- fixed further (potential) XSS issues in forms

Marius Burkard · Marius Burkard · commit a324af77eac6 · 2018-01-01T18:47:47.000+01:00
diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php
@@ -57,7 +57,7 @@ function onShowEnd() {
 		if($this->id ==0) { //* new record
 			$server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name");
 			if(is_array($server_list)) {
-				foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >$server[server_name]</option>\r\n";
+				foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";
 			}
 			$app->tpl->setVar('server_id', $server_select);
 		}
diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php
@@ -61,7 +61,7 @@ function onShowEnd() {
 		if(is_array($mirror_servers)) {
 			foreach( $mirror_servers as $mirror_server) {
 				$selected = ($mirror_server["server_id"] == $this->dataRecord['mirror_server_id'])?'SELECTED':'';
-				$mirror_server_select .= "<option value='$mirror_server[server_id]' $selected>$mirror_server[server_name]</option>\r\n";
+				$mirror_server_select .= "<option value='$mirror_server[server_id]' $selected>" . $app->functions->htmlentities($mirror_server['server_name']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("mirror_server_id", $mirror_server_select);
diff --git a/interface/web/admin/server_ip_map_edit.php b/interface/web/admin/server_ip_map_edit.php
@@ -52,7 +52,7 @@ function onShowEnd() {
 		if(is_array($servers)) {
 			foreach($servers as $server) {
 				$selected = ($server['server_id'] == $this->dataRecord['server_id'])?'SELECTED':'';
-				$server_select .= "<option value='$server[server_id]' $selected>$server[server_name]</option>\r\n";
+				$server_select .= "<option value='$server[server_id]' $selected>" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";
 			}
 		}
 		unset($servers);
@@ -65,7 +65,7 @@ function onShowEnd() {
 		if(is_array($ips)) {
 			foreach( $ips as $ip) {
 				$selected = ($ip['ip_address'] == $this->dataRecord['source_ip'])?'SELECTED':'';
-				$ip_select .= "<option value='$ip[ip_address]' $selected>$ip[source]</option>\r\n";
+				$ip_select .= "<option value='" . $app->functions->htmlentities($ip['ip_address']) . "' $selected>" . $app->functions->htmlentities($ip['source']) . "</option>\r\n";
 			}
 		}
 		unset($ips);
diff --git a/interface/web/client/message_template_edit.php b/interface/web/client/message_template_edit.php
@@ -80,7 +80,7 @@ function onShowEnd() {
 					if($field_name['Field'] == 'gender'){
 						$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{salutation}</a> ';
 					} else {
-						$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$field_name['Field'].'}</a> ';
+						$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$app->functions->htmlentities($field_name['Field']).'}</a> ';
 					}
 				}
 			}
diff --git a/interface/web/dns/dns_dkim_edit.php b/interface/web/dns/dns_dkim_edit.php
@@ -76,16 +76,16 @@ function onShowNew() {
 		if(isset($sql['domain']) && $sql['domain'] != '') {
 			if($sql['dkim'] == 'y') {
 		        $public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']);
-				$app->tpl->setVar('public_key', $public_key);
-				$app->tpl->setVar('selector', $sql['dkim_selector']);
+				$app->tpl->setVar('public_key', $public_key, true);
+				$app->tpl->setVar('selector', $sql['dkim_selector'], true);
 			} else {
 			//TODO: show warning - use mail_domain for dkim and enabled dkim
 			}
 			$app->tpl->setVar('edit_disabled', 1);
 		} else {
 			$app->tpl->setVar('edit_disabled', 0);
 		}
-		$app->tpl->setVar('name', $soa['origin']);
+		$app->tpl->setVar('name', $soa['origin'], true);
 
 	}
 
diff --git a/interface/web/dns/dns_dmarc_edit.php b/interface/web/dns/dns_dmarc_edit.php
@@ -93,7 +93,7 @@ function onShowEnd() {
 		if ( isset($rec) && !empty($rec) ) {
 			$this->id = 1;
 			$old_data = strtolower($rec['data']);
-			$app->tpl->setVar("data", $old_data);
+			$app->tpl->setVar("data", $old_data, true);
             if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED");
 			$dmarc_rua = '';
 			$dmarc_ruf = '';
@@ -123,7 +123,7 @@ function onShowEnd() {
 		} 
 
