbox" name="v_login_disabled" id="v_login_disabled">
 						<label for="v_login_disabled">
-							<?= _("Do not allow user to log in to Control Panel") ?>
+							<?= tohtml( _("Do not allow user to log in to Control Panel")) ?>
 						</label>
 					</div>
 				<?php } ?>
@@ -107,14 +107,14 @@
 					<div class="form-check">
 						<input class="form-check-input" type="checkbox" name="v_twofa" id="v_twofa" <?php if (!empty($v_twofa)) echo 'checked' ?>>
 						<label for="v_twofa">
-							<?= _("Enable two-factor authentication") ?>
+							<?= tohtml( _("Enable two-factor authentication")) ?>
 						</label>
 					</div>
 					<?php if (!empty($v_twofa)) { ?>
-						<p class="u-mb10"><?= _("Account Recovery Code") . ": " . $v_twofa ?></p>
-						<p class="u-mb10"><?= _("Please scan the code below in your 2FA application") ?>:</p>
+						<p class="u-mb10"><?= tohtml( _("Account Recovery Code") . ": " . $v_twofa) ?></p>
+						<p class="u-mb10"><?= tohtml( _("Please scan the code below in your 2FA application")) ?>:</p>
 						<div class="u-mb10">
-							<img class="qr-code" src="<?= htmlentities($v_qrcode) ?>" alt="<?= _("2FA QR Code") ?>">
+							<img class="qr-code" src="<?= tohtml($v_qrcode) ?>" alt="<?= tohtml( _("2FA QR Code")) ?>">
 						</div>
 					<?php } ?>
 				</div>
@@ -122,16 +122,16 @@
 					<div class="form-check">
 						<input x-model="useIpAllowList" class="form-check-input" type="checkbox" name="v_login_use_iplist" id="v_login_use_iplist">
 						<label for="v_login_use_iplist">
-							<?= _("Use IP address allow list for login attempts") ?>
+							<?= tohtml( _("Use IP address allow list for login attempts")) ?>
 						</label>
 					</div>
 				</div>
 				<div x-cloak x-show="useIpAllowList" id="ip-allowlist" class="u-mt10">
-					<input type="text" class="form-control" name="v_login_allowed_ips" value="<?= htmlentities(trim($v_login_allowed_ips, "'")) ?>" placeholder="<?= _("For example") ?>: 127.0.0.1,192.168.1.100">
+					<input type="text" class="form-control" name="v_login_allowed_ips" value="<?= tohtml(trim($v_login_allowed_ips, "'")) ?>" placeholder="<?= tohtml( _("For example")) ?>: 127.0.0.1,192.168.1.100">
 				</div>
 			</div>
 			<div class="u-mb10">
-				<label for="v_language" class="form-label"><?= _("Language") ?></label>
+				<label for="v_language" class="form-label"><?= tohtml( _("Language")) ?></label>
 				<select class="form-select" name="v_language" id="v_language" required>
 					<?php
 						foreach ($languages as $key => $value) {
@@ -150,17 +150,17 @@
 			</div>
 			<?php if ($v_username != "admin" && $_SESSION["userContext"] === "admin" && $_SESSION["user"] != $v_username): ?>
 				<div class="u-mb10">
-					<label for="v_role" class="form-label"><?= _("Role") ?></label>
+					<label for="v_role" class="form-label"><?= tohtml( _("Role")) ?></label>
 					<select class="form-select" name="v_role" id="v_role" required>
-						<option value="user"><?= _("User") ?></option>
-						<option value="admin" <?= $v_role == "admin" ? "selected" : "" ?>><?= _("Administrator") ?></option>
-						<option value="dns-cluster" <?= $v_role == "dns-cluster" ? "selected" : "" ?>><?= _("DNS Sync User") ?></option>
+						<option value="user"><?= tohtml( _("User")) ?></option>
+						<option value="admin" <?= tohtml($v_role == "admin" ? "selected" : "") ?>><?= tohtml( _("Administrator")) ?></option>
+						<option value="dns-cluster" <?= tohtml($v_role == "dns-cluster" ? "selected" : "") ?>><?= tohtml( _("DNS Sync User")) ?></option>
 					</select>
 				</div>
 			<?php endif; ?>
 			<?php if ($_SESSION["POLICY_USER_CHANGE_THEME"] !== "no") { ?>
 			<div class="u-mb10">
-				<label for="v_user_theme" class="form-label"><?= _("Theme") ?></label>
+				<label for="v_user_theme" class="form-label"><?= tohtml( _("Theme")) ?></label>
 				<select class="form-select" name="v_user_theme" id="v_user_theme">
 					<?php
 						foreach ($themes as $key => $value) {
@@ -178,15 +178,15 @@
 			</div>
 			<?php } ?>
 				<div class="u-mb10">
-					<label for="v_sort_order" class="form-label"><?= _("Default List Sort Order") ?></label>
+					<label for="v_sort_order" class="form-label"><?= tohtml( _("Default List Sort Order")) ?></label>
 					<select class="form-select" name="v_sort_order" id="v_sort_order">
-						<option value='date' <?php if ($v_sort_order === 'date') echo 'selected' ?>><?= _("Date") ?></option>
-						<option value='name' <?php if ($v_sort_order === 'name') echo 'selected' ?>><?= _("Name") ?></option>
+						<option value='date' <?php if ($v_sort_order === 'date') echo 'selected' ?>><?= tohtml( _("Date")) ?></option>
+						<option value='name' <?php if ($v_sort_order === 'name') echo 'selected' ?>><?= tohtml( _("Name")) ?></option>
 					</select>
 				</div>
 			<?php if ($_SESSION['userContext'] === 'admin') { ?>
 				<div class="u-mb20">
-					<label for="v_package" class="form-label"><?= _("Package") ?></label>
+					<label for="v_package" class="form-label"><?= tohtml( _("Package")) ?></label>
 					<select class="form-select" name="v_package" id="v_package" required>
 						<?php
 							foreach ($packages as $key => $value) {
@@ -202,12 +202,12 @@
 				</div>
 				<div class="u-mb20">
 					<button x-on:click="showAdvanced = !showAdvanced" type="button" class="button button-secondary">
-						<?= _("Advanced Options") ?>
+						<?= tohtml( _("Advanced Options")) ?>
 					</button>
 				</div>
 				<div x-cloak x-show="showAdvanced">
 					<div class="u-mb10">
-						<label for="v_shell" class="form-label"><?= _("SSH Access") ?></label>
+						<label for="v_shell" class="form-label"><?= tohtml( _("SSH Access")) ?></label>
 						<select class="form-select" name="v_shell" id="v_shell">
 							<?php
 								foreach ($shells as $key => $value) {
@@ -222,7 +222,7 @@
 						</select>
 					</div>
 					<div class="u-mb10">
-						<label for="v_phpcli" class="form-label"><?= _("PHP CLI Version") ?></label>
+						<label for="v_phpcli" class="form-label"><?= tohtml( _("PHP CLI Version")) ?></label>
 						<select class="form-select" name="v_phpcli" id="v_phpcli">
 							<?php
 								foreach ($php_versions as $key => $value) {
@@ -241,16 +241,16 @@
 						</select>
 					</div>
 					<?php if ((isset($_SESSION['DNS_SYSTEM'])) && (!empty($_SESSION['DNS_SYSTEM']))) { ?>
-						<p class="form-label u-mb10"><?= _("Default Name Servers") ?></p>
+						<p class="form-label u-mb10"><?= tohtml( _("Default Name Servers")) ?></p>
 						<div class="u-mb5">
-							<input type="text" class="form-control" name="v_ns1" value="<?= htmlentities(trim($v_ns1, "'")) ?>">
+							<input type="text" class="form-control" name="v_ns1" value="<?= tohtml(trim($v_ns1, "'")) ?>">
 						</div>
 						<div class="u-mb5">
-							<input type="text" class="form-control" name="v_ns2" value="<?= htmlentities(trim($v_ns2, "'")) ?>">
+							<input type="text" class="form-control" name="v_ns2" value="<?= tohtml(trim($v_ns2, "'")) ?>">
 						</div>
 						<?php require $_SERVER["HESTIA"] . "/web/templates/includes/extra-ns-fields.php"; ?>
 						<button type="button" class="form-link u-mt20 js-add-ns" <?php if ($v_ns8) echo 'style="display:none;"'; ?>>
-							<?= _("Add Name Server") ?>
+							<?= tohtml( _("Add Name Server")) ?>
 						</button>
 					<?php } ?>
 				</div>
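Review bot: In hunk `@@ -107,14 +107,14 @@`, `src="<?= tohtml($v_qrcode) ?>"` is a URL-valued attribute, and HTML encoding only prevents breaking out of the attribute quotes; it does not constrain which scheme the browser is handed. `$v_qrcode` is presumably a server-generated `data:` URI, in which case this is fine, but that is not visible in the diff; an explicit guard such as `src="<?= str_starts_with($v_qrcode, 'data:image/') ? tohtml($v_qrcode) : '' ?>"` would make the assumption checkable rather than implicit. The `<option>` bodies of the `foreach` loops over `$languages`, `$themes`, `$packages`, `$shells` and `$php_versions` lie outside the hunks, so whether those values are encoded cannot be confirmed from this change. Separately, the call style alternates between `tohtml( _("…"))` and `tohtml($var)`; dropping the stray space after the opening parenthesis keeps the new calls consistent.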

+ 51 - 51
web/templates/pages/list_stats.php

@@ -3,15 +3,15 @@
 	<div class="toolbar-inner">
 		<div class="toolbar-buttons">
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION["look"] == '') { ?>
-				<a class="button button-secondary" href='/list/stats/'><i class="fas fa-binoculars icon-lightblue"></i><?= _("Overall Statistics") ?></a>
+				<a class="button button-secondary" href='/list/stats/'><i class="fas fa-binoculars icon-lightblue"></i><?= tohtml( _("Overall Statistics")) ?></a>
 			<?php } ?>
 		</div>
 		<div class="toolbar-right">
 			<?php if ($_SESSION["userContext"] === "admin" && $_SESSION["look"] == '') { ?>
 				<form x-data x-bind="BulkEdit" action="/list/stats/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
 					<select class="form-select" name="user">
-						<option value=""><?= _("Show Per User") ?></option>
+						<option value=""><?= tohtml( _("Show Per User")) ?></option>
 						<?php
 							foreach ($users as $key => $value) {
 								if (($_SESSION['POLICY_SYSTEM_HIDE_ADMIN'] === 'yes') && ($value === 'admin')) {
@@ -26,16 +26,16 @@
 							}
 						?>
 					</select>
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Apply to selected") ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Apply to selected")) ?>">
 						<i class="fas fa-arrow-right"></i>
 					</button>
 				</form>
 			<?php } ?>
 			<div class="toolbar-search">
 				<form action="/search/" method="get">
-					<input type="hidden" name="token" value="<?= $_SESSION["token"] ?>">
-					<input type="search" class="form-control js-search-input" name="q" value="<? echo isset($_POST['q']) ? htmlspecialchars($_POST['q']) : '' ?>" title="<?= _("Search") ?>">
-					<button type="submit" class="toolbar-input-submit" title="<?= _("Search") ?>">
+					<input type="hidden" name="token" value="<?= tohtml($_SESSION["token"]) ?>">
+					<input type="search" class="form-control js-search-input" name="q" value="<?= tohtml($_POST['q'] ?? '') ?>" title="<?= tohtml( _("Search")) ?>">
+					<button type="submit" class="toolbar-input-submit" title="<?= tohtml( _("Search")) ?>">
 						<i class="fas fa-magnifying-glass"></i>
 					</button>
 				</form>
@@ -66,75 +66,75 @@
 					<div class="stats-item-summary">
 						<h3 class="stats-item-summary-title">
 							<span class="u-text-bold">
-								<i class="fas fa-right-left icon-dim icon-large u-mr5" title="<?= _("Bandwidth") ?>"></i>
-								<?= _("Bandwidth") ?>
+								<i class="fas fa-right-left icon-dim icon-large u-mr5" title="<?= tohtml( _("Bandwidth")) ?>"></i>
+								<?= tohtml( _("Bandwidth")) ?>
 							</span>
 							<span class="u-mr10">
-								<span class="u-text-bold"><?= humanize_usage_size($data[$key]["U_BANDWIDTH"]) ?></span>
-								<?= humanize_usage_measure($data[$key]["U_BANDWIDTH"]) ?> / <span class="u-text-bold"><?= humanize_usage_size($data[$key]["BANDWIDTH"]) ?></span>
-									<?= humanize_usage_measure($data[$key]["BANDWIDTH"]) ?>
+								<span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["U_BANDWIDTH"])) ?></span>
+								<?= tohtml(humanize_usage_measure($data[$key]["U_BANDWIDTH"])) ?> / <span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["BANDWIDTH"])) ?></span>
+									<?= tohtml(humanize_usage_measure($data[$key]["BANDWIDTH"])) ?>
 							</span>
 						</h3>
 						<ul class="stats-item-summary-list u-mb10">
 							<li class="stats-item-summary-list-item">
 								<span>
 									<?php if ($_SESSION["userContext"] === "admin" || ($_SESSION["userContext"] === "user" && $data[$key]["IP_OWNED"] != "0")) { ?>
-										<?= _("IP Addresses") ?>:
+										<?= tohtml( _("IP Addresses")) ?>:
 									<?php } ?>
 								</span>
 								<span>
-									<span class="u-text-bold"><?= $data[$key]["IP_OWNED"] ?></span>
-									<?= _("IPs") ?>
+									<span class="u-text-bold"><?= tohtml($data[$key]["IP_OWNED"]) ?></span>
+									<?= tohtml( _("IPs")) ?>
 								</span>
 							</li>
 						</ul>
 						<h3 class="stats-item-summary-title">
 							<span class="u-text-bold">
 								<i class="fas fa-hard-drive icon-dim icon-large u-mr5" title="Disk"></i>
-								<?= _("Disk") ?>
+								<?= tohtml( _("Disk")) ?>
 							</span>
 							<span class="u-mr10">
-								<span class="u-text-bold"><?= humanize_usage_size($data[$key]["U_DISK"]) ?></span>
-								<?= humanize_usage_measure($data[$key]["U_DISK"]) ?> / <span class="u-text-bold"><?= humanize_usage_size($data[$key]["DISK_QUOTA"]) ?></span>
-										<?= humanize_usage_measure($data[$key]["DISK_QUOTA"]) ?>
+								<span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["U_DISK"])) ?></span>
+								<?= tohtml(humanize_usage_measure($data[$key]["U_DISK"])) ?> / <span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["DISK_QUOTA"])) ?></span>
+										<?= tohtml(humanize_usage_measure($data[$key]["DISK_QUOTA"])) ?>
 								</span>
 							</span>
 						</h3>
 						<ul class="stats-item-summary-list">
 							<li class="stats-item-summary-list-item">
 								<span>
-									<?= _("Web") ?>:
+									<?= tohtml( _("Web")) ?>:
 								</span>
 								<span>
-									<span class="u-text-bold"><?= humanize_usage_size($data[$key]["U_DISK_WEB"]) ?></span>
-									<?= humanize_usage_measure($data[$key]["U_DISK_WEB"]) ?>
+									<span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["U_DISK_WEB"])) ?></span>
+									<?= tohtml(humanize_usage_measure($data[$key]["U_DISK_WEB"])) ?>
 								</span>
 							</li>
 							<li class="stats-item-summary-list-item u-mb5">
 								<span>
-									<?= _("Databases") ?>:
+									<?= tohtml( _("Databases")) ?>:
 								</span>
 								<span>
-									<span class="u-text-bold"><?= humanize_usage_size($data[$key]["U_DISK_DB"]) ?></span>
-									<?= humanize_usage_measure($data[$key]["U_DISK_DB"]) ?>
+									<span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["U_DISK_DB"])) ?></span>
+									<?= tohtml(humanize_usage_measure($data[$key]["U_DISK_DB"])) ?>
 								</span>
 							</li>
 							<li class="stats-item-summary-list-item">
 								<span>
-									<?= _("Mail") ?>:
+									<?= tohtml( _("Mail")) ?>:
 								</span>
 								<span>
-									<span class="u-text-bold"><?= humanize_usage_size($data[$key]["U_DISK_MAIL"]) ?></span>
-									<?= humanize_usage_measure($data[$key]["U_DISK_MAIL"]) ?>
+									<span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["U_DISK_MAIL"])) ?></span>
+									<?= tohtml(humanize_usage_measure($data[$key]["U_DISK_MAIL"])) ?>
 								</span>
 							</li>
 							<li class="stats-item-summary-list-item">
 								<span>
-									<?= _("User Directory") ?>:
+									<?= tohtml( _("User Directory")) ?>:
 								</span>
 								<span>
-									<span class="u-text-bold"><?= humanize_usage_size($data[$key]["U_DISK_DIRS"]) ?></span>
-									<?= humanize_usage_measure($data[$key]["U_DISK_DIRS"]) ?>
+									<span class="u-text-bold"><?= tohtml(humanize_usage_size($data[$key]["U_DISK_DIRS"])) ?></span>
+									<?= tohtml(humanize_usage_measure($data[$key]["U_DISK_DIRS"])) ?>
 								</span>
 							</li>
 						</ul>
@@ -143,82 +143,82 @@
 					<ul class="stats-item-list">
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Web Domains") ?>:
+								<?= tohtml( _("Web Domains")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_WEB_DOMAINS"] ?>
+								<?= tohtml($data[$key]["U_WEB_DOMAINS"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Mail Domains") ?>:
+								<?= tohtml( _("Mail Domains")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_MAIL_DOMAINS"] ?>
+								<?= tohtml($data[$key]["U_MAIL_DOMAINS"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("SSL Domains") ?>:
+								<?= tohtml( _("SSL Domains")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_WEB_SSL"] ?>
+								<?= tohtml($data[$key]["U_WEB_SSL"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Mail Accounts") ?>:
+								<?= tohtml( _("Mail Accounts")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_MAIL_ACCOUNTS"] ?>
+								<?= tohtml($data[$key]["U_MAIL_ACCOUNTS"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Web Aliases") ?>:
+								<?= tohtml( _("Web Aliases")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_WEB_ALIASES"] ?>
+								<?= tohtml($data[$key]["U_WEB_ALIASES"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Databases") ?>:
+								<?= tohtml( _("Databases")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_DATABASES"] ?>
+								<?= tohtml($data[$key]["U_DATABASES"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("DNS Zones") ?>:
+								<?= tohtml( _("DNS Zones")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_DNS_DOMAINS"] ?>
+								<?= tohtml($data[$key]["U_DNS_DOMAINS"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Cron Jobs") ?>:
+								<?= tohtml( _("Cron Jobs")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_CRON_JOBS"] ?>
+								<?= tohtml($data[$key]["U_CRON_JOBS"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("DNS Records") ?>:
+								<?= tohtml( _("DNS Records")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_DNS_RECORDS"] ?>
+								<?= tohtml($data[$key]["U_DNS_RECORDS"]) ?>
 							</span>
 						</li>
 						<li class="stats-item-list-item">
 							<span class="stats-item-list-item-label">
-								<?= _("Backups") ?>:
+								<?= tohtml( _("Backups")) ?>:
 							</span>
 							<span class="stats-item-list-item-value">
-								<?= $data[$key]["U_BACKUPS"] ?>
+								<?= tohtml($data[$key]["U_BACKUPS"]) ?>
 							</span>
 						</li>
 					</ul>
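Review bot: In hunk `@@ -26,16 +26,16 @@`, `tohtml($_POST['q'] ?? '')` still assumes `q` is a scalar; a request sending `q[]=…` hands an array to `tohtml`, which on PHP 8 is a `TypeError` (or the literal string `Array`, depending on how `tohtml` is declared, which is not visible here) rather than an empty prefill. A type check keeps the field robust: `value="<?= tohtml(is_string($_POST['q'] ?? null) ? $_POST['q'] : '') ?>"`. The surrounding form submits with `method="get"` to `/search/`, so it is unclear that `$_POST['q']` is ever populated when this page renders; `$_GET['q']` may be what was intended, worth confirming against the search handler. Replacing the old `<? echo` short tag with `<?=` is a welcome side effect, since the previous form depended on `short_open_tag`.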