Merge branch 'master' of github.com:limetech/webgui

2026-01-16 14:39:57 -06:00 · 2021-08-12 08:47:47 -07:00
parent eb65ee0cfc 5a474b4a50
commit befa87430e
23 changed files with 104 additions and 99 deletions
--- a/plugins/dynamix.docker.manager/DockerSettings.page
+++ b/plugins/dynamix.docker.manager/DockerSettings.page
@@ -465,7 +465,7 @@ _(Preserve user defined networks)_:
 $net = normalize($network);
 $docker_dhcp = "DOCKER_DHCP_$net";
 ?>
-<?if ($dockercfg[$docker_dhcp] || empty($dockercfg["DOCKER_AUTO_$net"])):?>
+<?if (isset($dockercfg[$docker_dhcp]) || empty($dockercfg["DOCKER_AUTO_$net"])):?>
 _(IPv4 custom network on interface)_ <?=$network?>:
 : <span class="<?=$gw4class?>">**_(Subnet)_:** <?=$route?></span>
  <span class="<?=$gw4class?>">**_(Gateway)_:** <?=$gateway[$network]?></span>
@@ -500,7 +500,7 @@ _(IPv4 custom network on interface)_ <?=$network?>:
 <?
 $net = normalize($network);
 $docker_dhcp6 = "DOCKER_DHCP6_$net";
-if ($dockercfg[$docker_dhcp6] || empty($dockercfg["DOCKER_AUTO_$net"])):?>
+if (isset($dockercfg[$docker_dhcp6]) || empty($dockercfg["DOCKER_AUTO_$net"])):?>
 <?$wide = true;?>
 _(IPv6 custom network on interface)_ <?=$network?>:
 : <span class="gw6">**_(Subnet)_:** <?=$route?></span>
--- a/plugins/dynamix.docker.manager/include/CreateDocker.php
+++ b/plugins/dynamix.docker.manager/include/CreateDocker.php
@@ -154,14 +154,14 @@ if (isset($_POST['contName'])) {
 ##   UPDATE CONTAINER   ##
 ##########################

-if ($_GET['updateContainer']){
-  $echo = $_GET['mute'] ? false : true;
+if (unscript($_GET['updateContainer'])){
+  $echo = isset($_GET['mute']);
  if ($echo) {
    readfile("$docroot/plugins/dynamix.docker.manager/log.htm");
    @flush();
  }
  foreach ($_GET['ct'] as $value) {
-    $tmpl = $DockerTemplates->getUserTemplate(urldecode($value));
+    $tmpl = $DockerTemplates->getUserTemplate(unscript(urldecode($value)));
    if ($echo && !$tmpl) {
      echo "<script>addLog('<p>"._('Configuration not found').". "._('Was this container created using this plugin')."?</p>');</script>";
      @flush();
@@ -205,8 +205,8 @@ if ($_POST['rmTemplate']) {
 ##    LOAD TEMPLATE    ##
 #########################

-if ($_GET['xmlTemplate']) {
-  [$xmlType, $xmlTemplate] = my_explode(':', urldecode($_GET['xmlTemplate']));
+if (unscript($_GET['xmlTemplate'])) {
+  [$xmlType, $xmlTemplate] = my_explode(':', unscript(urldecode($_GET['xmlTemplate'])));
  if (is_file($xmlTemplate)) {
    $xml = xmlToVar($xmlTemplate);
    $templateName = $xml['Name'];
--- a/plugins/dynamix.docker.manager/include/Events.php
+++ b/plugins/dynamix.docker.manager/include/Events.php
@@ -19,16 +19,18 @@ require_once "$docroot/webGui/include/Translations.php";

 require_once "$docroot/plugins/dynamix.docker.manager/include/DockerClient.php";

+function unscript($text) {
+  return preg_replace('#<script(.*?)>(.+?)</script>#','',html_entity_decode($text));
+}
 function safe($text) {
-  return preg_replace('/[!@#$%^&\*\(\)\[\]{}"\|\?<>\/;]+/','',html_entity_decode($text));
+  return preg_replace('/[!@#$%^&\*\(\)\[\]{}"\|\?<>\/;]+/','',unscript($text));
 }

