
Fix XXS issues (#2432)

* XSS patches

* Resolve XSS vulnerability

* Resolve XSS vulnerability

* Prevent showing the edit form for non-existing records

* Improve error handling message

Create a function

* Make sure $user from $_SESSION is escapeshellarg

Prevent double escapeshellarg in Edit/web/index

* Enable translateable errors in /inc/main.php

Fix  "White" screen issue when trying to loginas non existing user

* Prevent double escapeshellarg()

* Do not remove unset($output)

* Resolve linting errors
Jaap Marcus 4 лет назад
Родитель
Сommit
ee10e22751
89 измененных файлов с 233 добавлено и 697 удалено
  1. 5 1
      install/deb/phpmyadmin/hestia-sso.php
  2. 2 3
      web/delete/backup/exclusion/index.php
  3. 2 3
      web/delete/backup/index.php
  4. 2 2
      web/delete/cron/index.php
  5. 2 3
      web/delete/db/index.php
  6. 10 5
      web/delete/dns/index.php
  7. 2 3
      web/delete/key/index.php
  8. 3 4
      web/delete/log/auth/index.php
  9. 13 10
      web/delete/log/index.php
  10. 10 4
      web/delete/mail/index.php
  11. 2 3
      web/delete/notification/index.php
  12. 2 3
      web/delete/web/cache/index.php
  13. 2 3
      web/delete/web/index.php
  14. 1 2
      web/download/backup/index.php
  15. 1 1
      web/edit/cron/index.php
  16. 1 1
      web/edit/db/index.php
  17. 6 3
      web/edit/dns/index.php
  18. 1 1
      web/edit/firewall/index.php
  19. 1 1
      web/edit/ip/index.php
  20. 2 12
      web/edit/mail/index.php
  21. 1 0
      web/edit/package/index.php
  22. 2 1
      web/edit/user/index.php
  23. 3 9
      web/edit/web/index.php
  24. 32 4
      web/inc/main.php
  25. 3 0
      web/login/index.php
  26. 1 2
      web/suspend/cron/index.php
  27. 1 2
      web/suspend/db/index.php
  28. 2 4
      web/suspend/dns/index.php
  29. 2 3
      web/suspend/mail/index.php
  30. 1 2
      web/suspend/user/index.php
  31. 1 1
      web/suspend/web/index.php
  32. 1 1
      web/templates/includes/title.html
  33. 1 14
      web/templates/pages/add_cron.html
  34. 1 14
      web/templates/pages/add_db.html
  35. 1 14
      web/templates/pages/add_dns.html
  36. 1 14
      web/templates/pages/add_dns_rec.html
  37. 1 14
      web/templates/pages/add_firewall.html
  38. 1 14
      web/templates/pages/add_firewall_banlist.html
  39. 1 14
      web/templates/pages/add_firewall_ipset.html
  40. 1 14
      web/templates/pages/add_ip.html
  41. 1 14
      web/templates/pages/add_key.html
  42. 1 14
      web/templates/pages/add_mail.html
  43. 5 18
      web/templates/pages/add_mail_acc.html
  44. 1 14
      web/templates/pages/add_package.html
  45. 1 14
      web/templates/pages/add_user.html
  46. 4 17
      web/templates/pages/add_web.html
  47. 1 14
      web/templates/pages/edit_backup_exclusions.html
  48. 1 14
      web/templates/pages/edit_cron.html
  49. 1 14
      web/templates/pages/edit_db.html
  50. 1 14
      web/templates/pages/edit_dns.html
  51. 1 14
      web/templates/pages/edit_dns_rec.html
  52. 1 14
      web/templates/pages/edit_firewall.html
  53. 1 14
      web/templates/pages/edit_ip.html
  54. 11 23
      web/templates/pages/edit_mail.html
  55. 4 17
      web/templates/pages/edit_mail_acc.html
  56. 1 14
      web/templates/pages/edit_package.html
  57. 1 16
      web/templates/pages/edit_server.html
  58. 1 14
      web/templates/pages/edit_server_bind9.html
  59. 1 14
      web/templates/pages/edit_server_dovecot.html
  60. 1 14
      web/templates/pages/edit_server_httpd.html
  61. 1 14
      web/templates/pages/edit_server_mysql.html
  62. 1 14
      web/templates/pages/edit_server_nginx.html
  63. 1 14
      web/templates/pages/edit_server_pgsql.html
  64. 1 14
      web/templates/pages/edit_server_php.html
  65. 1 14
      web/templates/pages/edit_server_service.html
  66. 7 20
      web/templates/pages/edit_user.html
  67. 8 21
      web/templates/pages/edit_web.html
  68. 1 14
      web/templates/pages/generate_ssl.html
  69. 1 2
      web/templates/pages/list_backup_detail.html
  70. 2 2
      web/templates/pages/list_cron.html
  71. 2 2
      web/templates/pages/list_db.html
  72. 2 2
      web/templates/pages/list_dns.html
  73. 2 2
      web/templates/pages/list_dns_rec.html
  74. 2 2
      web/templates/pages/list_mail.html
  75. 5 5
      web/templates/pages/list_mail_acc.html
  76. 3 2
      web/templates/pages/list_packages.html
  77. 4 17
      web/templates/pages/list_ssl.html
  78. 2 2
      web/templates/pages/list_user.html
  79. 2 2
      web/templates/pages/list_web.html
  80. 2 2
      web/templates/pages/list_webapps.html
  81. 1 1
      web/templates/pages/list_weblog.html
  82. 2 2
      web/templates/pages/login/reset_2.html
  83. 3 3
      web/templates/pages/login/reset_3.html
  84. 2 1
      web/templates/pages/setup_webapp.html
  85. 1 2
      web/unsuspend/cron/index.php
  86. 1 2
      web/unsuspend/db/index.php
  87. 2 4
      web/unsuspend/dns/index.php
  88. 2 3
      web/unsuspend/mail/index.php
  89. 1 2
      web/unsuspend/web/index.php

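--- a/install/deb/phpmyadmin/hestia-sso.php
+++ b/install/deb/phpmyadmin/hestia-sso.php
@@ -147,7 +147,11 @@ function session_invalid()
                 $user = $_GET['user'];
                 $host = 'localhost';
                 $token = $_GET['hestia_token'];
-                $time = $_GET['exp'];
+                if(is_numeric($_GET['exp'])){
+                    $time = $_GET['exp'];
+                }else{
+                    $time = 0; 
+                }
 
                 if ($time + 60 > time()) {
                     //note: Possible issues with cloudflare due to ip obfuscation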
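Review bot: The is_numeric() guard added on line 222 still lets through leading whitespace, signs, floats and exponent forms such as `1e9`, and it reads `$_GET['exp']` without an isset() check, so a request without `exp` emits a warning before falling into the else branch. An explicit integer cast with a default states the intent and covers both cases in one line: `$time = (int)($_GET['exp'] ?? 0);`. The `$time + 60 > time()` window check on line 228 can stay as is. The body of session_invalid() continues outside the hunk.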

+ 2 - 3
web/delete/backup/exclusion/index.php

@@ -4,16 +4,15 @@ ob_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 if (!empty($_GET['system'])) {
-    $v_username = escapeshellarg($user);
     $v_system = escapeshellarg($_GET['system']);
-    exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$v_username." ".$v_system, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$user." ".$v_system, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

+ 2 - 3
web/delete/backup/index.php

@@ -4,16 +4,15 @@ ob_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 if (!empty($_GET['backup'])) {
-    $v_username = escapeshellarg($user);
     $v_backup = escapeshellarg($_GET['backup']);
-    exec(HESTIA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-user-backup ".$user." ".$v_backup, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

+ 2 - 2
web/delete/cron/index.php

@@ -4,7 +4,7 @@ ob_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
@@ -13,7 +13,7 @@ verify_csrf($_GET);
 if (!empty($_GET['job'])) {
     $v_username = escapeshellarg($user);
     $v_job = escapeshellarg($_GET['job']);
-    exec(HESTIA_CMD."v-delete-cron-job ".$v_username." ".$v_job, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-cron-job ".$user." ".$v_job, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
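Review bot: Line 291 still computes `$v_username = escapeshellarg($user);` although the exec() on line 294 now passes `$user` directly, so the variable is dead and, since `$user` is already shell-quoted, would be double-escaped if anyone reused it. Remove the line, as the sibling delete pages in this commit do. Note also that check_return_code() on line 296 runs even when `$_GET['job']` is empty, with `$return_var` and `$output` never set.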

+ 2 - 3
web/delete/db/index.php

@@ -4,16 +4,15 @@ ob_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 if (!empty($_GET['database'])) {
-    $v_username = escapeshellarg($user);
     $v_database = escapeshellarg($_GET['database']);
-    exec(HESTIA_CMD."v-delete-database ".$v_username." ".$v_database, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-database ".$user." ".$v_database, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

+ 10 - 5
web/delete/dns/index.php

@@ -5,7 +5,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
@@ -13,9 +13,8 @@ verify_csrf($_GET);
 
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-delete-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-dns-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 
@@ -41,8 +40,14 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
         header("Location: ".$back);
         exit;
     }
-    header("Location: /list/dns/?domain=".$_GET['domain']);
-    exit;
+    if($return_var > 0){
+        header("Location: /list/dns/");
+        exit;
+    }else{
+        header("Location: /list/dns/?domain=".$_GET['domain']);
+        exit;
+    }
+    
 }
 
 $back = $_SESSION['back'];
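Review bot: The redirect on line 355 interpolates `$_GET['domain']` into the Location header unencoded; PHP refuses header values containing newlines, but a value containing `&` or `#` would still truncate or alter the query string the list page receives. Encode it: `header("Location: /list/dns/?domain=".urlencode($_GET['domain']));`. The same applies to the `/list/mail/?domain=` redirect in web/delete/mail/index.php.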

+ 2 - 3
web/delete/key/index.php

@@ -7,13 +7,12 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user = $_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 if (!empty($_GET['key'])) {
     $v_key = escapeshellarg(trim($_GET['key']));
-    $v_user = escapeshellarg(trim($user));
-    exec(HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
+    exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
     check_return_code($return_var, $output);
 }
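Review bot: The rewritten exec() on line 378 still passes no `$output`/`$return_var`, so the check_return_code() call on line 379 tests variables that were never assigned and a failed key deletion is reported as success. Change it to `exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key, $output, $return_var);` and add `unset($output);` after the check, matching the other delete pages.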
 

+ 3 - 4
web/delete/log/auth/index.php

@@ -7,13 +7,12 @@ verify_csrf($_GET);
 
 // Check if administrator is viewing system log (currently 'admin' user)
 if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
     $token=$_SESSION['token'];
 }
 
 // Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
+exec(HESTIA_CMD."v-delete-user-auth-log ".$user, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 
@@ -32,7 +31,7 @@ $v_session_id = escapeshellarg($_SESSION['token']);
 
 // Add current user session back to log unless impersonating another user
 if (!isset($_SESSION['look'])) {
-    exec(HESTIA_CMD."v-log-user-login ".$v_username." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
+    exec(HESTIA_CMD."v-log-user-login ".$user." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
 }
 
 // Flush session messages

+ 13 - 10
web/delete/log/index.php

@@ -7,24 +7,27 @@ verify_csrf($_GET);
 
 // Check if administrator is viewing system log (currently 'admin' user)
 if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
     $token=$_SESSION['token'];
 }
 
-// Set correct page reload target
-if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
-    header("Location: /list/log/?user=$user&token=$token");
-} else {
-    header("Location: /list/log/");
-}
-
 // Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-log ".$v_username." ".$output, $return_var);
+exec(HESTIA_CMD."v-delete-user-log ".$user." ".$output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 unset($token);
 
+if($return_var > 0){
+    header("Location: /list/log/");
+}else{
+    // Set correct page reload target
+    if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+        header("Location: /list/log/?user=$user&token=$token");
+    } else {
+        header("Location: /list/log/");
+    }
+}
+
 // Render page
 render_page($user, $TAB, 'list_log');
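Review bot: Moving the redirect below the clear-log block broke it in two ways: `unset($token)` on line 437 now runs before line 444 reads `$token`, so the admin redirect carries an empty token, and `$user` is shell-quoted by this commit, so the URL contains a single-quoted username. The exec() on line 434 also concatenates `$output` into the command string and passes `$return_var` in the output slot, so `$return_var` is never the exit code and the `$return_var > 0` test on line 439 does not do what it says. Neither header() is followed by `exit`, so render_page() still runs after the redirect. The rewrite below passes the parameters correctly and redirects with the raw, URL-encoded parameter.
```php
// Clear log
exec(HESTIA_CMD."v-delete-user-log ".$user, $output, $return_var);
check_return_code($return_var, $output);
unset($output);

// Set correct page reload target ($user is shell-quoted, so use the raw parameter here)
if (($return_var == 0) && ($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
    header("Location: /list/log/?user=".urlencode($_GET['user'])."&token=".$token);
} else {
    header("Location: /list/log/");
}
exit;
```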
 

+ 10 - 4
web/delete/mail/index.php

@@ -5,7 +5,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=scapeshellarg($user);
 }
 
 // Check token
@@ -15,10 +15,13 @@ verify_csrf($_GET);
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-delete-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-mail-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
     $back = $_SESSION['back'];
+    if($return_var > 0){
+       header("Location: /list/mail/"); 
+    }
     if (!empty($back)) {
         header("Location: ".$back);
         exit;
@@ -29,12 +32,14 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
 
 // Mail account
 if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
     $v_account = escapeshellarg($_GET['account']);
-    exec(HESTIA_CMD."v-delete-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
+    if($return_var > 0){
+       header("Location: /list/mail/"); 
+    }else{
     $back = $_SESSION['back'];
     if (!empty($back)) {
         header("Location: ".$back);
@@ -42,6 +47,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
     }
     header("Location: /list/mail/?domain=".$_GET['domain']);
     exit;
+    }
 }
 
 $back = $_SESSION['back'];
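Review bot: Line 462 calls `scapeshellarg`, which does not exist, so an admin deleting mail for another user gets a fatal error; and even with the typo fixed it escapes `$user` (already quoted by main.php) instead of `$_GET['user']`, so the `?user=` parameter is silently ignored. It should read `$user=escapeshellarg($_GET['user']);` as in the other delete pages of this commit. Separately, the error redirect added on line 476 has no `exit`, so the `$back` and `/list/mail/?domain=` redirects that follow overwrite it; add `exit;` after the header. The leftover `$v_username` on line 468 is now unused.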

+ 2 - 3
web/delete/notification/index.php

@@ -6,15 +6,14 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if ($_GET['delete'] == 1) {
-    $v_username = escapeshellarg($user);
     $v_id = escapeshellarg((int)$_GET['notification_id']);
-    exec(HESTIA_CMD."v-delete-user-notification ".$v_username." ".$v_id, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-user-notification ".$user." ".$v_id, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 } else {
     $v_username = escapeshellarg($user);
     $v_id = escapeshellarg((int)$_GET['notification_id']);
-    exec(HESTIA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id, $output, $return_var);
+    exec(HESTIA_CMD."v-acknowledge-user-notification ".$user." ".$v_id, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }

+ 2 - 3
web/delete/web/cache/index.php

@@ -8,13 +8,12 @@ verify_csrf($_GET);
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 if (!empty($_GET['domain'])) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-purge-nginx-cache ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-purge-nginx-cache ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
 }
 $_SESSION['ok_msg'] = _('Nginx cache has been successfully purged');

+ 2 - 3
web/delete/web/index.php

@@ -8,13 +8,12 @@ verify_csrf($_GET);
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user = $_GET['user'];
+    $user = escapeshellarg($user);
 }
 
 if (!empty($_GET['domain'])) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD . 'v-delete-web-domain ' . $v_username . ' ' . $v_domain . " 'yes'", $output, $return_var);
+    exec(HESTIA_CMD . 'v-delete-web-domain ' . $user . ' ' . $v_domain . " 'yes'", $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }
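Review bot: Line 557 escapes `$user`, which main.php has already passed through escapeshellarg(), rather than `$_GET['user']`, so the admin's "delete as someone else" parameter is ignored and the username handed to v-delete-web-domain is double-quoted. Use `$user = escapeshellarg($_GET['user']);` as the other delete pages in this commit do.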

+ 1 - 2
web/download/backup/index.php

@@ -9,9 +9,8 @@ verify_csrf($_GET);
 $backup = $_GET['backup'];
 
 if (!file_exists('/backup/'.$backup)) {
-    $v_username = escapeshellarg($user);
     $backup = escapeshellarg($_GET['backup']);
-    exec(HESTIA_CMD."v-schedule-user-backup-download ".$v_username." ".$backup, $output, $return_var);
+    exec(HESTIA_CMD."v-schedule-user-backup-download ".$user." ".$backup, $output, $return_var);
     if ($return_var == 0) {
         $_SESSION['error_msg'] = _('BACKUP_DOWNLOAD_SCHEDULED');
     } else {
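Review bot: The success branch on lines 580–581 writes the "download scheduled" notice into `$_SESSION['error_msg']`, so a successfully scheduled backup is rendered with the red error styling that show_error_panel() applies. If this is a notice rather than an error, `$_SESSION['ok_msg'] = _('BACKUP_DOWNLOAD_SCHEDULED');` is the matching key. The surrounding if/else continues past the hunk.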

+ 1 - 1
web/edit/cron/index.php

@@ -19,7 +19,7 @@ if (empty($_GET['job'])) {
 // List cron job
 $v_job = escapeshellarg($_GET['job']);
 exec(HESTIA_CMD."v-list-cron-job ".$user." ".$v_job." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/cron/');
 
 $data = json_decode(implode('', $output), true);
 unset($output);

+ 1 - 1
web/edit/db/index.php

@@ -20,7 +20,7 @@ if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
 // List datbase
 $v_database = $_GET['database'];
 exec(HESTIA_CMD."v-list-database ".$user." ".escapeshellarg($v_database)." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/db/');
 $data = json_decode(implode('', $output), true);
 unset($output);
 

+ 6 - 3
web/edit/dns/index.php

@@ -26,7 +26,7 @@ unset($output);
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
     $v_domain = escapeshellarg($_GET['domain']);
     exec(HESTIA_CMD."v-list-dns-domain ".$user." ".$v_domain." json", $output, $return_var);
-    check_return_code($return_var, $output);
+    check_return_code_redirect($return_var, $output,'/list/dns/');
     $data = json_decode(implode('', $output), true);
     unset($output);
 
@@ -58,10 +58,9 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
     $v_domain = escapeshellarg($_GET['domain']);
     $v_record_id = escapeshellarg($_GET['record_id']);
     exec(HESTIA_CMD."v-list-dns-records ".$user." ".$v_domain." 'json'", $output, $return_var);
-    check_return_code($return_var, $output);
+    check_return_code_redirect($return_var, $output,'/list/dns/');
     $data = json_decode(implode('', $output), true);
     unset($output);
-
     // Parse dns record
     $v_username = $user;
     $v_domain = $_GET['domain'];
@@ -206,6 +205,10 @@ if (empty($_GET['record_id'])) {
     // Display body for dns domain
     render_page($user, $TAB, 'edit_dns');
 } else {
+    if(empty($data[$_GET['record_id']])){
+        header("Location: /list/dns/");
+        $_SESSION['error_msg'] = _("Unknown record ID");
+    }
     // Display body for dns record
     render_page($user, $TAB, 'edit_dns_rec');
 }
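Review bot: The unknown-record guard added on lines 638–641 sends a Location header but does not stop, so render_page() on line 643 still runs and renders the edit form for the missing record while the browser redirects. Set the message before the header and terminate: `$_SESSION['error_msg'] = _("Unknown record ID");` / `header("Location: /list/dns/");` / `exit;`. The same missing `exit` affects the check_return_code_redirect() calls on lines 618 and 627.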

+ 1 - 1
web/edit/firewall/index.php

@@ -21,7 +21,7 @@ if (empty($_GET['rule'])) {
 // List rule
 $v_rule = escapeshellarg($_GET['rule']);
 exec(HESTIA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output,'/list/firewall');
 $data = json_decode(implode('', $output), true);
 unset($output);
 

+ 1 - 1
web/edit/ip/index.php

@@ -21,7 +21,7 @@ if (empty($_GET['ip'])) {
 // List ip
 $v_ip = escapeshellarg($_GET['ip']);
 exec(HESTIA_CMD."v-list-sys-ip ".$v_ip." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output,'/list/ip');
 $data = json_decode(implode('', $output), true);
 unset($output);
 

+ 2 - 12
web/edit/mail/index.php

@@ -32,15 +32,10 @@ unset($output);
 // List mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
     $v_domain = $_GET['domain'];
-    if ($_SESSION['userContext'] !== 'admin') {
-        if (!in_array($v_domain, $user_domains)) {
-            header("Location: /list/mail/");
-            exit;
-        }
-    }
 
     exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
     $data = json_decode(implode('', $output), true);
+    check_return_code_redirect($return_var, $output, '/list/mail/');
     unset($output);
 
     // Parse domain
@@ -89,16 +84,11 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
 // List mail account
 if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
     $v_domain = $_GET['domain'];
-    if ($_SESSION['userContext'] !== 'admin') {
-        if (!in_array($v_domain, $user_domains)) {
-            header("Location: /list/mail/");
-            exit;
-        }
-    }
 
     $v_account = $_GET['account'];
     exec(HESTIA_CMD."v-list-mail-account ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." 'json'", $output, $return_var);
     $data = json_decode(implode('', $output), true);
+    check_return_code_redirect($return_var, $output, '/list/mail/');
     unset($output);
 
     // Parse mail account
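Review bot: Removing the in_array() ownership checks on lines 679–684 and 696–701 leaves authorization for non-admin users entirely to the exit status of v-list-mail-domain / v-list-mail-account, and check_return_code_redirect() as defined in this commit sends a Location header without `exit`, so the rest of the page keeps executing with whatever `$data` decoded to. If the CLI is intended to be the authority here, add `exit;` after each check_return_code_redirect() call (or inside the helper) and move the check ahead of json_decode() so `$data` is never built from error output. Both enclosing `if` blocks continue past the hunk.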

+ 1 - 0
web/edit/package/index.php

@@ -28,6 +28,7 @@ if ($_GET['package'] === 'system') {
 // List package
 $v_package = escapeshellarg($_GET['package']);
 exec(HESTIA_CMD."v-list-user-package ".$v_package." 'json'", $output, $return_var);
+check_return_code_redirect($return_var, $output, '/list/package/');
 $data = json_decode(implode('', $output), true);
 unset($output);
 

+ 2 - 1
web/edit/user/index.php

@@ -33,7 +33,8 @@ verify_csrf($_GET);
 
 // List user
 exec(HESTIA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/user/');
+
 $data = json_decode(implode('', $output), true);
 unset($output);
 

+ 3 - 9
web/edit/web/index.php

@@ -19,21 +19,15 @@ if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
 }
 
 // Get all user domains
-exec(HESTIA_CMD."v-list-web-domains ".escapeshellarg($user)." json", $output, $return_var);
+exec(HESTIA_CMD."v-list-web-domains ".$user." json", $output, $return_var);
 $user_domains = json_decode(implode('', $output), true);
 $user_domains = array_keys($user_domains);
 unset($output);
 
-// List domain
 $v_domain = $_GET['domain'];
-if ($_SESSION['userContext'] !== 'admin') {
-    if (!in_array($v_domain, $user_domains)) {
-        header("Location: /list/mail/");
-        exit;
-    }
-}
-
 exec(HESTIA_CMD."v-list-web-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
+# Check if domain exists if not return /list/web/
+check_return_code_redirect($return_var, $output, '/list/web/');
 $data = json_decode(implode('', $output), true);
 unset($output);
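Review bot: With the in_array() check removed on lines 752–757, the v-list-web-domains call on line 745 and the `$user_domains` array built from it are no longer used anywhere in the visible code, so every edit-domain request now runs an extra CLI command for nothing. Either drop lines 744–748 or keep the ownership check for non-admin users; note the old check redirected to `/list/mail/` rather than `/list/web/`, which the new check_return_code_redirect() target on line 761 corrects.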
 

+ 32 - 4
web/inc/main.php

@@ -113,11 +113,11 @@ if (!defined('NO_AUTH_REQUIRED')) {
 }
 
 if (isset($_SESSION['user'])) {
-    $user = $_SESSION['user'];
+    $user = escapeshellarg($_SESSION['user']);
 }
 
 if (isset($_SESSION['look']) && ($_SESSION['userContext'] === 'admin')) {
-    $user = $_SESSION['look'];
+    $user = escapeshellarg($_SESSION['look']);
 }
 
 require_once(dirname(__FILE__) . '/i18n.php');
@@ -140,6 +140,17 @@ function check_return_code($return_var, $output)
         $_SESSION['error_msg'] = $error;
     }
 }
+function check_return_code_redirect($return_var, $output, $location){
+    if ($return_var != 0) {
+        $error = implode('<br>', $output);
+        if (empty($error)) {
+            $error = sprintf(_('Error code:'), $return_var);
+        }
+        $_SESSION['error_msg'] = $error;
+        header("Location:".$location);
+    }
+
+}
 
 function render_page($user, $TAB, $page)
 {
@@ -189,14 +200,31 @@ function verify_csrf($method, $return = false)
     }
 }
 
+function show_error_panel($data){
+    if (!empty($data['error_msg'])) {
+        $msg_icon = 'fa-exclamation-circle status-icon red';
+        $msg_text = $data['error_msg'];
+        $msg_id = 'vst-error';
+    } else {
+        if (!empty($data['ok_msg'])) {
+        $msg_icon = 'fa-check-circle status-icon green';
+        $msg_text = $data['ok_msg'];
+        $msg_id = 'vst-ok';
+    }
+    }
+    ?>
+        <span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=htmlentities($msg_text);?></span>
+    <?php
+}
+
 function top_panel($user, $TAB)
 {
     global $panel;
     $command = HESTIA_CMD . 'v-list-user ' . escapeshellarg($user) . " 'json'";
     exec($command, $output, $return_var);
     if ($return_var > 0) {
-        echo '<span style="font-size: 18px;"><b>ERROR: Unable to retrieve account details.</b><br>Please <b><a href="/login/">log in</a></b> again.</span>';
         destroy_sessions();
+        $_SESSION['error_msg'] = _('You have been logged out. Please log in again.');
         header('Location: /login/');
         exit;
     }
@@ -206,8 +234,8 @@ function top_panel($user, $TAB)
     // Log out active sessions for suspended users
     if (($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] !== 'yes')) {
         if(empty($_SESSION['look'])){
-        $_SESSION['error_msg'] = 'You have been logged out. Please log in again.';
         destroy_sessions();
+        $_SESSION['error_msg'] = _('You have been logged out. Please log in again.');
         header('Location: /login/');
         }
     }
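Review bot: Quoting `$user` with escapeshellarg() on lines 774 and 779 changes a value the rest of the panel treats as a plain username: top_panel() on line 825 escapes it again before v-list-user, `$panel[$user]` on line 836 is indexed by it, and templates compare it literally (`($user == 'admin')` in add_db.html, line 1025), none of which match a single-quoted string. Unless render_page()/top_panel() receive an unquoted copy that is not visible here, keep a raw `$user_plain = $_SESSION['user'];` for display, array keys and comparisons and pass only the escaped form to exec(). check_return_code_redirect() (lines 787–797) also issues a Location header without `exit;`, so callers keep rendering after the redirect, and `sprintf(_('Error code:'), $return_var)` has no format specifier, so the code is dropped. show_error_panel() should initialise `$msg_id`, `$msg_icon` and `$msg_text` to `''` before the branches, since a page with neither message currently echoes undefined variables.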

+ 3 - 0
web/login/index.php

@@ -36,6 +36,9 @@ if (isset($_SESSION['user'])) {
                 unset($_SESSION['_sf2_attributes']);
                 unset($_SESSION['_sf2_meta']);
                 header('Location: /login/');
+            }else{
+                # User doesn't exists
+                header('Location: /');
             }
         }
         exit;
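Review bot: The new else branch on line 854 redirects to `/` while `$_SESSION['user']` is still set, so the next request re-enters this same block; unless the condition above the hunk (not visible here) has already cleared the session, this can loop instead of showing the login page. Clearing the session and sending the user to the login page with a message would be safer, e.g. `destroy_sessions(); $_SESSION['error_msg'] = _('User does not exist'); header('Location: /login/');`. The comment should read `# User doesn't exist`.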

+ 1 - 2
web/suspend/cron/index.php

@@ -6,9 +6,8 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if (!empty($_GET['job'])) {
-    $v_username = escapeshellarg($user);
     $v_job = escapeshellarg($_GET['job']);
-    exec(HESTIA_CMD."v-suspend-cron-job ".$v_username." ".$v_job, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-cron-job ".$user." ".$v_job, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }

+ 1 - 2
web/suspend/db/index.php

@@ -10,9 +10,8 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if (!empty($_GET['database'])) {
-    $v_username = escapeshellarg($user);
     $v_database = escapeshellarg($_GET['database']);
-    exec(HESTIA_CMD."v-suspend-database ".$v_username." ".$v_database, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-database ".$user." ".$v_database, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }

+ 2 - 4
web/suspend/dns/index.php

@@ -11,9 +11,8 @@ verify_csrf($_GET);
 
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-suspend-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-dns-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
     $back = $_SESSION['back'];
@@ -27,10 +26,9 @@ if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
 
 // DNS record
 if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
     $v_record_id = escapeshellarg($_GET['record_id']);
-    exec(HESTIA_CMD."v-suspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-dns-record ".$user." ".$v_domain." ".$v_record_id, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
     $back = $_SESSION['back'];

+ 2 - 3
web/suspend/mail/index.php

@@ -11,9 +11,8 @@ verify_csrf($_GET);
 
 // Mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-suspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-mail-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
     $back=getenv("HTTP_REFERER");
@@ -30,7 +29,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
     $v_account = escapeshellarg($_GET['account']);
-    exec(HESTIA_CMD."v-suspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
     $back = $_SESSION['back'];

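--- a/web/suspend/user/index.php
+++ b/web/suspend/user/index.php
@@ -16,8 +16,7 @@ if ($_SESSION['userContext'] != 'admin') {
 }
 
 if (!empty($_GET['user'])) {
-    $v_username = escapeshellarg($_GET['user']);
-    exec(HESTIA_CMD."v-suspend-user ".$v_username, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-user ".$user, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);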
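Review bot: Line 949 now passes `$user` to v-suspend-user, but `$user` is set by main.php from the session (or the impersonated `look` user), not from `$_GET['user']`; unless a line above the hunk reassigns it, an admin suspending another account suspends themselves. Restore the explicit target: `exec(HESTIA_CMD."v-suspend-user ".escapeshellarg($_GET['user']), $output, $return_var);`.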

+ 1 - 1
web/suspend/web/index.php

@@ -12,7 +12,7 @@ verify_csrf($_GET);
 if (!empty($_GET['domain'])) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-suspend-web-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-suspend-web-domain ".$user." ".$v_domain, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

+ 1 - 1
web/templates/includes/title.html

@@ -1,2 +1,2 @@
 <meta charset="utf-8">
-<title><?=$_SERVER['HTTP_HOST']; ?> - <?=_($TAB)?> - <?=_('Hestia Control Panel');?></title>
+<title><?=htmlentities($_SERVER['HTTP_HOST']); ?> - <?=_($TAB)?> - <?=_('Hestia Control Panel');?></title>

+ 1 - 14
web/templates/pages/add_cron.html

@@ -341,20 +341,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_db.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<?php if (($user == 'admin') && (($_GET['accept'] !== "true")))  {?>

+ 1 - 14
web/templates/pages/add_dns.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<?php if (($user == 'admin') && (($_GET['accept'] !== "true")))  {?>

+ 1 - 14
web/templates/pages/add_dns_rec.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_firewall.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_firewall_banlist.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_firewall_ipset.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_ip.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_key.html

@@ -41,20 +41,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_mail.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<?php if (($user == 'admin') && (($_GET['accept'] !== "true")))  {?>

+ 5 - 18
web/templates/pages/add_mail_acc.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>
@@ -169,7 +156,7 @@
 							<tr>
 								<td colspan="2">
 									<select id="mail_configuration" class="vst-list flat">
-										<option v_type="hostname" domain="<?=$v_domain?>"><?=_('Use domain hostname');?></option>
+										<option v_type="hostname" domain="<?=htmlentities($v_domain)?>"><?=_('Use domain hostname');?></option>
 										<option v_type="starttls"><?=_('Use STARTTLS');?></option>
 										<option v_type="ssl"><?=_('Use SSL / TLS');?></option>
 										<option v_type="no_encryption" domain="<?=htmlentities(trim($v_domain, "'"))?>" no_encryption="<?=_('No encryption');?>"><?=_('No encryption');?></option>
@@ -191,7 +178,7 @@
 							<tr>
 								<td><?=_('IMAP hostname');?>:</td>
 								<td>
-									<div id="td_imap_hostname">mail.<?=$v_domain?></div>
+									<div id="td_imap_hostname">mail.<?=htmlentities($v_domain)?></div>
 								</td>
 							</tr>
 							<tr>
@@ -215,7 +202,7 @@
 							<tr>
 								<td><?=_('SMTP hostname');?>:</td>
 								<td>
-									<div id="td_smtp_hostname">mail.<?=$v_domain?></div>
+									<div id="td_smtp_hostname">mail.<?=htmlentities($v_domain)?></div>
 								</td>
 							</tr>
 							<tr>
@@ -240,7 +227,7 @@
 								<tr>
 									<td><?=_('Webmail URL');?>:</td>
 									<td>
-										<div><a class="vst" href="http://<?=$v_webmail_alias?>" target="_blank">http://<?=$v_webmail_alias?> <i></i></a></div>
+										<div><a class="vst" href="http://<?=htmlentities($v_webmail_alias)?>" target="_blank">http://<?=htmlentities($v_webmail_alias)?> <i></i></a></div>
 									</td>
 								</tr>
 							<?php } ?>
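Review bot: The new `domain="<?=htmlentities($v_domain)?>"` on the "Use domain hostname" option is inconsistent with the no_encryption option three lines below, which uses `htmlentities(trim($v_domain, "'"))`; if `$v_domain` still carries escapeshellarg() quotes at this point (as that trim suggests), the two options emit different attribute values and the hostname lines `mail.<?=htmlentities($v_domain)?>` render with literal quotes. Either trim consistently in the template or, better, keep a plain display value separate from the shell-quoted one in the controller. The same pattern appears in edit_mail_acc.html's IMAP/SMTP hostname and webmail URL lines.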

+ 1 - 14
web/templates/pages/add_package.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/add_user.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 4 - 17
web/templates/pages/add_web.html

@@ -39,20 +39,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<?php if (($user == 'admin') && (($_GET['accept'] !== "true")))  {?>
@@ -311,7 +298,7 @@
 									</tr>
 									<tr>
 										<td>
-											<input type="hidden" name="v-custom-doc-root_prepath" value="<?=$v_custom_doc_root_prepath;?>">
+											<input type="hidden" name="v-custom-doc-root_prepath" value="<?=htmlentities($v_custom_doc_root_prepath);?>">
 											<select class="vst-list" name="v-custom-doc-domain">
 												<option value="<?=htmlentities(trim($v_domain, "'"))?>" id="v-custom-doc-domain-main"><?=htmlentities(trim($v_domain, "'"))?></option>
 												<?php
@@ -319,9 +306,9 @@
 														if($domain != $v_domain ){
 														if($v_custom_doc_domain == $domain){
 													?>
-													<option value="<?=$domain;?>" selected="selected"><?=$domain;?></option>
+													<option value="<?=htmlentities($domain);?>" selected="selected"><?=htmlentities($domain);?></option>
 												<?php } else{ ?>
-													<option value="<?=$domain;?>"><?=$domain;?></option>
+													<option value="<?=htmlentities($domain);?>"><?=htmlentities($domain);?></option>
 												<?php } } } ?>
 											</select>
 										</td>

+ 1 - 14
web/templates/pages/edit_backup_exclusions.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_cron.html

@@ -342,20 +342,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_db.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_dns.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_dns_rec.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_firewall.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_ip.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 11 - 23
web/templates/pages/edit_mail.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>
@@ -133,7 +120,8 @@
 										<td>
 											<span class="alert alert-info alert-with-icon">
 												<i class="fas fa-exclamation"></i>
-												<?=_("To enable Let's Encrypt SSL, ensure that DNS records exist for mail.$v_domain and $v_webmail_alias!")?><br />
+												<?php echo $v_webmail_alias;?>
+												<?=sprintf(_("To enable Let's Encrypt SSL, ensure that DNS records exist for mail.%s and %s!"), $v_domain, $v_webmail_alias); ?><br />
 											</span>
 										</td>
 									</tr>
@@ -143,7 +131,7 @@
 												<tr>
 													<td class="vst-text input-label step-top">
 														<?=_('SSL Certificate');?>
-														<span id="generate-csr"> / <a class="generate" target="_blank" href="/generate/ssl/?domain=<?=$v_domain?>"><?=_('Generate CSR');?></a></span>
+														<span id="generate-csr"> / <a class="generate" target="_blank" href="/generate/ssl/?domain=<?=htmlentities($v_domain)?>"><?=_('Generate CSR');?></a></span>
 													</td>
 												</tr>
 												<tr>
@@ -181,7 +169,7 @@
 																	<b><?=_('SUBJECT');?>:</b>
 																</td>
 																<td class="details">
-																	<?=$v_ssl_subject?>
+																	<?=htmlentities($v_ssl_subject);?>
 																</td>
 															</tr>
 															<?php if ($v_ssl_aliases){?>
@@ -190,7 +178,7 @@
 																		<b><?=_('Aliases');?>:</b>
 																	</td>
 																	<td class="details">
-																		<?=$v_ssl_aliases?>
+																		<?=htmlentities($v_ssl_aliases)?>
 																	</td>
 																</tr>
 															<?php } ?>
@@ -199,7 +187,7 @@
 																	<b><?=_('NOT_BEFORE');?>:</b>
 																</td>
 																<td class="details">
-																	<?=$v_ssl_not_before?>
+																	<?=htmlentities($v_ssl_not_before)?>
 																</td>
 															</tr>
 															<tr>
@@ -207,7 +195,7 @@
 																	<b><?=_('NOT_AFTER');?>:</b>
 																</td>
 																<td class="details">
-																	<?=$v_ssl_not_after?>
+																	<?=htmlentities($v_ssl_not_after)?>
 																</td>
 															</tr>
 															<tr>
@@ -215,7 +203,7 @@
 																	<b><?=_('SIGNATURE');?>:</b>
 																</td>
 																<td class="details">
-																	<?=$v_ssl_signature?>
+																	<?=htmlentities($v_ssl_signature)?>
 																</td>
 															</tr>
 															<tr>
@@ -223,7 +211,7 @@
 																	<b><?=_('PUB_KEY');?>:</b>
 																</td>
 																<td class="details">
-																	<?=$v_ssl_pub_key?>
+																	<?=htmlentities($v_ssl_pub_key)?>
 																</td>
 															</tr>
 															<tr>
@@ -231,7 +219,7 @@
 																	<b><?=_('ISSUER');?>:</b>
 																</td>
 																<td class="details">
-																	<?=$v_ssl_issuer?>
+																	<?=htmlentities($v_ssl_issuer)?>
 																</td>
 															</tr>
 														</table>
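Review bot: The added line `<?php echo $v_webmail_alias;?>` in the Let's Encrypt notice prints the alias unescaped and outside the translated sentence, which looks like a debugging leftover and should be removed since the sprintf() line already includes it. That sprintf() line also interpolates `$v_domain` and `$v_webmail_alias` raw, the same class of issue this commit fixes elsewhere: `<?=sprintf(_("To enable Let's Encrypt SSL, ensure that DNS records exist for mail.%s and %s!"), htmlentities($v_domain), htmlentities($v_webmail_alias)); ?>`. The `href="/generate/ssl/?domain=<?=htmlentities($v_domain)?>"` link further down is encoded for HTML but not for the query string; `htmlentities(urlencode($v_domain))` is the right layering there.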

+ 4 - 17
web/templates/pages/edit_mail_acc.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>
@@ -199,7 +186,7 @@
 							<tr>
 								<td><?=_('IMAP hostname');?>:</td>
 								<td>
-									<div id="td_imap_hostname">mail.<?=$v_domain?></div>
+									<div id="td_imap_hostname">mail.<?=htmlentities($v_domain)?></div>
 								</td>
 							</tr>
 							<tr>
@@ -223,7 +210,7 @@
 							<tr>
 								<td><?=_('SMTP hostname');?>:</td>
 								<td>
-									<div id="td_smtp_hostname">mail.<?=$v_domain?></div>
+									<div id="td_smtp_hostname">mail.<?=htmlentities($v_domain)?></div>
 								</td>
 							</tr>
 							<tr>
@@ -248,7 +235,7 @@
 								<tr>
 									<td><?=_('Webmail URL');?>:</td>
 									<td>
-										<div><a class="vst" href="http://<?=$v_webmail_alias?>" target="_blank">http://<?=$v_webmail_alias?> <i></i></a></div>
+										<div><a class="vst" href="http://<?=htmlentities($v_webmail_alias)?>" target="_blank">http://<?=htmlentities($v_webmail_alias)?> <i></i></a></div>
 									</td>
 								</tr>
 							<?php } ?>

+ 1 - 14
web/templates/pages/edit_package.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 16
web/templates/pages/edit_server.html

@@ -41,24 +41,9 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
-								<br><br>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
-
 						<!-- Basic options tab -->
 						<tr>
 							<td class="vst-text input-label step-top advanced-options">

+ 1 - 14
web/templates/pages/edit_server_bind9.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_dovecot.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_httpd.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_mysql.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_nginx.html

@@ -38,20 +38,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_pgsql.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_php.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 1 - 14
web/templates/pages/edit_server_service.html

@@ -37,20 +37,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>

+ 7 - 20
web/templates/pages/edit_user.html

@@ -5,8 +5,8 @@
 			<a class="ui-button cancel" dir="ltr" id="btn-back" href="/list/user/"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 			<?php 
 				if (($_SESSION['userContext'] === 'admin') && (!isset($_SESSION['look'])) && ($_SESSION['user'] !== $v_username)) {
-					$ssh_key_url = "/list/key/?user=".$user."&token=".$_SESSION['token']."";
-					$log_url = "/list/log/?user=".$user."&token=".$_SESSION['token']."";
+					$ssh_key_url = "/list/key/?user=".htmlentities($user)."&token=".$_SESSION['token']."";
+					$log_url = "/list/log/?user=".htmlentities($user)."&token=".$_SESSION['token']."";
 				} else {
 					$ssh_key_url = "/list/key/";
 					$log_url = "/list/log/";
@@ -22,14 +22,14 @@
 			<?php if (($_SESSION['user'] == $v_username) || (isset($_SESSION['look']))) {?>
 				<!-- Do not show delete button for currently logged in user-->
 			<?} else {?>
-				<a href="/login/?loginas=<?=$v_username?>&token=<?=$_SESSION['token']?>" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('login as');?>"><i class="fas fa-sign-in-alt status-icon maroon"></i><?=_('login as');?></a>
+				<a href="/login/?loginas=<?=htmlentities($v_username)?>&token=<?=$_SESSION['token']?>" id="btn-create" class="ui-button cancel" dir="ltr" title="<?=_('login as');?>"><i class="fas fa-sign-in-alt status-icon maroon"></i><?=_('login as');?></a>
 				<div class="display-inline-block" key-action="js">
 					<a class="data-controls do_delete ui-button danger cancel">
 						<i class="do_delete fas fa-times-circle status-icon red"></i>
 						<?=_('Delete');?>
-						<input type="hidden" name="delete_url" value="/delete/user/?user=<?=$v_username?>&token=<?=$_SESSION['token']?>" />
+						<input type="hidden" name="delete_url" value="/delete/user/?user=<?=htmlentities($v_username)?>&token=<?=$_SESSION['token']?>" />
 						<div class="confirmation-text-delete hidden" title="<?=_('Confirmation');?>">
-							<p class="confirmation"><?=sprintf(_('DELETE_USER_CONFIRMATION'),$v_username)?></p>
+							<p class="confirmation"><?=sprintf(_('DELETE_USER_CONFIRMATION'),htmlentities($v_username))?></p>
 						</div>
 					</a>
 				</div>
@@ -68,20 +68,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>
@@ -158,7 +145,7 @@
 											<?php if (!empty($v_twofa)) { ?>
 											<p><?=_('2FA Reset Code:').' '.$v_twofa; ?></br></p>
 											<p><?=_('Please scan the code below in your 2FA application:'); ?></p>
-											<div><img class="qr-code" src="<?=$v_qrcode; ?>"></div>
+											<div><img class="qr-code" src="<?=htmlentities($v_qrcode); ?>"></div>
 											<?php } ?>
 										</td>
 									</tr>

+ 8 - 21
web/templates/pages/edit_web.html

@@ -5,11 +5,11 @@
 			<a class="ui-button cancel" dir="ltr" id="btn-back" href="/list/web/"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 		</div>
 		<div class="l-unit-toolbar__buttonstrip float-right">
-			<a href="/delete/web/cache/?domain=<?=$v_domain;?>&token=<?=$_SESSION['token'];?>" class="ui-button cancel <?php if ( $v_nginx_cache == 'yes' || ($v_proxy_template == 'caching' && $_SESSION['PROXY_SYSTEM'] == 'nginx')) { echo "block"; } else{ echo "hidden"; }?>" id="v-clear-cache">
+			<a href="/delete/web/cache/?domain=<?=htmlentities($v_domain);?>&token=<?=$_SESSION['token'];?>" class="ui-button cancel <?php if ( $v_nginx_cache == 'yes' || ($v_proxy_template == 'caching' && $_SESSION['PROXY_SYSTEM'] == 'nginx')) { echo "block"; } else{ echo "hidden"; }?>" id="v-clear-cache">
 				<i class="fas fa-trash status-icon red"></i><?=_('Purge Nginx Cache');?>
 			</a>
 			<?php if ($_SESSION['PLUGIN_APP_INSTALLER'] !== 'false') {?>
-				<a href="/add/webapp/?domain=<?=$v_domain?>" class="ui-button cancel" dir="ltr">
+				<a href="/add/webapp/?domain=<?=htmlentities($v_domain);?>" class="ui-button cancel" dir="ltr">
 					<i class="fas fa-magic status-icon blue"></i> <?=_('Quick Install App');?>
 				</a>
 			<?php } ?>
@@ -46,20 +46,7 @@
 						</tr>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						<tr>
@@ -173,8 +160,8 @@
 								<table style="display:<?php if (empty($v_redirect)) { echo 'none';} else {echo 'block';}?> ;" id="v_redirect">
 									<tr>
 										<td>
-											<label><input type="radio" name="v-redirect" value="<?='www.'.$v_domain;?>" <?php if ($v_redirect == "www.".$v_domain) echo "checked"; ?> class="v-redirect-custom-value"><?=sprintf(_('Redirect visitors to %s'),"www.".$v_domain);?></label></input><br />
-											<label><input type="radio" name="v-redirect" value="<?=$v_domain;?>" <?php if( $v_redirect == $v_domain) echo "checked";?> class="v-redirect-custom-value"><?=sprintf(_('Redirect visitors to %s'),$v_domain);?></label></input><br />
+											<label><input type="radio" name="v-redirect" value="<?='www.'.htmlentities($v_domain);?>" <?php if ($v_redirect == "www.".$v_domain) echo "checked"; ?> class="v-redirect-custom-value"><?=sprintf(_('Redirect visitors to %s'),"www.".htmlentities($v_domain));?></label></input><br />
+											<label><input type="radio" name="v-redirect" value="<?=htmlentities($v_domain);?>" <?php if( $v_redirect == $v_domain) echo "checked";?> class="v-redirect-custom-value"><?=sprintf(_('Redirect visitors to %s'),htmlentities($v_domain));?></label></input><br />
 											<label><input type="radio" name="v-redirect" value="custom" <?php if( !empty($v_redirect_custom)) echo "checked";?> class="v-redirect-custom-value"><?=_("Redirect visitors to a custom domain or web address");?></label></input>
 										</td>
 									</tr>
@@ -257,7 +244,7 @@
 												<tr>
 													<td class="vst-text input-label step-top">
 														<?=_('SSL Certificate');?>
-														<span id="generate-csr"> / <a class="generate" target="_blank" href="/generate/ssl/?domain=<?=$v_domain?>"><?=_('Generate CSR');?></a></span>
+														<span id="generate-csr"> / <a class="generate" target="_blank" href="/generate/ssl/?domain=<?=htmlentities($v_domain)?>"><?=_('Generate CSR');?></a></span>
 													</td>
 												</tr>
 												<tr>
@@ -503,9 +490,9 @@
 														<input type="hidden" name="v-custom-doc-root_prepath" value="<?=$v_custom_doc_root_prepath;?>">
 														<select class="vst-list" name="v-custom-doc-domain">
 															<?php foreach ($user_domains as $domain): ?>
-															<option value="<?=$domain;?>"
+															<option value="<?=htmlentities($domain);?>"
 																<?=($v_custom_doc_domain === $domain || (empty($v_custom_doc_domain) && $domain === $v_domain))?' selected="selected" ':''; ?>>
-																<?=$domain;?>
+																<?=htmlentities($domain);?>
 															</option>
 															<?php endforeach; ?>
 														</select>
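Review bot: The query-string values in the hrefs of this section (`/delete/web/cache/?domain=`, `/add/webapp/?domain=`, `/generate/ssl/?domain=`) are HTML-escaped but not URL-encoded; `htmlentities()` turns `&` into `&amp;`, which the browser decodes back to `&` before it builds the request, so a value containing `&` or `#` would still alter the query. The right layering for this context is `rawurlencode()` for the URL followed by attribute escaping, e.g. `href="/delete/web/cache/?domain=<?=htmlspecialchars(rawurlencode($v_domain), ENT_QUOTES);?>&token=<?=$_SESSION['token'];?>"`. `$v_domain` is presumably validated as a domain name before this form renders, so the practical exposure is low and this is mainly consistency. The unchanged `<input type="hidden" name="v-custom-doc-root_prepath" value="<?=$v_custom_doc_root_prepath;?>">` in the last hunk is still emitted raw and should get the same `htmlentities()` treatment as its neighbours.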

+ 1 - 14
web/templates/pages/generate_ssl.html

@@ -1,20 +1,7 @@
 <div class="l-center">
 	<div class="l-sort clearfix">
 		<div class="l-sort-toolbar clearfix float-left">
-			<?php
-				if (!empty($_SESSION['error_msg'])) {
-					$msg_icon = 'fa-exclamation-circle status-icon red';
-					$msg_text = htmlentities($_SESSION['error_msg']);
-					$msg_id = 'vst-error';
-				} else {
-					if (!empty($_SESSION['ok_msg'])) {
-						$msg_icon = 'fa-check-circle status-icon green';
-						$msg_text = $_SESSION['ok_msg'];
-						$msg_id = 'vst-ok';
-					}
-				}
-			?>
-			<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+			<?php show_error_panel($_SESSION);?>
 		</div>
 	</div>
 </div>
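Review bot: The inline block this hunk removes only ran `htmlentities()` on `error_msg` and printed `ok_msg` raw, and `show_error_panel()` is defined in `/inc/main.php` outside this diff, so the hunk itself cannot show whether both messages are escaped now. `ok_msg` may carry user-supplied names (domain, account, file) just like `error_msg`, so `show_error_panel()` should escape both; worth confirming in main.php before merging. A one-line comment above the call would make that contract explicit to template authors: `<?php /* show_error_panel() must escape both ok_msg and error_msg before output */ show_error_panel($_SESSION);?>`.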

+ 1 - 2
web/templates/pages/list_backup_detail.html

@@ -53,7 +53,7 @@
 
 	<!-- List web domains -->
 	<?php
-		$backup = $_GET['backup'];
+		$backup = htmlentities($_GET['backup']);
 		$web = explode(',',$data[$backup]['WEB']);
 		foreach ($web as $key) {
 			if (!empty($key)) {
@@ -183,7 +183,6 @@
 
 	<!-- List Cron Jobs -->
 	<?php
-		$backup = $_GET['backup'];
 		if (!empty($data[$backup]['CRON'])) {
 			if (!empty($key)) {
 		?>
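Review bot: `$backup = htmlentities($_GET['backup']);` in the first hunk escapes the value before it is used as an array key in `$data[$backup]`, which is the wrong point to escape: a name containing `&`, `<` or a quote no longer matches the backend's key, the lookup silently yields null, and `explode(',', null)` runs on the next line. Keep the raw value for the lookup, guard that the entry exists, and escape only where the name is printed, e.g. `$backup = $_GET['backup'] ?? '';` then `if (!isset($data[$backup])) { header('Location: /list/backup/'); exit; }` and `htmlentities($backup)` at the output sites. The second hunk now relies on `$backup` assigned further up the template, which is fine as long as nothing in between reassigns it.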

+ 2 - 2
web/templates/pages/list_cron.html

@@ -21,8 +21,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Command'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>
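Review bot: The sort-by label changes from `Command` to `Name` in this hunk, which is a wording change unrelated to the escaping fixes and differs from `list_dns_rec.html`, which keeps its specific `Record` label. If the cron list still sorts by the command string when `userSortOrder` is `name`, `$label = _('Command');` remains the accurate label; if the rename to the shared `Name` key is deliberate, it should be called out so translators know the string moved.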

+ 2 - 2
web/templates/pages/list_db.html

@@ -40,8 +40,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>

+ 2 - 2
web/templates/pages/list_dns.html

@@ -20,8 +20,8 @@
 						<td class="sort-by" title="<?=_('Sort items');?>">
 							<?=_('sort by');?>: <span>
 								<b>
-									<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-									<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+									<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+									<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 								</b>
 							</span>
 						</td>

+ 2 - 2
web/templates/pages/list_dns_rec.html

@@ -21,8 +21,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Record'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Record'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>

+ 2 - 2
web/templates/pages/list_mail.html

@@ -18,8 +18,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>

+ 5 - 5
web/templates/pages/list_mail_acc.html

@@ -24,8 +24,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>
@@ -127,7 +127,7 @@
 			}
 		?>
 		<div class="l-unit <?php if ($status == 'suspended') echo 'l-unit--suspended'; if($_SESSION['favourites']['MAIL_ACC'][$key." @".$_GET['domain']]==1) echo ' l-unit--starred' ; ?> animated fadeIn"
-			v_unit_id="<?=$key."@".$_GET['domain']?>" v_section="mail_acc" sort-date="<?=strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])?>" sort-name="<?=$key?>" sort-disk="<?=$data[$key]['U_DISK']?>"
+			v_unit_id="<?=$key."@".htmlentities($_GET['domain']);?>" v_section="mail_acc" sort-date="<?=strtotime($data[$key]['DATE'].' '.$data[$key]['TIME'])?>" sort-name="<?=$key?>" sort-disk="<?=$data[$key]['U_DISK']?>"
 			sort-quota="<?=$data[$key]['QUOTA']?>" sort-star="
 			<?php if ($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] == 1) echo '1'; else echo '0'; ?>">
 			<div class="l-unit__col l-unit__col--right">
@@ -136,9 +136,9 @@
 				</div>
 				<div class="clearfix l-unit__stat-col--left wide-3 truncate">
 					<?php if (($read_only === 'true') || ($data[$key]['SUSPENDED'] == 'yes')) { ?>
-						<b><?=$key."@".$_GET['domain']?></b>
+						<b><?=$key."@".htmlentities($_GET['domain']);?></b>
 					<?php } else { ?>
-						<b><a href="/edit/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Mail Account');?>: <?=$key?>@<?=htmlspecialchars($_GET['domain'])?>"><?=$key."@".$_GET['domain']?></a></b>
+						<b><a href="/edit/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Mail Account');?>: <?=$key?>@<?=htmlspecialchars($_GET['domain'])?>"><?=$key."@".htmlentities($_GET['domain']);?></a></b>
 					<?php } ?>
 				</div>
 				<!-- START QUICK ACTION TOOLBAR AREA -->
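Review bot: In the edit link of the last hunk, `account=<?=$key?>` and the `title` text still print `$key` raw, while `$_GET['domain']` is escaped on the same line with two different helpers (`htmlspecialchars` in the href/title, `htmlentities` in the link text). `$key` comes from the backend's account list rather than the request, so it is less exposed, but query-string values also need `rawurlencode()` because entity encoding does not neutralise `&`/`#` once the browser decodes the attribute: `href="/edit/mail/?domain=<?=rawurlencode($_GET['domain'])?>&account=<?=rawurlencode($key)?>&token=<?=$_SESSION['token']?>"`. Settling on one helper for HTML text, `htmlspecialchars(..., ENT_QUOTES)` is enough here, would keep the template consistent.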

+ 3 - 2
web/templates/pages/list_packages.html

@@ -15,10 +15,11 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
+					</td>
 					<td>
 						<form action="/bulk/package/" method="post" id="objects">
 							<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />

+ 4 - 17
web/templates/pages/list_ssl.html

@@ -32,25 +32,12 @@
 							</td>
 						<tr>
 							<td>
-								<?php
-									if (!empty($_SESSION['error_msg'])) {
-										$msg_icon = 'fa-exclamation-circle status-icon red';
-										$msg_text = htmlentities($_SESSION['error_msg']);
-										$msg_id = 'vst-error';
-									} else {
-										if (!empty($_SESSION['ok_msg'])) {
-											$msg_icon = 'fa-check-circle status-icon green';
-											$msg_text = $_SESSION['ok_msg'];
-											$msg_id = 'vst-ok';
-										}
-									}
-								?>
-								<span class="<?=$msg_id;?>"> <i class="fas <?=$msg_icon;?>"></i> <?=$msg_text;?></span>
+								<?php show_error_panel($_SESSION);?>
 							</td>
 						</tr>
 						</tr>
 						<tr>
-							<td class="vst-text" style="padding: 12px 0 0 0;"><?=_('SSL Certificate');?> <a href="javascript:saveTextToBlob('<?php echo $v_domain;?>.crt', 'v_crt');"><i class="fas fa-download"></i></a>
+							<td class="vst-text" style="padding: 12px 0 0 0;"><?=_('SSL Certificate');?> <a href="javascript:saveTextToBlob('<?php echo htmlentities($v_domain);?>.crt', 'v_crt');"><i class="fas fa-download"></i></a>
 							</td>
 						</tr>
 						<tr>
@@ -60,7 +47,7 @@
 						</tr>
 						<tr>
 							<td class="vst-text" style="padding: 12px 0 0 0;">
-								<?=_('SSL Key');?> <a href="javascript:saveTextToBlob('<?php echo $v_domain;?>.key', 'v_key');"><i class="fas fa-download"></i></a>
+								<?=_('SSL Key');?> <a href="javascript:saveTextToBlob('<?php echo htmlentities($v_domain);?>.key', 'v_key');"><i class="fas fa-download"></i></a>
 							</td>
 						</tr>
 						<tr>
@@ -70,7 +57,7 @@
 						</tr>
 						<tr>
 							<td class="vst-text" style="padding: 24px 0 0 0;">
-								<?=_('SSL CSR');?> <a href="javascript:saveTextToBlob('<?php echo $v_domain;?>.csr', 'v_crt');"><i class="fas fa-download"></i></a>
+								<?=_('SSL CSR');?> <a href="javascript:saveTextToBlob('<?php echo htmlentities($v_domain);?>.csr', 'v_crt');"><i class="fas fa-download"></i></a>
 							</td>
 						</tr>
 						<tr>
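Review bot: `htmlentities($v_domain)` inside `javascript:saveTextToBlob('...crt', 'v_crt')` does not protect the JavaScript string literal on the three download links in this section, because the browser entity-decodes the `href` attribute before the JS engine parses it; a `'` (which `htmlentities()` with default flags does not encode on PHP < 8.1 anyway) or a backslash in `$v_domain` still terminates the literal. Escape for the JS context first and the attribute second, e.g. `href="javascript:saveTextToBlob(<?=htmlspecialchars(json_encode($v_domain.'.crt'), ENT_QUOTES);?>, 'v_crt');"`, or move the filename into a `data-filename` attribute and let the script read it. `$v_domain` is presumably constrained to a valid domain name by the time this page renders, so the practical exposure is low, but the escaping sits in the wrong layer.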

+ 2 - 2
web/templates/pages/list_user.html

@@ -17,8 +17,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = _('Name'); } else { $label = _('Date'); } ?>
+								<?=$label;?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>

+ 2 - 2
web/templates/pages/list_web.html

@@ -19,8 +19,8 @@
 					<td class="sort-by" title="<?=_('Sort items');?>">
 						<?=_('sort by');?>: <span>
 							<b>
-								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = 'Name'; } else { $label = 'Date'; } ?>
-								<?=_($label)?> <i class="fas fa-sort-alpha-down"></i>
+								<?php if ($_SESSION['userSortOrder'] === 'name') { $label = ('Name'); } else { $label = _('Date'); } ?>
+								<?=$label?> <i class="fas fa-sort-alpha-down"></i>
 							</b>
 						</span>
 					</td>
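Review bot: `$label = ('Name');` in this hunk drops the gettext call that every sibling list template in this commit uses (`list_db.html`, `list_user.html`, `list_mail.html`), so the sort label on the web domain list is no longer translated. It should read `$label = _('Name');` to match the `_('Date')` branch on the same line.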

+ 2 - 2
web/templates/pages/list_webapps.html

@@ -2,7 +2,7 @@
 <div class="l-center edit">
 	<div class="l-sort clearfix">
 		<div class="l-unit-toolbar__buttonstrip">
-			<a class="ui-button cancel" dir="ltr" id="btn-back" href="/edit/web/?domain=<?=$v_domain?>"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
+			<a class="ui-button cancel" dir="ltr" id="btn-back" href="/edit/web/?domain=<?=htmlentities($v_domain)?>"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 		</div>
 		<div class="l-unit-toolbar__buttonstrip float-right">
 		</div>
@@ -45,7 +45,7 @@
 				<div class="card-details">
 					<p class="card-title"><?=$webapp['name'];?></p>
 					<p><?=_('version');?>: <?=$webapp['version'];?></p>
-					<a href="/add/webapp/?app=<?=$webapp['name'];?>&domain=<?=$v_domain?>" class="ui-button cancel" dir="ltr"><?=_('Setup');?></a>
+					<a href="/add/webapp/?app=<?=$webapp['name'];?>&domain=<?=htmlentities($v_domain)?>" class="ui-button cancel" dir="ltr"><?=_('Setup');?></a>
 				</div>
 			</div>
 		<?php endforeach; ?>
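Review bot: The Setup link in the second hunk escapes `domain=` but still prints `app=<?=$webapp['name'];?>` raw, and `$webapp['name']` and `$webapp['version']` are echoed unescaped as the card title two lines above. These values presumably come from the installer's app list rather than the request, so the exposure is low, but escaping one of two parameters in the same href is inconsistent; `app=<?=rawurlencode($webapp['name']);?>` in the href and `<?=htmlentities($webapp['name']);?>` for the title would close the gap.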

+ 1 - 1
web/templates/pages/list_weblog.html

@@ -31,7 +31,7 @@
 			</div>
 			<div class="l-profile">
 				<div class="l-menu__item"><a href="javascript:location.reload();" title="<?=_('Refresh');?>"><i class="fas fa-redo"></i></a></div>
-				<div class="l-menu__item"><a href="/edit/user/?user=<?=$user; ?>" title="<?=$user?>" class="l-profile__username"><i class="fas fa-user-circle"></i></a></div>
+				<div class="l-menu__item"><a href="/edit/user/?user=<?=htmlentities($user); ?>" title="<?=htmlentities($user)?>" class="l-profile__username"><i class="fas fa-user-circle"></i></a></div>
 				<div class="l-menu__item"><a href="/logout/?token=<?=$_SESSION['token']?>" title="<?=_('Log out');?>" class="l-profile__logout"><i class="fas fa-sign-out-alt"></i></a></div>
 			</div>
 		</div>
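Review bot: If `$user` now carries shell quoting from a central `escapeshellarg()` (the unsuspend hunks further down pass `$user` straight to `exec()` without escaping, which suggests it does), the link in this hunk renders as `/edit/user/?user='admin'` and the title as `'admin'`: `htmlentities()` with default flags leaves single quotes alone on PHP < 8.1 and emits `&#039;` on 8.1+. Templates need the plain username for HTML and URL contexts, and only the `exec()` call sites need the shell-quoted one, so exposing a separate plain variable (e.g. `$user_plain`) from the include and writing `href="/edit/user/?user=<?=rawurlencode($user_plain); ?>" title="<?=htmlentities($user_plain)?>"` avoids reusing a shell-escaped string in an HTML context. Where `$user` is assigned is outside this chunk, so this is an inference from the other hunks.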

+ 2 - 2
web/templates/pages/login/reset_2.html

@@ -26,8 +26,8 @@
 									<tr>
 										<td>
 											<input type="hidden" name="action" value="confirm">
-											<input type="hidden" name="token" value="<?=$_SESSION['token'];?>"/>
-											<input type="hidden" name="user" value="<?=htmlentities($_GET['user'], ENT_QUOTES|ENT_HTML5)?>">
+											<input type="hidden" name="token" value="<?=htmlentities($_SESSION['token']);?>"/>
+											<input type="hidden" name="user" value="<?=htmlentities($_GET['user'])?>">
 											<input tabindex="1" type="text" size="20px" style="width:240px" name="code" class="vst-input">
 										</td>
 									</tr>
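Review bot: Dropping `ENT_QUOTES|ENT_HTML5` from the `htmlentities($_GET['user'])` call is a small regression: on PHP versions before 8.1 the default flag set is `ENT_COMPAT`, which leaves single quotes unencoded. The value sits in a double-quoted attribute so it is still safe here, but the explicit flags cost nothing and keep the line safe if the quoting style changes, and the parameter should be guarded against being absent: `value="<?=htmlentities($_GET['user'] ?? '', ENT_QUOTES|ENT_HTML5)?>"`. Escaping `$_SESSION['token']` is harmless but unnecessary if the token is server-generated, as it presumably is.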

+ 3 - 3
web/templates/pages/login/reset_3.html

@@ -18,9 +18,9 @@
 									<tr>
 										<td style="padding: 12px 0 0 2px;">
 											<input type="hidden" name="action" value="confirm">
-											<input type="hidden" name="token" value="<?=$_SESSION['token'];?>"/>
-											<input type="hidden" name="user" value="<?=htmlentities($_GET['user'], ENT_QUOTES|ENT_HTML5)?>">
-											<input type="hidden" name="code" value="<?=htmlentities($_GET['code'], ENT_QUOTES|ENT_HTML5)?>">
+											<input type="hidden" name="token" value="<?=htmlentities($_SESSION['token']);?>"/>
+											<input type="hidden" name="user" value="<?=htmlentities($_GET['user']);?>">
+											<input type="hidden" name="code" value="<?=htmlentities($_GET['code']);?>">
 											<?=_('New Password');?>
 										</td>
 									</tr>
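Review bot: Both the `user` and `code` hidden inputs lose the `ENT_QUOTES|ENT_HTML5` flags in this hunk, so on PHP < 8.1 (default `ENT_COMPAT`) single quotes in either `$_GET` value are passed through unencoded. The double-quoted attributes keep this safe today, but the explicit flags were the defensive choice and should be restored, along with a null guard since either parameter may be missing: `value="<?=htmlentities($_GET['code'] ?? '', ENT_QUOTES|ENT_HTML5);?>"` (and likewise for `user`). The reset code is a one-time secret reflected into the page by design here; the `token` escaping is harmless but unnecessary.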

+ 2 - 1
web/templates/pages/setup_webapp.html

@@ -2,7 +2,7 @@
 <div class="l-center edit">
 	<div class="l-sort clearfix">
 		<div class="l-unit-toolbar__buttonstrip">
-			<a class="ui-button cancel" dir="ltr" id="btn-back" href="/add/webapp/?domain=<?=$v_domain?>"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
+			<a class="ui-button cancel" dir="ltr" id="btn-back" href="/add/webapp/?domain=<?=htmlentities($v_domain);?>"><i class="fas fa-arrow-left status-icon blue"></i><?=_('Back');?></a>
 		</div>
 		<div class="l-unit-toolbar__buttonstrip float-right">
 			<?php
@@ -56,6 +56,7 @@
 
 						$f_value = htmlentities($f_value);
 						$f_label = htmlentities($f_label);
+						$f_name = htmlentities($f_name);
 						$f_placeholder = htmlentities($f_placeholder);
 					?>
 					<div class="form-group">

+ 1 - 2
web/unsuspend/cron/index.php

@@ -9,9 +9,8 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if (!empty($_GET['job'])) {
-    $v_username = escapeshellarg($user);
     $v_job = escapeshellarg($_GET['job']);
-    exec(HESTIA_CMD."v-unsuspend-cron-job ".$v_username." ".$v_job, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-cron-job ".$user." ".$v_job, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }
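Review bot: Passing `$user` to `exec()` unescaped is only safe because `$user` is already wrapped by `escapeshellarg()` somewhere this file does not show (presumably `/inc/main.php`, included on the first context line); nothing in the script states that invariant, and the local `escapeshellarg($user)` that used to document it is removed here. A one-line comment would stop the next maintainer from either re-adding the escaping (which double-quotes the username argument) or reusing `$user` as a plain string in HTML: `// $user is already escapeshellarg()'d by inc/main.php; do not escape it again`. It is also worth grepping every remaining `exec()` call site for the old `escapeshellarg($user)` pattern, since any site that still wraps it now passes a double-escaped argument to the CLI.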

+ 1 - 2
web/unsuspend/db/index.php

@@ -9,9 +9,8 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if (!empty($_GET['database'])) {
-    $v_username = escapeshellarg($user);
     $v_database = escapeshellarg($_GET['database']);
-    exec(HESTIA_CMD."v-unsuspend-database ".$v_username." ".$v_database, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-database ".$user." ".$v_database, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }

+ 2 - 4
web/unsuspend/dns/index.php

@@ -9,9 +9,8 @@ verify_csrf($_GET);
 
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-unsuspend-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-dns-domain ".$user." ".$v_domain, $output, $return_var);
     if ($return_var != 0) {
         $error = implode('<br>', $output);
         if (empty($error)) {
@@ -31,10 +30,9 @@ if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
 
 // DNS record
 if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
     $v_record_id = escapeshellarg($_GET['record_id']);
-    exec(HESTIA_CMD."v-unsuspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-dns-record ".$user." ".$v_domain." ".$v_record_id, $output, $return_var);
     if ($return_var != 0) {
         $error = implode('<br>', $output);
         if (empty($error)) {

+ 2 - 3
web/unsuspend/mail/index.php

@@ -9,9 +9,8 @@ verify_csrf($_GET);
 
 // Mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-unsuspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-mail-domain ".$user." ".$v_domain, $output, $return_var);
     if ($return_var != 0) {
         $error = implode('<br>', $output);
         if (empty($error)) {
@@ -34,7 +33,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
     $v_account = escapeshellarg($_GET['account']);
-    exec(HESTIA_CMD."v-unsuspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
     if ($return_var != 0) {
         $error = implode('<br>', $output);
         if (empty($error)) {
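Review bot: The second hunk still assigns `$v_username = escapeshellarg($user);` while the `exec()` below it now passes `$user` directly, so the variable is dead, and because `$user` is already shell-quoted (the mail-domain branch above relies on that), `$v_username` holds a double-escaped value that would send the wrong argument if anyone reused it. Delete the assignment to match the first hunk. The enclosing `if` block continues past the end of the hunk.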

+ 1 - 2
web/unsuspend/web/index.php

@@ -8,9 +8,8 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 verify_csrf($_GET);
 
 if (!empty($_GET['domain'])) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-unsuspend-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-unsuspend-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 }