 		//set html-values
-		$app->tpl->setVar('domain', $domain_name);
+		$app->tpl->setVar('domain', $domain_name, true);
 
 		//create dmarc-policy-list
 		$dmarc_policy_value = array( 
@@ -138,9 +138,9 @@ function onShowEnd() {
 		}
 		$app->tpl->setVar('dmarc_policy', $dmarc_policy_list);
 
-		if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua);
+		if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua, true);
 
-		if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf);
+		if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf, true);
 
 		//set dmarc-fo-options
 		if (isset($dmarc_fo)) {
@@ -178,9 +178,9 @@ function onShowEnd() {
 		if ( strpos($dmarc_rf, 'afrf') !== false ) $app->tpl->setVar("dmarc_rf_afrf", 'CHECKED');
 		if ( strpos($dmarc_rf, 'iodef') !== false ) $app->tpl->setVar("dmarc_rf_iodef", 'CHECKED');
 
-		$app->tpl->setVar("dmarc_pct", $dmarc_pct);
+		$app->tpl->setVar("dmarc_pct", $dmarc_pct, true);
 
-		$app->tpl->setVar("dmarc_ri", $dmarc_ri);
+		$app->tpl->setVar("dmarc_ri", $dmarc_ri, true);
 
 		//create dmarc-sp-list
 		$dmarc_sp_value = array( 
diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php
@@ -132,7 +132,7 @@ function onShowEnd() {
 					if ($domain['domain'].'.' == $this->dataRecord["origin"]) {
 						$domain_select .= " selected";
 					}
-					$domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";
+					$domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".</option>\r\n";
 				}
 			}
 			else {
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
@@ -179,7 +179,7 @@ function onShowEnd() {
 		$options_dns_servers = "";
 
 		foreach ($dns_servers as $dns_server) {
-			$options_dns_servers .= '<option value="'.$dns_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $dns_server['server_id'] ? ' selected="selected"' : '').'>'.$dns_server['server_name'].'</option>';
+			$options_dns_servers .= '<option value="'.$dns_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $dns_server['server_id'] ? ' selected="selected"' : '').'>'.$app->functions->htmlentities($dns_server['server_name']).'</option>';
 		}
 
 		$app->tpl->setVar("client_server_id", $options_dns_servers);
@@ -200,7 +200,7 @@ function onShowEnd() {
 				if ($domain['domain'].'.' == $this->dataRecord["origin"]) {
 					$domain_select .= " selected";
 				}
-				$domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";
+				$domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".</option>\r\n";
 			}
 		}
 		else {
@@ -222,7 +222,7 @@ function onShowEnd() {
 		$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);
 		if(is_array($datalog) && !empty($datalog)){
 			if(trim($datalog['error']) != ''){
-				$app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error'])));
+				$app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error'])));
 				$app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp']));
 			}
 		}
diff --git a/interface/web/dns/dns_spf_edit.php b/interface/web/dns/dns_spf_edit.php
@@ -83,7 +83,7 @@ function onShowEnd() {
 			$this->id = 1;
 			$old_data = strtolower($rec['data']);
 
-			$app->tpl->setVar("data", $old_data);
+			$app->tpl->setVar("data", $old_data, true);
 			if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED");
 
 			$spf_hostname = '';
diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php
@@ -83,7 +83,7 @@ function onShowEnd() {
 			foreach( $domains as $domain) {
 				$domain['domain'] = $app->functions->idn_decode($domain['domain']);
 				$selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':'';
-				$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("email_domain", $domain_select);
diff --git a/interface/web/mail/mail_aliasdomain_edit.php b/interface/web/mail/mail_aliasdomain_edit.php
@@ -82,9 +82,9 @@ function onShowEnd() {
 			foreach( $domains as $domain) {
 				$domain['domain'] = $app->functions->idn_decode($domain['domain']);
 				$selected = ($domain["domain"] == @$source_domain)?'SELECTED':'';
-				$source_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$source_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 				$selected = ($domain["domain"] == @$destination_domain)?'SELECTED':'';
-				$destination_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$destination_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("source_domain", $source_select);
diff --git a/interface/web/mail/mail_domain_catchall_edit.php b/interface/web/mail/mail_domain_catchall_edit.php
@@ -82,7 +82,7 @@ function onShowEnd() {
 			foreach( $domains as $domain) {
 				$domain['domain'] = $app->functions->idn_decode($domain['domain']);
 				$selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':'';
-				$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("email_domain", $domain_select);
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
@@ -101,7 +101,7 @@ function onShowEnd() {
 