 $DockerClient = new DockerClient();
-$_REQUEST     = array_merge(array_map('safe',$_GET), $_POST);
-$action       = $_REQUEST['action'] ?? '';
-$container    = $_REQUEST['container'] ?? '';
-$name         = $_REQUEST['name'] ?? '';
-$image        = $_REQUEST['image'] ?? '';
+$action       = unscript($_REQUEST['action'] ?? '');
+$container    = unscript($_REQUEST['container'] ?? '');
+$name         = unscript($_REQUEST['name'] ?? '');
+$image        = unscript($_REQUEST['image'] ?? '');
 $arrResponse  = ['error' => _('Missing parameters')];

 switch ($action) {
@@ -68,8 +70,8 @@ switch ($action) {
 		break;
 	case 'log':
 		if ($container) {
-			$since = $_REQUEST['since'] ?? '';
-			$title = $_REQUEST['title'] ?? '';
+			$since = safe($_REQUEST['since'] ?? '');
+			$title = safe($_REQUEST['title'] ?? '');
 			require_once "$docroot/webGui/include/ColorCoding.php";
 			if (!$since) {
 				readfile("$docroot/plugins/dynamix.docker.manager/log.htm");
--- a/plugins/dynamix.plugin.manager/include/ShowChanges.php
+++ b/plugins/dynamix.plugin.manager/include/ShowChanges.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2020, Lime Technology
- * Copyright 2012-2020, Bergware International.
+/* Copyright 2005-2021, Lime Technology
+ * Copyright 2012-2021, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -34,8 +34,8 @@ extract(parse_plugin_cfg('dynamix',true));
 </head>
 <body style="margin:14px 10px">
 <?
-$file = $_GET['file'];
-$tmp = $_GET['tmp'] ? '/var/tmp' : '/tmp/plugins/';
+$file = unscript($_GET['file']);
+$tmp = unscript($_GET['tmp']) ? '/var/tmp' : '/tmp/plugins/';

 if (file_exists($file) && strpos(realpath($file),$tmp)===0 && substr($file,-4)=='.txt') echo Markdown(file_get_contents($file)); else echo Markdown("*"._('No release notes available')."!*");
 ?>
--- a/plugins/dynamix.vm.manager/VMMachines.page
+++ b/plugins/dynamix.vm.manager/VMMachines.page
@@ -52,10 +52,10 @@ function vsize($size,$expand=true) {
  }
 }

-$uuid = $_GET['uuid'];
+$uuid = unscript($_GET['uuid']);
 $subaction = $_GET['subaction'] ?? false;
-if ($_GET['refresh']) {
-  $vm = $_GET['name'];
+if (unscript($_GET['refresh'])) {
+  $vm = unscript($_GET['name']);
  if ($lv->domain_is_active($vm)) {
    echo "<meta http-equiv='refresh' content='5; url=/VMs?name=$vm&amp;refresh=true'>";
    $msg = "Waiting for $vm to shutdown...";
--- a/plugins/dynamix.vm.manager/include/VMMachines.php
+++ b/plugins/dynamix.vm.manager/include/VMMachines.php
@@ -1,7 +1,7 @@
 <?PHP
-/* Copyright 2005-2020, Lime Technology
- * Copyright 2015-2020, Derek Macias, Eric Schultz, Jon Panozzo.
- * Copyright 2012-2020, Bergware International.
+/* Copyright 2005-2021, Lime Technology
+ * Copyright 2015-2021, Derek Macias, Eric Schultz, Jon Panozzo.
+ * Copyright 2012-2021, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -37,7 +37,7 @@ if (file_exists($user_prefs)) {
 $i = 0;
 $menu = [];
 $kvm = ['var kvm=[];'];
-$show = explode(',',$_GET['show']) ?? [];
+$show = explode(',',unscript($_GET['show'])) ?? [];

 foreach ($vms as $vm) {
  $res = $lv->get_domain_by_name($vm);
--- a/plugins/dynamix.vm.manager/include/VMajax.php
+++ b/plugins/dynamix.vm.manager/include/VMajax.php
@@ -63,8 +63,8 @@ function embed(&$syslinux, $key, $value) {

