fix: cases on private endpoints where self-xss was possible

This commit is contained in:
Miguel Ribeiro
2026-04-26 11:16:03 +02:00
parent a9d3ba990f
commit ea396b9dca
4 changed files with 71 additions and 71 deletions
+19 -19
@@ -94,7 +94,7 @@ $loginDisabledAllowed = $userCount == 1 && $settings['registrations_open'] == 0;
?>
<div class="form-group">
<label for="serverUrl"><?= translate('server_url', $i18n) ?></label>
<input type="text" id="serverUrl" autocomplete="off" value="<?= $settings['server_url'] ?>" />
<input type="text" id="serverUrl" autocomplete="off" value="<?= htmlspecialchars($settings['server_url']) ?>" />
</div>
<div class="settings-notes">
<p>
@@ -148,13 +148,13 @@ $loginDisabledAllowed = $userCount == 1 && $settings['registrations_open'] == 0;
<div class="user-list-icon">
<i class="fa-solid <?= $userIcon ?>"></i>
</div>
<?= $user['username'] ?>
<?= htmlspecialchars($user['username']) ?>
</div>
<div title="<?= translate('email', $i18n) ?>">
<div class="user-list-icon">
<i class="fa-solid fa-envelope"></i>
</div>
<a href="mailto:<?= $user['email'] ?>"><?= $user['email'] ?></a>
<a href="mailto:<?= htmlspecialchars($user['email']) ?>"><?= htmlspecialchars($user['email']) ?></a>
</div>
</div>
<div>
@@ -221,47 +221,47 @@ $loginDisabledAllowed = $userCount == 1 && $settings['registrations_open'] == 0;
</div>
<div class="form-group">
<input type="text" id="oidcName" placeholder="Provider Name" autocomplete="off"
value="<?= $oidcSettings['name'] ?>" />
value="<?= htmlspecialchars($oidcSettings['name']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcClientId" placeholder="Client ID" autocomplete="off"
value="<?= $oidcSettings['client_id'] ?>" />
value="<?= htmlspecialchars($oidcSettings['client_id']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcClientSecret" placeholder="Client Secret" autocomplete="off"
value="<?= $oidcSettings['client_secret'] ?>" />
value="<?= htmlspecialchars($oidcSettings['client_secret']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcAuthUrl" placeholder="Auth URL" autocomplete="off"
value="<?= $oidcSettings['authorization_url'] ?>" />
value="<?= htmlspecialchars($oidcSettings['authorization_url']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcTokenUrl" placeholder="Token URL" autocomplete="off"
value="<?= $oidcSettings['token_url'] ?>" />
value="<?= htmlspecialchars($oidcSettings['token_url']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcUserInfoUrl" placeholder="User Info URL" autocomplete="off"
value="<?= $oidcSettings['user_info_url'] ?>" />
value="<?= htmlspecialchars($oidcSettings['user_info_url']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcRedirectUrl" placeholder="Redirect URL" autocomplete="off"
value="<?= $oidcSettings['redirect_url'] ?>" />
value="<?= htmlspecialchars($oidcSettings['redirect_url']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcLogoutUrl" placeholder="Logout URL" autocomplete="off"
value="<?= $oidcSettings['logout_url'] ?>" />
value="<?= htmlspecialchars($oidcSettings['logout_url']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcUserIdentifierField" placeholder="User Identifier Field" autocomplete="off"
value="<?= $oidcSettings['user_identifier_field'] ?>" />
value="<?= htmlspecialchars($oidcSettings['user_identifier_field']) ?>" />
</div>
<div class="form-group">
<input type="text" id="oidcScopes" placeholder="Scopes" autocomplete="off"
value="<?= $oidcSettings['scopes'] ?>" />
value="<?= htmlspecialchars($oidcSettings['scopes']) ?>" />
</div>
<div class="form-group">
<input type="hidden" id="oidcAuthStyle" placeholder="Auth Style" autocomplete="off"
value="<?= $oidcSettings['auth_style'] ?>" />
value="<?= htmlspecialchars($oidcSettings['auth_style']) ?>" />
</div>
<div class="form-group-inline">
<input type="checkbox" id="oidcAutoCreateUser" <?= $oidcSettings['auto_create_user'] ? 'checked' : '' ?> />
@@ -287,9 +287,9 @@ $loginDisabledAllowed = $userCount == 1 && $settings['registrations_open'] == 0;
<div class="admin-form">
<div class="form-group-inline">
<input type="text" name="smtpaddress" id="smtpaddress" autocomplete="off"
placeholder="<?= translate('smtp_address', $i18n) ?>" value="<?= $settings['smtp_address'] ?>" />
placeholder="<?= translate('smtp_address', $i18n) ?>" value="<?= htmlspecialchars($settings['smtp_address']) ?>" />
<input type="text" name="smtpport" id="smtpport" autocomplete="off"
placeholder="<?= translate('port', $i18n) ?>" class="one-third" value="<?= $settings['smtp_port'] ?>" />
placeholder="<?= translate('port', $i18n) ?>" class="one-third" value="<?= htmlspecialchars($settings['smtp_port']) ?>" />
</div>
<div class="form-group-inline">
<div>
@@ -310,15 +310,15 @@ $loginDisabledAllowed = $userCount == 1 && $settings['registrations_open'] == 0;
</div>
<div class="form-group-inline">
<input type="text" name="smtpusername" id="smtpusername" autocomplete="off"
placeholder="<?= translate('smtp_username', $i18n) ?>" value="<?= $settings['smtp_username'] ?>" />
placeholder="<?= translate('smtp_username', $i18n) ?>" value="<?= htmlspecialchars($settings['smtp_username']) ?>" />
</div>
<div class="form-group-inline">
<input type="password" name="smtppassword" id="smtppassword" autocomplete="off"
placeholder="<?= translate('smtp_password', $i18n) ?>" value="<?= $settings['smtp_password'] ?>" />
placeholder="<?= translate('smtp_password', $i18n) ?>" value="<?= htmlspecialchars($settings['smtp_password']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="fromemail" id="fromemail" autocomplete="off"
placeholder="<?= translate('from_email', $i18n) ?>" value="<?= $settings['from_email'] ?>" />
placeholder="<?= translate('from_email', $i18n) ?>" value="<?= htmlspecialchars($settings['from_email']) ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow" value="<?= translate('test', $i18n) ?>"
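Review bot: Every new `htmlspecialchars(...)` call in this file, from the serverUrl input through the user list, the OIDC fields and the SMTP fields, relies on the function's default flags, which depend on the PHP version: before 8.1 the default is `ENT_COMPAT | ENT_HTML401` (single quotes untouched), and from 8.1 a null argument raises a deprecation notice. All attributes here are double-quoted, so the escaping is effective as written, but pinning the flags in one small helper would make that independent of the runtime and remove the repetition, e.g. `function e(?string $s): string { return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }` used as `value="<?= e($settings['server_url']) ?>"`. The `?? ''` inside it would also cover settings such as `smtp_password` or the OIDC fields if they can be unset, which the raw array accesses do not guard against today.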
+2 -2
@@ -1,3 +1,3 @@
<?php
$version = "v4.8.2";
?>
$version = "v4.8.3";
?>
+15 -15
@@ -42,20 +42,20 @@ while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
<div class="avatar-list">
<?php foreach (scandir('images/avatars') as $image): ?>
<?php if (!str_starts_with($image, '.')): ?>
<img src="images/avatars/<?= $image ?>" alt="<?= $image ?>" class="avatar-option"
data-src="images/avatars/<?= $image ?>">
<img src="images/avatars/<?= htmlspecialchars($image) ?>" alt="<?= htmlspecialchars($image) ?>" class="avatar-option"
data-src="images/avatars/<?= htmlspecialchars($image) ?>">
<?php endif ?>
<?php endforeach ?>
<?php foreach ($uploadedAvatars as $path): ?>
<?php
$filename = basename($path);
<?php
$filename = basename($path);
?>
<div class="avatar-container" data-src="<?= $filename ?>">
<img src="<?= $path ?>" alt="<?= $filename ?>"
class="avatar-option" data-src="<?= $path ?>">
<div class="remove-avatar" onclick="deleteAvatar('<?= $filename ?>')"
<div class="avatar-container" data-src="<?= htmlspecialchars($filename) ?>">
<img src="<?= htmlspecialchars($path) ?>" alt="<?= htmlspecialchars($filename) ?>"
class="avatar-option" data-src="<?= htmlspecialchars($path) ?>">
<div class="remove-avatar" onclick="deleteAvatar(<?= json_encode($filename, JSON_HEX_APOS | JSON_HEX_QUOT) ?>)"
title="Delete avatar">
<i class="fa-solid fa-xmark"></i>
</div>
@@ -76,23 +76,23 @@ while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
<div class="grow">
<div class="form-group">
<label for="username"><?= translate('username', $i18n) ?>:</label>
<input type="text" id="username" name="username" value="<?= $userData['username'] ?>"
<input type="text" id="username" name="username" value="<?= htmlspecialchars($userData['username']) ?>"
disabled>
</div>
<div class="form-group">
<label for="firstname"><?= translate('firstname', $i18n) ?>:</label>
<input type="text" id="firstname" name="firstname" autocomplete="given-name"
value="<?= $userData['firstname'] ?>">
value="<?= htmlspecialchars($userData['firstname']) ?>">
</div>
<div class="form-group">
<label for="lastname"><?= translate('lastname', $i18n) ?>:</label>
<input type="text" id="lastname" name="lastname" autocomplete="family-name"
value="<?= $userData['lastname'] ?>">
value="<?= htmlspecialchars($userData['lastname']) ?>">
</div>
<div class="form-group">
<label for="email"><?= translate('email', $i18n) ?>:</label>
<input type="email" id="email" name="email" autocomplete="email"
value="<?= $userData['email'] ?>" required>
value="<?= htmlspecialchars($userData['email']) ?>" required>
</div>
<div class="form-group">
<label for="password"><?= translate('password', $i18n) ?>:</label>
@@ -127,7 +127,7 @@ while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
$userData['currency_symbol'] = $currency['symbol'];
}
?>
<option value="<?= $currency['id'] ?>" <?= $selected ?>><?= $currency['name'] ?></option>
<option value="<?= $currency['id'] ?>" <?= $selected ?>><?= htmlspecialchars($currency['name']) ?></option>
<?php
}
?>
@@ -269,7 +269,7 @@ while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
</header>
<div class="account-api-key">
<div class="form-group-inline">
<input type="text" id="apikey" name="apikey" value="<?= $userData['api_key'] ?>" placeholder="API Key" readonly>
<input type="text" id="apikey" name="apikey" value="<?= htmlspecialchars($userData['api_key']) ?>" placeholder="API Key" readonly>
<input type="submit" value="<?= translate('regenerate', $i18n) ?>" id="regenerateApiKey" onClick="regenerateApiKey()" />
</div>
<div class="settings-notes">
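Review bot: The new `onclick="deleteAvatar(<?= json_encode($filename, JSON_HEX_APOS | JSON_HEX_QUOT) ?>)"` in the avatar hunk breaks the attribute: `JSON_HEX_QUOT` only escapes quotes inside the string, while the delimiters json_encode emits are literal `"`, so the rendered HTML is `onclick="deleteAvatar("name.png")"` and the attribute ends after the opening parenthesis. The value also passes `&` and `<` through, so an entity sequence in the filename is decoded by the HTML parser before the JS parser sees it. Escape for both contexts, JS first and then the attribute: `onclick="deleteAvatar(<?= htmlspecialchars(json_encode($filename, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP), ENT_QUOTES, 'UTF-8') ?>)"`. If uploaded filenames are not guaranteed to be valid UTF-8, json_encode returns false there, so `JSON_INVALID_UTF8_SUBSTITUTE` or `JSON_THROW_ON_ERROR` is worth adding as well.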
+35 -35
@@ -66,12 +66,12 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
foreach ($household as $index => $member) {
?>
<div class="form-group-inline" data-memberid="<?= $member['id'] ?>">
<input type="text" name="member" autocomplete="off" value="<?= $member['name'] ?>"
<input type="text" name="member" autocomplete="off" value="<?= htmlspecialchars($member['name']) ?>"
placeholder="Member">
<?php
if ($index !== 0) {
?>
<input type="text" name="email" autocomplete="off" value="<?= $member['email'] ?? "" ?>"
<input type="text" name="email" autocomplete="off" value="<?= htmlspecialchars($member['email'] ?? "") ?>"
placeholder="<?= translate("email", $i18n) ?>">
<?php
}
@@ -413,10 +413,10 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="smtpaddress" id="smtpaddress" autocomplete="off"
placeholder="<?= translate('smtp_address', $i18n) ?>"
value="<?= $notificationsEmail['smtp_address'] ?>" />
value="<?= htmlspecialchars($notificationsEmail['smtp_address']) ?>" />
<input type="text" name="smtpport" id="smtpport" autocomplete="off"
placeholder="<?= translate('port', $i18n) ?>" class="one-third"
value="<?= $notificationsEmail['smtp_port'] ?>" />
value="<?= htmlspecialchars($notificationsEmail['smtp_port']) ?>" />
</div>
<div class="form-group-inline">
<div>
@@ -440,23 +440,23 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="smtpusername" id="smtpusername" autocomplete="off"
placeholder="<?= translate('smtp_username', $i18n) ?>"
value="<?= $notificationsEmail['smtp_username'] ?>" />
value="<?= htmlspecialchars($notificationsEmail['smtp_username']) ?>" />
</div>
<div class="form-group-inline">
<input type="password" name="smtppassword" id="smtppassword" autocomplete="off"
placeholder="<?= translate('smtp_password', $i18n) ?>"
value="<?= $notificationsEmail['smtp_password'] ?>" />
value="<?= htmlspecialchars($notificationsEmail['smtp_password']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="fromemail" id="fromemail" autocomplete="off"
placeholder="<?= translate('from_email', $i18n) ?>"
value="<?= $notificationsEmail['from_email'] ?>" />
value="<?= htmlspecialchars($notificationsEmail['from_email']) ?>" />
</div>
<label for="otheremails"><?= translate('send_to_other_emails', $i18n) ?></label>
<div class="form-group-inline">
<input type="text" name="otheremails" id="otheremails" autocomplete="off"
placeholder="<?= translate('other_emails_placeholder', $i18n) ?>"
value="<?= $notificationsEmail['other_emails'] ?>" />
value="<?= htmlspecialchars($notificationsEmail['other_emails']) ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow"
@@ -489,17 +489,17 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="discordurl" id="discordurl" autocomplete="off"
placeholder="<?= translate('webhook_url', $i18n) ?>"
value="<?= $notificationsDiscord['webhook_url'] ?>" />
value="<?= htmlspecialchars($notificationsDiscord['webhook_url']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="discordbotusername" id="discordbotusername" autocomplete="off"
placeholder="<?= translate('discord_bot_username', $i18n) ?>"
value="<?= $notificationsDiscord['bot_username'] ?>" />
value="<?= htmlspecialchars($notificationsDiscord['bot_username']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="discordbotavatar" id="discordbotavatar" autocomplete="off"
placeholder="<?= translate('discord_bot_avatar_url', $i18n) ?>"
value="<?= $notificationsDiscord['bot_avatar'] ?>" />
value="<?= htmlspecialchars($notificationsDiscord['bot_avatar']) ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow"
@@ -525,12 +525,12 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
</div>
<div class="form-group-inline">
<input type="text" name="gotifyurl" id="gotifyurl" autocomplete="off"
placeholder="<?= translate('url', $i18n) ?>" value="<?= $notificationsGotify['url'] ?>" />
placeholder="<?= translate('url', $i18n) ?>" value="<?= htmlspecialchars($notificationsGotify['url']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="gotifytoken" id="gotifytoken" autocomplete="off"
placeholder="<?= translate('token', $i18n) ?>"
value="<?= $notificationsGotify['token'] ?>" />
value="<?= htmlspecialchars($notificationsGotify['token']) ?>" />
</div>
<div class="form-group-inline">
<input type="checkbox" id="gotifyignoressl" name="gotifyignoressl"
@@ -562,12 +562,12 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="pushoveruserkey" id="pushoveruserkey" autocomplete="off"
placeholder="<?= translate('pushover_user_key', $i18n) ?>"
value="<?= $notificationsPushover['user_key'] ?>" />
value="<?= htmlspecialchars($notificationsPushover['user_key']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="pushovertoken" id="pushovertoken" autocomplete="off"
placeholder="<?= translate('token', $i18n) ?>"
value="<?= $notificationsPushover['token'] ?>" />
value="<?= htmlspecialchars($notificationsPushover['token']) ?>" />
</div>
<div class="buttons">
@@ -595,12 +595,12 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="telegrambottoken" id="telegrambottoken" autocomplete="off"
placeholder="<?= translate('telegram_bot_token', $i18n) ?>"
value="<?= $notificationsTelegram['bot_token'] ? $notificationsTelegram['bot_token'] : "" ?>" />
value="<?= htmlspecialchars($notificationsTelegram['bot_token'] ? $notificationsTelegram['bot_token'] : "") ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="telegramchatid" id="telegramchatid" autocomplete="off"
placeholder="<?= translate('telegram_chat_id', $i18n) ?>"
value="<?= $notificationsTelegram['chat_id'] ?>" />
value="<?= htmlspecialchars($notificationsTelegram['chat_id']) ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow"
@@ -628,7 +628,7 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="pushplustoken" id="pushplustoken" autocomplete="off"
placeholder="<?= translate('pushplus_token', $i18n) ?>"
value="<?= $notificationsPushPlus['token'] ? $notificationsPushPlus['token'] : '' ?>" />
value="<?= htmlspecialchars($notificationsPushPlus['token'] ? $notificationsPushPlus['token'] : '') ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow"
@@ -656,17 +656,17 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="mattermostwebhookurl" id="mattermostwebhookurl"
placeholder="<?= translate('mattermost_webhook_url', $i18n) ?>"
value="<?= $notificationsMattermost['webhook_url'] ? $notificationsMattermost['webhook_url'] : '' ?>" />
value="<?= htmlspecialchars($notificationsMattermost['webhook_url'] ? $notificationsMattermost['webhook_url'] : '') ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="mattermostbotusername" id="mattermostbotusername"
placeholder="<?= translate('mattermost_bot_username', $i18n) ?>"
value="<?= $notificationsMattermost['bot_username'] ? $notificationsMattermost['bot_username'] : '' ?>" />
value="<?= htmlspecialchars($notificationsMattermost['bot_username'] ? $notificationsMattermost['bot_username'] : '') ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="mattermostboticonemoji" id="mattermostboticonemoji"
placeholder="<?= translate('mattermost_bot_icon_emoji', $i18n) ?>"
value="<?= $notificationsMattermost['bot_icon_emoji'] ? $notificationsMattermost['bot_icon_emoji'] : '' ?>" />
value="<?= htmlspecialchars($notificationsMattermost['bot_icon_emoji'] ? $notificationsMattermost['bot_icon_emoji'] : '') ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow"
@@ -691,15 +691,15 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
</div>
<div class="form-group-inline">
<input type="text" name="ntfyhost" id="ntfyhost" autocomplete="off"
placeholder="<?= translate('host', $i18n) ?>" value="<?= $notificationsNtfy['host'] ?>" />
placeholder="<?= translate('host', $i18n) ?>" value="<?= htmlspecialchars($notificationsNtfy['host']) ?>" />
</div>
<div class="form-group-inline">
<input type="text" name="ntfytopic" id="ntfytopic" autocomplete="off"
placeholder="<?= translate('topic', $i18n) ?>" value="<?= $notificationsNtfy['topic'] ?>" />
placeholder="<?= translate('topic', $i18n) ?>" value="<?= htmlspecialchars($notificationsNtfy['topic']) ?>" />
</div>
<div class="form-group-inline">
<textarea class="thin" name="ntfyheaders" id="ntfyheaders"
placeholder="<?= translate('custom_headers', $i18n) ?>"><?= $notificationsNtfy['headers'] ?></textarea>
placeholder="<?= translate('custom_headers', $i18n) ?>"><?= htmlspecialchars($notificationsNtfy['headers']) ?></textarea>
</div>
<div class="form-grpup-inline">
<input type="checkbox" id="ntfyignoressl" name="ntfyignoressl"
@@ -731,7 +731,7 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="serverchansendkey" id="serverchansendkey" autocomplete="off"
placeholder="<?= translate('serverchan_sendkey', $i18n) ?>"
value="<?= $notificationsServerchan['sendkey'] ? $notificationsServerchan['sendkey'] : '' ?>" />
value="<?= htmlspecialchars($notificationsServerchan['sendkey'] ? $notificationsServerchan['sendkey'] : '') ?>" />
</div>
<div class="buttons">
<input type="button" class="secondary-button thin mobile-grow"
@@ -770,19 +770,19 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
<div class="form-group-inline">
<input type="text" name="webhookurl" id="webhookurl" autocomplete="off"
placeholder="<?= translate('webhook_url', $i18n) ?>"
value="<?= $notificationsWebhook['url'] ?>" />
value="<?= htmlspecialchars($notificationsWebhook['url']) ?>" />
</div>
<div class="form-group-inline">
<textarea class="thin" name="webhookcustomheaders" id="webhookcustomheaders"
placeholder="<?= translate('custom_headers', $i18n) ?>"><?= $notificationsWebhook['headers'] ?></textarea>
placeholder="<?= translate('custom_headers', $i18n) ?>"><?= htmlspecialchars($notificationsWebhook['headers']) ?></textarea>
</div>
<div class="form-group-inline">
<textarea name="webhookpayload" id="webhookpayload"
placeholder="<?= translate('payment_notifications_payload', $i18n) ?>"><?= $notificationsWebhook['payload'] ?></textarea>
placeholder="<?= translate('payment_notifications_payload', $i18n) ?>"><?= htmlspecialchars($notificationsWebhook['payload']) ?></textarea>
</div>
<div class="form-group-inline">
<textarea name="webhookcancelationpayload" id="webhookcancelationpayload"
placeholder="<?= translate('cancelation_notification_payload', $i18n) ?>"><?= $notificationsWebhook['cancelation_payload'] ?></textarea>
placeholder="<?= translate('cancelation_notification_payload', $i18n) ?>"><?= htmlspecialchars($notificationsWebhook['cancelation_payload']) ?></textarea>
</div>
<div class="form-group-inline">
<input type="checkbox" id="webhookignoressl" name="webhookignoressl"
@@ -849,7 +849,7 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
?>
<div class="form-group-inline" data-categoryid="<?= $category['id'] ?>">
<div class=" drag-icon"><i class="fa-solid fa-grip-vertical"></i></div>
<input type="text" name="category" autocomplete="off" value="<?= $category['name'] ?>"
<input type="text" name="category" autocomplete="off" value="<?= htmlspecialchars($category['name']) ?>"
placeholder="Category">
<button class="image-button medium" onClick="editCategory(<?= $category['id'] ?>)" name="save"
title="<?= translate('save_category', $i18n) ?>">
@@ -938,11 +938,11 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
?>
<div class="form-group-inline" data-currencyid="<?= $currency['id'] ?>">
<input type="text" class="short" name="symbol" autocomplete="off" value="<?= $currency['symbol'] ?>"
<input type="text" class="short" name="symbol" autocomplete="off" value="<?= htmlspecialchars($currency['symbol']) ?>"
placeholder="$">
<input type="text" name="currency" autocomplete="off" value="<?= $currency['name'] ?>"
<input type="text" name="currency" autocomplete="off" value="<?= htmlspecialchars($currency['name']) ?>"
placeholder="Currency Name">
<input type="text" name="code" autocomplete="off" value="<?= $currency['code'] ?>"
<input type="text" name="code" autocomplete="off" value="<?= htmlspecialchars($currency['code']) ?>"
placeholder="Currency Code" <?= !$canDelete ? 'disabled' : '' ?>>
<button class="image-button medium" onClick="editCurrency(<?= $currency['id'] ?>)" name="save"
title="<?= translate('save_currency', $i18n) ?>">
@@ -1023,7 +1023,7 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
</header>
<div class="account-fixer">
<div class="form-group">
<input type="text" name="fixer-key" id="fixerKey" autocomplete="off" value="<?= $apiKey ?>"
<input type="text" name="fixer-key" id="fixerKey" autocomplete="off" value="<?= htmlspecialchars($apiKey) ?>"
placeholder="<?= translate('api_key', $i18n) ?>" <?= $demoMode ? 'disabled title="Not available on Demo Mode"' : '' ?>>
</div>
<div class="form-group">
@@ -1202,7 +1202,7 @@ $userData['currency_symbol'] = $currencies[$main_currency]['symbol'];
</div>
<img src="<?= $paymentIconFolder . $payment['icon'] ?>" alt="Logo" />
<span class="payment-name" contenteditable="true"
title="<?= translate("rename_payment_method", $i18n) ?>"><?= $payment['name'] ?></span>
title="<?= translate("rename_payment_method", $i18n) ?>"><?= htmlspecialchars($payment['name']) ?></span>
<?php
if (!$inUse) {
?>
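Review bot: In the payment-method hunk the context line `<img src="<?= $paymentIconFolder . $payment['icon'] ?>" alt="Logo" />` is still unescaped while the adjacent payment name now goes through htmlspecialchars; if `$payment['icon']` can be a user-supplied filename, as the avatar handling elsewhere in this commit suggests for similar assets, it needs the same treatment, `src="<?= htmlspecialchars($paymentIconFolder . $payment['icon']) ?>"`. Across this file the null handling is also uneven: the household email uses `?? ""` and the Telegram, PushPlus, Mattermost and Serverchan values use truthiness ternaries, but `smtp_address`, `webhook_url`, `headers` and the other notification fields are passed to htmlspecialchars raw. If any of those can be null when a channel has never been configured, PHP 8.1+ emits a deprecation on every render, so normalising all of them with `?? ''` (for example `htmlspecialchars($notificationsEmail['smtp_address'] ?? '')`) would be both consistent and quiet; the existing `$x ? $x : ''` ternaries can then become `$x ?? ''` too.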