 			// Set the mailserver to the default server of the client
 			$tmp = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $client['default_mailserver']);
-			$app->tpl->setVar("server_id", "<option value='$client[default_mailserver]'>$tmp[server_name]</option>");
+			$app->tpl->setVar("server_id", "<option value='$client[default_mailserver]'>" . $app->functions->htmlentities($tmp['server_name']) . "</option>");
 			unset($tmp);
 
 			if ($settings['use_domain_module'] != 'y') {
@@ -142,7 +142,7 @@ function onShowEnd() {
 			$options_mail_servers = "";
 
 			foreach ($mail_servers as $mail_server) {
-				$options_mail_servers .= '<option value="'.$mail_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $mail_server['server_id'] ? ' selected="selected"' : '').'>'.$mail_server['server_name'].'</option>';
+				$options_mail_servers .= '<option value="'.$mail_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $mail_server['server_id'] ? ' selected="selected"' : '').'>'.$app->functions->htmlentities($mail_server['server_name']).'</option>';
 			}
 
 			$app->tpl->setVar("client_server_id", $options_mail_servers);
@@ -167,7 +167,7 @@ function onShowEnd() {
 					if ($domain['domain'] == $this->dataRecord["domain"]) {
 						$domain_select .= " selected";
 					}
-					$domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "</option>\r\n";
+					$domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "</option>\r\n";
 				}
 			}
 			else {
@@ -193,7 +193,7 @@ function onShowEnd() {
 		if(is_array($policys)) {
 			foreach( $policys as $p) {
 				$selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':'';
-				$policy_select .= "<option value='$p[id]' $selected>$p[policy_name]</option>\r\n";
+				$policy_select .= "<option value='$p[id]' $selected>" . $app->functions->htmlentities($p['policy_name']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("policy", $policy_select);
@@ -214,10 +214,10 @@ function onShowEnd() {
 		$rec = $app->db->queryOneRecord($sql, $app->functions->intval($_GET['id']));
 		$dns_key = str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$rec['dkim_public']);
 		$dns_record = $rec['dkim_selector'] . '._domainkey.' . $rec['domain'] . '. 3600   TXT   v=DKIM1; t=s; p=' . $dns_key;
-		$app->tpl->setVar('dkim_selector', $rec['dkim_selector']);
-		$app->tpl->setVar('dkim_private', $rec['dkim_private']);
-		$app->tpl->setVar('dkim_public', $rec['dkim_public']);
-		if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record);
+		$app->tpl->setVar('dkim_selector', $rec['dkim_selector'], true);
+		$app->tpl->setVar('dkim_private', $rec['dkim_private'], true);
+		$app->tpl->setVar('dkim_public', $rec['dkim_public'], true);
+		if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record, true);
 
 		parent::onShowEnd();
 	}
diff --git a/interface/web/mail/mail_forward_edit.php b/interface/web/mail/mail_forward_edit.php
@@ -82,7 +82,7 @@ function onShowEnd() {
 		foreach( $domains as $domain) {
 			$domain['domain'] = $app->functions->idn_decode($domain['domain']);
 			$selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':'';
-			$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+			$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 		}
 		$app->tpl->setVar("email_domain", $domain_select);
 
diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php
@@ -116,7 +116,7 @@ function onShowEnd() {
 		if(is_array($domains)) {
 			foreach( $domains as $domain) {
 				$selected = ($domain["domain"] == $this->dataRecord["domain"])?'SELECTED':'';
-				$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("domain_option", $domain_select);
diff --git a/interface/web/mail/mail_spamfilter_edit.php b/interface/web/mail/mail_spamfilter_edit.php
@@ -67,7 +67,7 @@ function onShowEnd() {
 		$domain_select = '';
 		foreach( $domains as $domain) {
 			$selected = ($domain["domain"] == $email_parts[1])?'SELECTED':'';
-			$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+			$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 		}
 		$app->tpl->setVar("email_domain", $domain_select);
 
diff --git a/interface/web/mail/mail_transport_edit.php b/interface/web/mail/mail_transport_edit.php
@@ -70,6 +70,7 @@ function onShowNew() {
 	function onShowEnd() {
 		global $app, $conf;
 