 $arrSizePrefix = [0 => '', 1 => 'K', 2 => 'M', 3 => 'G', 4 => 'T', 5 => 'P'];
 $_REQUEST      = array_merge($_GET, $_POST);
-$action        = $_REQUEST['action'] ?? '';
-$uuid          = $_REQUEST['uuid'] ?? '';
+$action        = unscript($_REQUEST['action'] ?? '');
+$uuid          = unscript($_REQUEST['uuid'] ?? '');
 $arrResponse   = [];

 if ($uuid) {
--- a/plugins/dynamix.vm.manager/include/VMedit.php
+++ b/plugins/dynamix.vm.manager/include/VMedit.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2020, Lime Technology
- * Copyright 2015-2020, Derek Macias, Eric Schultz, Jon Panozzo.
+/* Copyright 2005-2021, Lime Technology
+ * Copyright 2015-2021, Derek Macias, Eric Schultz, Jon Panozzo.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -28,8 +28,8 @@ switch ($display['theme']) {
 }

 $strSelectedTemplate = array_keys($arrAllTemplates)[1];
-if (!empty($_GET['template']) && !(empty($arrAllTemplates[$_GET['template']]))) {
-	$strSelectedTemplate = $_GET['template'];
+if (!empty(unscript($_GET['template'])) && !(empty($arrAllTemplates[unscript($_GET['template'])]))) {
+	$strSelectedTemplate = unscript($_GET['template']);
 }

 $arrLoad = [
@@ -41,9 +41,9 @@ $arrLoad = [
 ];
 $strIconURL = '/plugins/dynamix.vm.manager/templates/images/'.$arrLoad['icon'];

-if (!empty($_GET['uuid'])) {
+if (!empty(unscript($_GET['uuid']))) {
 	// Edit VM mode
-	$res = $lv->domain_get_domain_by_uuid($_GET['uuid']);
+	$res = $lv->domain_get_domain_by_uuid(unscript($_GET['uuid']));

 	if ($res === false) {
 		echo "<p class='notice'>"._('Invalid VM to edit').".</p><input type='button' value=\""._('Done')."\" onclick='done()'>";
@@ -59,7 +59,7 @@ if (!empty($_GET['uuid'])) {
 		'state' => $lv->domain_get_state($res)
 	];

-	if (empty($_GET['template'])) {
+	if (empty(unscript($_GET['template']))) {
 		// read vm-template attribute
 		$strTemplateOS = $lv->_get_single_xpath_result($res, '//domain/metadata/*[local-name()=\'vmtemplate\']/@os');
 		$strLibreELEC = $lv->_get_single_xpath_result($res, '//domain/metadata/*[local-name()=\'vmtemplate\']/@libreelec');
--- a/plugins/dynamix.vm.manager/templates/Custom.form.php
+++ b/plugins/dynamix.vm.manager/templates/Custom.form.php
@@ -234,9 +234,9 @@
 		exit;
 	}

-	if ($_GET['uuid']) {
+	if (unscript($_GET['uuid'])) {
 		// edit an existing VM
-		$uuid = $_GET['uuid'];
+		$uuid = unscript($_GET['uuid']);
 		$dom = $lv->domain_get_domain_by_uuid($uuid);
 		$boolRunning = $lv->domain_get_state($dom)=='running';
 		$strXML = $lv->domain_get_xml($dom);
--- a/plugins/dynamix.vm.manager/templates/LibreELEC.form.php
+++ b/plugins/dynamix.vm.manager/templates/LibreELEC.form.php
@@ -389,9 +389,9 @@ $hdrXML = "<?xml version='1.0' encoding='UTF-8'?>\n"; // XML encoding declaratio
 		exit;
 	}

