Fix multiple issues (hestiacp#1899)

* Update top_js.html

Fix: "Warning: The type attribute for the script element is not needed and should be omitted."

* Update end_js.html

Fix: "Warning: The type attribute for the script element is not needed and should be omitted."

* Update css.html

Fix: "Warning: The type attribute for the link element is not needed and should be omitted."

* Update main.php

Fix php style

* Update main.php

* Update main.php

* Update policies.php

* Update policies.php

* Update secure_login.php

* Update query-3.6.0.min.js

* Update top_js.html

* Update footer.html

* Update header.html

* Update header.html

* Update index.php

Fix php style

* Update main.php

Fix php style and optimize code

* Update index.php

Fix php style and optimize code

* Update index.php

* Update css.html

Fix load custom theme

* Update hotkeys.html

Optimize code, fix error

* Update hotkeys.html

fix }

* Update index.php

* Fix XSS issue with list rrd

* Fix XSS issue on search page

* Fix XSS issue on login page

- Remove hidden user field
- htmlspecialchars username
- Delete old session when generate new session.

* XSS issue with $_GET['user']

* Update changelog + improve regenerate session code

* Allow static files to be cached

Change release branch or enable debug mode to disable the caching

* Force redirect user to login

* Improve error message 

Replace "Message" sub.domain.com allready exsists with rv-add-web-domain idn lalal.xxx.nu
Error: xxx.nu belongs to a different user

* Fix issues with login screen

* Update changelog

Co-authored-by: s0t <s0t@users.noreply.github.com>

Author: jaapmarcus

CHANGELOG.md

@@ -20,6 +20,10 @@ All notable changes to this project will be documented in this file.
 - Increased minimal memory requirements for ClamD / ClamAV.  #1840
 - Restore of backup did not rebuild the "Forced SSL" and "HSTS" config on new account #1862
 - Keep changes made by /install/upgrade/manual/install_awstats_geopip.sh on update HestiaCP (via Discord)
+- Refactor/improve PHP and HTML code @s0t (#1860)
+- Fixed XSS vulnerability in login page and a few other locations @briansemrau / @numanturle
+- Delete old session after after session_regenerate_id() @briansemrau
+- Improve error message when domain all ready exists on different account.
 - Fixed an issue where phpmyadmin did not update when Postgresql was availble.
 
 ## [1.4.2] - Service release

func/domain.sh

@@ -924,10 +924,18 @@ is_base_domain_owner(){
                     parse_object_kv_list "$web"
                     if [ -z "$ALLOW_USERS" ] ||  [ "$ALLOW_USERS" != "yes" ]; then
                         # Don't care if $basedomain all ready exists only if the owner is of the base domain is the current user
-                        is_domain_new "" $basedomain
+                        test=$(is_domain_new "" $basedomain)
+                        if [ $? -ne 0 ]; then
+                            echo "Error: $basedomain belongs to a different user";
+                            exit 1;
+                        fi
                     fi
                 else
-                    is_domain_new "" $basedomain
+                    test=$(is_domain_new "" $basedomain);
+                    if [ $? -ne 0 ]; then
+                        echo "Error: $basedomain belongs to a different user";
+                        exit 1;
+                    fi
                 fi
             fi
         fi

web/delete/web/index.php

@@ -3,32 +3,32 @@
 error_reporting(NULL);
 ob_start();
 session_start();
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+include($_SERVER['DOCUMENT_ROOT'] . '/inc/main.php');
 
 // Check token
 if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
     header('location: /login/');
-    exit();
+    exit;
 }
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user = $_GET['user'];
 }
 
 if (!empty($_GET['domain'])) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec (HESTIA_CMD."v-delete-web-domain ".$v_username." ".$v_domain." 'yes'", $output, $return_var);
-    check_return_code($return_var,$output);
+    exec (HESTIA_CMD . 'v-delete-web-domain ' . $v_username . ' ' . $v_domain . " 'yes'", $output, $return_var);
+    check_return_code($return_var, $output);
     unset($output);
 }
 
 $back = $_SESSION['back'];
 if (!empty($back)) {
-    header("Location: ".$back);
+    header('Location: ' . $back);
     exit;
 }
 
-header("Location: /list/web/");
+header('Location: /list/web/');
 exit;