+		$rec = array();
 		$types = array('smtp' => 'smtp', 'uucp' => 'uucp', 'slow' => 'slow', 'error' => 'error', 'custom' => 'custom', '' => 'null');
 		$tmp_parts = explode(":", $this->dataRecord["transport"]);
 		if(!empty($this->id) && !stristr($this->dataRecord["transport"], ':')) {
@@ -106,7 +107,7 @@ function onShowEnd() {
 			}
 		}
 		$rec["type"] = $type_select;
-		$app->tpl->setVar($rec);
+		$app->tpl->setVar($rec, null, true);
 		unset($type);
 		unset($types);
 
diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php
@@ -84,7 +84,7 @@ function onShowEnd() {
 			foreach( $domains as $domain) {
 				$domain['domain'] = $app->functions->idn_decode($domain['domain']);
 				$selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':'';
-				$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("email_domain", $domain_select);
@@ -100,7 +100,7 @@ function onShowEnd() {
 		if(is_array($policys)) {
 			foreach( $policys as $p) {
 				$selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':'';
-				$policy_select .= "<option value='$p[id]' $selected>$p[policy_name]</option>\r\n";
+				$policy_select .= "<option value='$p[id]' $selected>" . $app->functions->htmlentities(($p['policy_name']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("policy", $policy_select);
diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php
@@ -165,7 +165,7 @@ function onShowEnd() {
 			$options_xmpp_servers = "";
 
 			foreach ($xmpp_servers as $xmpp_server) {
-				$options_xmpp_servers .= "<option value='$xmpp_server[server_id]'>$xmpp_server[server_name]</option>";
+				$options_xmpp_servers .= "<option value='$xmpp_server[server_id]'>" . $app->functions->htmlentities($xmpp_server['server_name']) . "</option>";
 			}
 
 			$app->tpl->setVar("client_server_id", $options_xmpp_servers);
@@ -190,7 +190,7 @@ function onShowEnd() {
 					if ($domain['domain'] == $this->dataRecord["domain"]) {
 						$domain_select .= " selected";
 					}
-					$domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "</option>\r\n";
+					$domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "</option>\r\n";
 				}
 			}
 			else {
diff --git a/interface/web/mail/xmpp_user_edit.php b/interface/web/mail/xmpp_user_edit.php
@@ -83,7 +83,7 @@ function onShowEnd() {
 			foreach( $domains as $domain) {
 				$domain['domain'] = $app->functions->idn_decode($domain['domain']);
 				$selected = ($domain["domain"] == @$jid_parts[1])?'SELECTED':'';
-				$domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";
+				$domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("jid_domain", $domain_select);
diff --git a/interface/web/mailuser/mail_user_cc_edit.php b/interface/web/mailuser/mail_user_cc_edit.php
@@ -75,7 +75,7 @@ function onShowEnd() {
 		global $app, $conf;
 
 		$rec = $app->tform->getDataRecord($this->id);
-		$app->tpl->setVar("email", $rec['email']);
+		$app->tpl->setVar("email", $rec['email'], true);
 
 		parent::onShowEnd();
 	}
diff --git a/interface/web/mailuser/mail_user_password_edit.php b/interface/web/mailuser/mail_user_password_edit.php
@@ -63,7 +63,7 @@ function onShowEnd() {
 		global $app, $conf;
 
 		$rec = $app->tform->getDataRecord($_SESSION['s']['user']['mailuser_id']);
-		$app->tpl->setVar("email", $rec['email']);
+		$app->tpl->setVar("email", $rec['email'], true);
 
 		parent::onShowEnd();
 	}
diff --git a/interface/web/mailuser/mail_user_spamfilter_edit.php b/interface/web/mailuser/mail_user_spamfilter_edit.php
@@ -112,7 +112,7 @@ function onShowEnd() {
 		global $app, $conf;
 
 		$rec = $app->tform->getDataRecord($this->id);
-		$app->tpl->setVar("email", $rec['email']);
+		$app->tpl->setVar("email", $rec['email'], true);
 