-	if ($_GET['uuid']) {
+	if (unscript($_GET['uuid'])) {
 		// edit an existing VM
-		$uuid = $_GET['uuid'];
+		$uuid = unscript($_GET['uuid']);
 		$dom = $lv->domain_get_domain_by_uuid($uuid);
 		$boolRunning = $lv->domain_get_state($dom)=='running';
 		$strXML = $lv->domain_get_xml($dom);
--- a/plugins/dynamix.vm.manager/templates/OpenELEC.form.php
+++ b/plugins/dynamix.vm.manager/templates/OpenELEC.form.php
@@ -389,9 +389,9 @@ $hdrXML = "<?xml version='1.0' encoding='UTF-8'?>\n"; // XML encoding declaratio
 		exit;
 	}

-	if ($_GET['uuid']) {
+	if (unscript($_GET['uuid'])) {
 		// edit an existing VM
-		$uuid = $_GET['uuid'];
+		$uuid = unscript($_GET['uuid']);
 		$dom = $lv->domain_get_domain_by_uuid($uuid);
 		$boolRunning = $lv->domain_get_state($dom)=='running';
 		$strXML = $lv->domain_get_xml($dom);
--- a/plugins/dynamix.vm.manager/templates/XML_Expert.form.php
+++ b/plugins/dynamix.vm.manager/templates/XML_Expert.form.php
@@ -62,9 +62,9 @@
 		exit;
 	}

-	if ($_GET['uuid']) {
+	if (unscript($_GET['uuid'])) {
 		// edit an existing VM
-		$uuid = $_GET['uuid'];
+		$uuid = unscript($_GET['uuid']);
 		$dom = $lv->domain_get_domain_by_uuid($uuid);
 		$boolRunning = $lv->domain_get_state($dom)=='running';
 		$strXML = $lv->domain_get_xml($dom);
--- a/plugins/dynamix/DiskSettings.page
+++ b/plugins/dynamix/DiskSettings.page
@@ -236,7 +236,7 @@ _(Default SMART controller type)_:
 :disk_default_smart_controller_help:

 _(Default SMART attribute notifications)_:
-: <input type="text" name="smCustom" value="<?=$var['smCustom']?>" class="narrow">_(Custom attributes (use comma to separate numbers))_
+: <input type="text" name="smCustom" value="<?=$var['smCustom']??''?>" class="narrow">_(Custom attributes (use comma to separate numbers))_

 <?for ($x = 0; $x < count($preselect); $x++):?>
 &nbsp;
--- a/plugins/dynamix/WG0.page
+++ b/plugins/dynamix/WG0.page
@@ -1220,7 +1220,7 @@ $(function(){
 <input type="hidden" name="#deleted" value="">
 <input type="hidden" name="#locale" value="<?=$locale?>">
 _(Local name)_:
-: <span class="input"><input type="text" name="Name:0" class="wide" maxlength="99" value="<?=$wg0["Name:0"]?>" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="Name:0" class="wide" maxlength="99" value="<?=$wg0["Name:0"]??''?>" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
  <span class="pin"><i class="fa fa-fw fa-eye eye0<?=$this_wg0?'':' key-off'?>" style="cursor:pointer" onclick="WGconfig(this,'wg0','')" title="_(View Local Config)_"></i>
  <i class="fa fa-fw fa-key zone0<?=$wg0['PublicKey:0']?'':' key-off'?>" style="cursor:pointer" onclick="openClose($(document.wg0),null,'div.key0')" title="_(Toggle keys)_"></i>
  <i id="chevron-wg0-0" class="fa fa-fw fa-chevron-down" style="cursor:pointer" onclick="openClose($(document.wg0),this,'div.zone0')" title="_(Toggle view)_"></i></span>
@@ -1229,13 +1229,13 @@ _(Local name)_:

