Patch out XSS in edit server (hestiacp#2471)

Author: jaapmarcus

web/edit/db/index.php

@@ -15,6 +15,7 @@
 // Edit as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
     $user=escapeshellarg($_GET['user']);
+    $user_plain=htmlentities($_GET['user']);
 }
 
 // List datbase

web/edit/dns/index.php

@@ -15,6 +15,7 @@
 // Edit as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
     $user=escapeshellarg($_GET['user']);
+    $user_plain=htmlentities($_GET['user']);
 }
 
 // List ip addresses

web/edit/mail/index.php

@@ -15,6 +15,7 @@
 // Edit as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
     $user=escapeshellarg($_GET['user']);
+    $user_plain=htmlentities($_GET['user']);
 }
 
 $v_username = $user;

web/edit/web/index.php

@@ -16,6 +16,7 @@
 // Edit as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
     $user=escapeshellarg($_GET['user']);
+    $user_plain=htmlentities($_GET['user']);
 }
 
 // Get all user domains

web/templates/pages/edit_server.html

@@ -857,7 +857,7 @@
 									<tr>
 										<td class="vst-text step-top">
 											<?=_('SSL Certificate');?>
-											<span id="generate-csr"> / <a class="generate" target="_blank" href="/generate/ssl/?domain=<?=$v_hostname?>"><?=_('Generate CSR');?></a></span>
+											<span id="generate-csr"> / <a class="generate" target="_blank" href="/generate/ssl/?domain=<?=htmlentities(trim($v_hostname,'"'));?>"><?=_('Generate CSR');?></a></span>
 										</td>
 									</tr>
 									<tr>