 		// Get the spamfilter policys for the user
 		$tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = ?", $rec['email']);
@@ -122,7 +122,7 @@ function onShowEnd() {
 		if(is_array($policys)) {
 			foreach( $policys as $p) {
 				$selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':'';
-				$policy_select .= "<option value='$p[id]' $selected>$p[policy_name]</option>\r\n";
+				$policy_select .= "<option value='$p[id]' $selected>" . $app->functions->htmlentities($p['policy_name']) . "</option>\r\n";
 			}
 		}
 		$app->tpl->setVar("policy", $policy_select);
diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php
@@ -89,7 +89,7 @@ function onShowEnd() {
 			}
 
 			foreach ($tmp as $db_server) {
-				$options_db_servers .= '<option value="'.$db_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $db_server['server_id'] ? ' selected="selected"' : '').'>'.$db_server['server_name'].'</option>';
+				$options_db_servers .= '<option value="'.$db_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $db_server['server_id'] ? ' selected="selected"' : '').'>'.$app->functions->htmlentities($db_server['server_name']).'</option>';
 			}
 
 			$app->tpl->setVar("server_id", $options_db_servers);
@@ -112,7 +112,7 @@ function onShowEnd() {
 			}
 
 			foreach ($tmp as $db_server) {
-				$options_db_servers .= '<option value="'.$db_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $db_server['server_id'] ? ' selected="selected"' : '').'>'.$db_server['server_name'].'</option>';
+				$options_db_servers .= '<option value="'.$db_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $db_server['server_id'] ? ' selected="selected"' : '').'>'.$app->functions->htmlentities($db_server['server_name']).'</option>';
 			}
 
 			$app->tpl->setVar("server_id", $options_db_servers);
@@ -147,7 +147,7 @@ function onShowEnd() {
 		}
 