 <div markdown="1" class="keys wg0 key0"<?=$wg0['PublicKey:0']?' style="display:none">':'>'?>
 _(Local private key)_:
-: <span class="input"><input type="text" name="PrivateKey:0" class="wide private-0" maxlength="64" value="<?=$wg0['PrivateKey:0']?>" onchange="highlight($(document.wg0),this,0)" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="PrivateKey:0" class="wide private-0" maxlength="64" value="<?=$wg0['PrivateKey:0']??''?>" onchange="highlight($(document.wg0),this,0)" placeholder="(_(mandatory)_)" required></span>
  <input type="button" class="form" value="_(Generate Keypair)_" onclick="keypair($(document.wg0),'0')">

 :wg_generate_keypair_help:

 _(Local public key)_:
-: <span class="input"><input type="text" name="PublicKey:0" class="wide public-0" maxlength="64" value="<?=$wg0['PublicKey:0']?>" onchange="highlight($(document.wg0),this,0)" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="PublicKey:0" class="wide public-0" maxlength="64" value="<?=$wg0['PublicKey:0']??''?>" onchange="highlight($(document.wg0),this,0)" placeholder="(_(mandatory)_)" required></span>

 :wg_generate_keypair_help:

@@ -1308,7 +1308,7 @@ _(Local gateway uses UPnP)_:

 </div>
 _(Local tunnel firewall)_:
-: <span class="input"><input type="text" name="DROP:0" class="wide" value="<?=$wg0['DROP:0']?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="DROP:0" class="wide" value="<?=$wg0['DROP:0']??''?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(optional)_)"></span>
  _(Rule)_: <select name="RULE:0" class="auto">
  <?=mk_option($wg0['RULE:0'], "", _("Deny"))?>
  <?=mk_option($wg0['RULE:0'], "1", _("Allow"))?>
@@ -1317,7 +1317,7 @@ _(Local tunnel firewall)_:
 :wg_local_tunnel_firewall_help:

 _(MTU size)_:
-: <span class="input"><input type="number" name="MTU:0" class="trim" min="68" max="9198" value="<?=$wg0['MTU:0']?>" onchange="quickValidate(this);" placeholder="(_(automatic)_)">_(bytes)_</span>
+: <span class="input"><input type="number" name="MTU:0" class="trim" min="68" max="9198" value="<?=$wg0['MTU:0']??''?>" onchange="quickValidate(this);" placeholder="(_(automatic)_)">_(bytes)_</span>

 :wg_mtu_size_help:

@@ -1341,7 +1341,7 @@ _(DNS servers)_:
 <?foreach ($peer_wg0 as $i):?>
 <div markdown="1" id="index-wg0-<?=$i?>" class="shade-<?=$display['theme']?>">
 _(Peer name)_:
-: <span class="input"><input type="text" name="Name:<?=$i?>" class="wide" maxlength="99" value="<?=$wg0["Name:$i"]?>" onchange="quickValidate(this);" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="Name:<?=$i?>" class="wide" maxlength="99" value="<?=$wg0["Name:$i"]??''?>" onchange="quickValidate(this);" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
  <input type="button" class="form" value="_(Delete Peer)_" onclick="delPeer($(document.wg0),'#index-wg0-<?=$i?>')">
  <span class="pin"><i class="fa fa-fw fa-eye eye<?=$i?><?=(file_exists("$etc/peers/peer-$tower-wg0-$i.conf")&&(int)$wg0["TYPE:$i"]!=7)?'':' key-off'?>" style="cursor:pointer" onclick="WGconfig(this,'peer-<?=$tower?>-wg0-<?=$i?>','/peers')" title="_(View Peer Config)_"></i>
  <i class="fa fa-fw fa-key zone<?=$i?><?=$wg0["PublicKey:$i"]?'':' key-off'?>" style="cursor:pointer" onclick="openClose($(document.wg0),null,'div.key<?=$i?>')" title="_(Toggle keys)_"></i>
@@ -1368,18 +1368,18 @@ _(Peer type of access)_:

 <div markdown="1" class="keys wg0 key<?=$i?>"<?=$wg0["PublicKey:$i"]?' style="display:none">':'>'?>
 _(Peer private key)_:
-: <span class="input"><input type="text" name="PrivateKey:<?=$i?>" class="wide private-<?=$i?>" maxlength="64" value="<?=$wg0["PrivateKey:$i"]?>" onchange="highlight($(document.wg0),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="PrivateKey:<?=$i?>" class="wide private-<?=$i?>" maxlength="64" value="<?=$wg0["PrivateKey:$i"]??''?>" onchange="highlight($(document.wg0),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
  <input type="button" class="form" value="_(Generate Keypair)_" onclick="keypair($(document.wg0),'<?=$i?>')">

 :wg_generate_keypair_help:

 _(Peer public key)_:
-: <span class="input"><input type="text" name="PublicKey:<?=$i?>" class="wide public-<?=$i?>" maxlength="64" value="<?=$wg0["PublicKey:$i"]?>" onchange="highlight($(document.wg0),this,<?=$i?>)" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="PublicKey:<?=$i?>" class="wide public-<?=$i?>" maxlength="64" value="<?=$wg0["PublicKey:$i"]??''?>" onchange="highlight($(document.wg0),this,<?=$i?>)" placeholder="(_(mandatory)_)" required></span>

 :wg_generate_keypair_help:

 _(Peer preshared key)_:
-: <span class="input"><input type="text" name="PresharedKey:<?=$i?>" class="wide preshared-<?=$i?>" maxlength="64" value="<?=$wg0["PresharedKey:$i"]?>" onchange="highlight($(document.wg0),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="PresharedKey:<?=$i?>" class="wide preshared-<?=$i?>" maxlength="64" value="<?=$wg0["PresharedKey:$i"]??''?>" onchange="highlight($(document.wg0),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
  <input type="button" class="form" value="_(Generate Key)_" onclick="presharedkey($(document.wg0),'<?=$i?>')">

 : wg_peer_preshared_key_help:
@@ -1388,13 +1388,13 @@ _(Peer preshared key)_:
 <div markdown="1" class="advanced wg0 zone<?=$i?>" style="display:none">
 <div markdown="1" class="ipv4 wg0" style="display:none">
 _(Peer tunnel address)_:
-: <span class="input"><input type="text" name="Address:<?=$i?>" class="subnet" maxlength="15" value="<?=$wg0["Address:$i"]?>" onchange="if(verifyInSubnet(this)){setAllow($(document.wg0),this.value,<?=$i?>)}" pattern="<?=$validIP4?>" title="_(IPv4 address)_"></span>
+: <span class="input"><input type="text" name="Address:<?=$i?>" class="subnet" maxlength="15" value="<?=$wg0["Address:$i"]??''?>" onchange="if(verifyInSubnet(this)){setAllow($(document.wg0),this.value,<?=$i?>)}" pattern="<?=$validIP4?>" title="_(IPv4 address)_"></span>
  <input type="button" class="form ping-button1-<?=$i?>" value="_(Ping)_" onclick="ping($(document.wg0),this,'input[name=&quot;Address:<?=$i?>&quot;]')"<?=$wg0["Address:$i"]?'':' disabled'?>>

 </div>
 <div markdown="1" class="ipv6 wg0" style="display:none">
 _(Peer tunnel address IPv6)_:
-: <span class="input"><input type="text" name="Address6:<?=$i?>" class="subnet" maxlength="40" value="<?=$wg0["Address6:$i"]?>" onchange="if(verifyInSubnet6(this)){setAllow6($(document.wg0),this.value,<?=$i?>)}" pattern="<?=$validIP6?>" title="_(IPv6 address)_"></span>
+: <span class="input"><input type="text" name="Address6:<?=$i?>" class="subnet" maxlength="40" value="<?=$wg0["Address6:$i"]??''?>" onchange="if(verifyInSubnet6(this)){setAllow6($(document.wg0),this.value,<?=$i?>)}" pattern="<?=$validIP6?>" title="_(IPv6 address)_"></span>
  <input type="button" class="form ping-button6-<?=$i?>" value="_(Ping)_" onclick="ping($(document.wg0),this,'input[name=&quot;Address6:<?=$i?>&quot;]')"<?=$wg0["Address6:$i"]?'':' disabled'?>>