 		if($this->dataRecord['database_name'] == "") {
-			$app->tpl->setVar("database_name_prefix", $dbname_prefix);
+			$app->tpl->setVar("database_name_prefix", $dbname_prefix, true);
 		} else {
 			$app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true);
 		}
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php
diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ function onShowEnd() {`
`57`	`57`	`if($this->id ==0) { //* new record`
`58`	`58`	`$server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name");`
`59`	`59`	`if(is_array($server_list)) {`
`60`		`- foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >$server[server_name]</option>\r\n";`
	`60`	`+ foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";`
`61`	`61`	`}`
`62`	`62`	`$app->tpl->setVar('server_id', $server_select);`
`63`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ function onShowEnd() {`
`61`	`61`	`if(is_array($mirror_servers)) {`
`62`	`62`	`foreach( $mirror_servers as $mirror_server) {`
`63`	`63`	`$selected = ($mirror_server["server_id"] == $this->dataRecord['mirror_server_id'])?'SELECTED':'';`
`64`		`- $mirror_server_select .= "<option value='$mirror_server[server_id]' $selected>$mirror_server[server_name]</option>\r\n";`
	`64`	`+ $mirror_server_select .= "<option value='$mirror_server[server_id]' $selected>" . $app->functions->htmlentities($mirror_server['server_name']) . "</option>\r\n";`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`	`$app->tpl->setVar("mirror_server_id", $mirror_server_select);`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ function onShowEnd() {`
`52`	`52`	`if(is_array($servers)) {`
`53`	`53`	`foreach($servers as $server) {`
`54`	`54`	`$selected = ($server['server_id'] == $this->dataRecord['server_id'])?'SELECTED':'';`
`55`		`- $server_select .= "<option value='$server[server_id]' $selected>$server[server_name]</option>\r\n";`
	`55`	`+ $server_select .= "<option value='$server[server_id]' $selected>" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`	`unset($servers);`
`@@ -65,7 +65,7 @@ function onShowEnd() {`
`65`	`65`	`if(is_array($ips)) {`
`66`	`66`	`foreach( $ips as $ip) {`
`67`	`67`	`$selected = ($ip['ip_address'] == $this->dataRecord['source_ip'])?'SELECTED':'';`
`68`		`- $ip_select .= "<option value='$ip[ip_address]' $selected>$ip[source]</option>\r\n";`
	`68`	`+ $ip_select .= "<option value='" . $app->functions->htmlentities($ip['ip_address']) . "' $selected>" . $app->functions->htmlentities($ip['source']) . "</option>\r\n";`
`69`	`69`	`}`
`70`	`70`	`}`
`71`	`71`	`unset($ips);`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ function onShowEnd() {`
`80`	`80`	`if($field_name['Field'] == 'gender'){`
`81`	`81`	`$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{salutation}</a> ';`
`82`	`82`	`} else {`
`83`		`- $message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$field_name['Field'].'}</a> ';`
	`83`	`+ $message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$app->functions->htmlentities($field_name['Field']).'}</a> ';`
`84`	`84`	`}`
`85`	`85`	`}`
`86`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,16 +76,16 @@ function onShowNew() {`
`76`	`76`	`if(isset($sql['domain']) && $sql['domain'] != '') {`
`77`	`77`	`if($sql['dkim'] == 'y') {`
`78`	`78`	`$public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']);`
`79`		`- $app->tpl->setVar('public_key', $public_key);`
`80`		`- $app->tpl->setVar('selector', $sql['dkim_selector']);`
	`79`	`+ $app->tpl->setVar('public_key', $public_key, true);`
	`80`	`+ $app->tpl->setVar('selector', $sql['dkim_selector'], true);`
`81`	`81`	`} else {`
`82`	`82`	`//TODO: show warning - use mail_domain for dkim and enabled dkim`
`83`	`83`	`}`
`84`	`84`	`$app->tpl->setVar('edit_disabled', 1);`
`85`	`85`	`} else {`
`86`	`86`	`$app->tpl->setVar('edit_disabled', 0);`
`87`	`87`	`}`
`88`		`- $app->tpl->setVar('name', $soa['origin']);`
	`88`	`+ $app->tpl->setVar('name', $soa['origin'], true);`
`89`	`89`
`90`	`90`	`}`
`91`	`91`
Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ function onShowEnd() {`
`132`	`132`	`if ($domain['domain'].'.' == $this->dataRecord["origin"]) {`
`133`	`133`	`$domain_select .= " selected";`
`134`	`134`	`}`
`135`		`- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";`
	`135`	`+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".</option>\r\n";`
`136`	`136`	`}`
`137`	`137`	`}`
`138`	`138`	`else {`
Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ function onShowEnd() {`
`179`	`179`	`$options_dns_servers = "";`
`180`	`180`
`181`	`181`	`foreach ($dns_servers as $dns_server) {`
`182`		`- $options_dns_servers .= '<option value="'.$dns_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $dns_server['server_id'] ? ' selected="selected"' : '').'>'.$dns_server['server_name'].'</option>';`
	`182`	`+ $options_dns_servers .= '<option value="'.$dns_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $dns_server['server_id'] ? ' selected="selected"' : '').'>'.$app->functions->htmlentities($dns_server['server_name']).'</option>';`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`$app->tpl->setVar("client_server_id", $options_dns_servers);`
`@@ -200,7 +200,7 @@ function onShowEnd() {`
`200`	`200`	`if ($domain['domain'].'.' == $this->dataRecord["origin"]) {`
`201`	`201`	`$domain_select .= " selected";`
`202`	`202`	`}`
`203`		`- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";`
	`203`	`+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".</option>\r\n";`
`204`	`204`	`}`
`205`	`205`	`}`
`206`	`206`	`else {`
`@@ -222,7 +222,7 @@ function onShowEnd() {`
`222`	`222`	`$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);`
`223`	`223`	`if(is_array($datalog) && !empty($datalog)){`
`224`	`224`	`if(trim($datalog['error']) != ''){`
`225`		`- $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error'])));`
	`225`	`+ $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error'])));`
`226`	`226`	`$app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp']));`
`227`	`227`	`}`
`228`	`228`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ function onShowEnd() {`
`83`	`83`	`foreach( $domains as $domain) {`
`84`	`84`	`$domain['domain'] = $app->functions->idn_decode($domain['domain']);`
`85`	`85`	`$selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':'';`
`86`		`- $domain_select .= "<option value='$domain[domain]' $selected>$domain[domain]</option>\r\n";`
	`86`	`+ $domain_select .= "<option value='" . $app->functions->htmlentities($domain['domain']) . "' $selected>" . $app->functions->htmlentities($domain['domain']) . "</option>\r\n";`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`	`$app->tpl->setVar("email_domain", $domain_select);`