 </div>
@@ -1402,24 +1402,24 @@ _(Peer tunnel address IPv6)_:

 _(Peer endpoint)_:
 <input type="hidden" name="Endpoint:<?=$i?>" value="">
-: <span class="input"><input type="text" name="gui:Endpoint:<?=$i?>" class="subnet" value="<?=$wg0["Endpoint:$i"]?>" pattern="<?=$validText?>" title="_(IP address or FQDN)_" onchange="toLC(this);quickValidate(this);" <?=($vpn_wg0||(int)$wg0["TYPE:$i"]==2||(int)$wg0["TYPE:$i"]==3)?'placeholder="(_(mandatory)_)" required':'placeholder="(_(not used)_)"'?>>:
-  <input type="number" name="gui:ListenPort:<?=$i?>" class="port" min="1" max="65535" value="<?=$wg0["ListenPort:$i"]?>" onchange="quickValidate(this);"<?=$wg0["Endpoint:$i"]?" placeholder=\"".($wg0['ListenPort:0']?:$netport['wg0'])."\"":""?>></span>
+: <span class="input"><input type="text" name="gui:Endpoint:<?=$i?>" class="subnet" value="<?=$wg0["Endpoint:$i"]??''?>" pattern="<?=$validText?>" title="_(IP address or FQDN)_" onchange="toLC(this);quickValidate(this);" <?=($vpn_wg0||(int)$wg0["TYPE:$i"]==2||(int)$wg0["TYPE:$i"]==3)?'placeholder="(_(mandatory)_)" required':'placeholder="(_(not used)_)"'?>>:
+  <input type="number" name="gui:ListenPort:<?=$i?>" class="port" min="1" max="65535" value="<?=$wg0["ListenPort:$i"]??''?>" onchange="quickValidate(this);"<?=$wg0["Endpoint:$i"]?" placeholder=\"".($wg0['ListenPort:0']?:$netport['wg0'])."\"":""?>></span>
  <input type="button" class="form ping-button2-<?=$i?>" value="_(Ping)_" onclick="ping($(document.wg0),this,'input[name=&quot;gui:Endpoint:<?=$i?>&quot;]')"<?=$wg0["Endpoint:$i"]?'':' disabled'?>>

 :wg_peer_endpoint_help:

 _(Peer allowed IPs)_:
-: <span class="input"><input type="text" name="AllowedIPs:<?=$i?>" class="wide" value="<?=$wg0["AllowedIPs:$i"]?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="AllowedIPs:<?=$i?>" class="wide" value="<?=$wg0["AllowedIPs:$i"]??''?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(mandatory)_)" required></span>

 :wg_peer_allowed_ips_help:

 _(Peer DNS server)_:
-: <span class="input"><input type="text" name="DNS:<?=$i?>" class="subnet" maxlength="40" value="<?=$wg0["DNS:$i"]?>" onchange="quickValidate(this);" pattern="<?=$validDNSServerList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_" <?=(int)$wg0["TYPE:$i"]!=6?'placeholder="(_(optional)_)"':'placeholder="(_(mandatory)_)" required'?>></span>
+: <span class="input"><input type="text" name="DNS:<?=$i?>" class="subnet" maxlength="40" value="<?=$wg0["DNS:$i"]??''?>" onchange="quickValidate(this);" pattern="<?=$validDNSServerList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_" <?=(int)$wg0["TYPE:$i"]!=6?'placeholder="(_(optional)_)"':'placeholder="(_(mandatory)_)" required'?>></span>

 :wg_peer_dns_server_help:

 _(Persistent keepalive)_:
-: <span class="input"><input type="number" name="PersistentKeepalive:<?=$i?>" class="trim" min="0" max="600" value="<?=$wg0["PersistentKeepalive:$i"]?>" onchange="quickValidate(this);" placeholder="(_(disabled)_)">_(seconds)_</span>
+: <span class="input"><input type="number" name="PersistentKeepalive:<?=$i?>" class="trim" min="0" max="600" value="<?=$wg0["PersistentKeepalive:$i"]??''?>" onchange="quickValidate(this);" placeholder="(_(disabled)_)">_(seconds)_</span>

 :wg_persistent_keepalive_help:

--- a/plugins/dynamix/WGX.page
+++ b/plugins/dynamix/WGX.page
@@ -156,7 +156,7 @@ $(function(){
 <input type="hidden" name="#deleted" value="">
 <input type="hidden" name="#locale" value="<?=$locale?>">
 _(Local name)_:
-: <span class="input"><input type="text" name="Name:0" class="wide" maxlength="99" value="<?=$wgX["Name:0"]?>" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="Name:0" class="wide" maxlength="99" value="<?=$wgX["Name:0"]??''?>" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
  <span class="pin"><i class="fa fa-fw fa-eye eye0<?=$this_wgX?'':' key-off'?>" style="cursor:pointer" onclick="WGconfig(this,'wgX','')" title="_(View Local Config)_"></i>
  <i class="fa fa-fw fa-key zone0<?=$wgX['PublicKey:0']?'':' key-off'?>" style="cursor:pointer" onclick="openClose($(document.wgX),null,'div.key0')" title="_(Toggle keys)_"></i>
  <i id="chevron-wgX-0" class="fa fa-fw fa-chevron-down" style="cursor:pointer" onclick="openClose($(document.wgX),this,'div.zone0')" title="_(Toggle view)_"></i></span>
@@ -165,13 +165,13 @@ _(Local name)_:

 <div markdown="1" class="keys wgX key0"<?=$wgX['PublicKey:0']?' style="display:none">':'>'?>
 _(Local private key)_:
-: <span class="input"><input type="text" name="PrivateKey:0" class="wide private-0" maxlength="64" value="<?=$wgX['PrivateKey:0']?>" onchange="highlight($(document.wgX),this,0)" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="PrivateKey:0" class="wide private-0" maxlength="64" value="<?=$wgX['PrivateKey:0']??''?>" onchange="highlight($(document.wgX),this,0)" placeholder="(_(mandatory)_)" required></span>
  <input type="button" class="form" value="_(Generate Keypair)_" onclick="keypair($(document.wgX),'0')">

 :wg_generate_keypair_help:

 _(Local public key)_:
-: <span class="input"><input type="text" name="PublicKey:0" class="wide public-0" maxlength="64" value="<?=$wgX['PublicKey:0']?>" onchange="highlight($(document.wgX),this,0)" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="PublicKey:0" class="wide public-0" maxlength="64" value="<?=$wgX['PublicKey:0']??''?>" onchange="highlight($(document.wgX),this,0)" placeholder="(_(mandatory)_)" required></span>

 :wg_generate_keypair_help:

@@ -244,7 +244,7 @@ _(Local gateway uses UPnP)_:

 </div>
 _(Local tunnel firewall)_:
-: <span class="input"><input type="text" name="DROP:0" class="wide" value="<?=$wgX['DROP:0']?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="DROP:0" class="wide" value="<?=$wgX['DROP:0']??''?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(optional)_)"></span>
  _(Rule)_: <select name="RULE:0" class="auto">
  <?=mk_option($wgX['RULE:0'], "", _("Deny"))?>
  <?=mk_option($wgX['RULE:0'], "1", _("Allow"))?>
@@ -253,7 +253,7 @@ _(Local tunnel firewall)_:
 :wg_local_tunnel_firewall_help:

 _(MTU size)_:
-: <span class="input"><input type="number" name="MTU:0" class="trim" min="68" max="9198" value="<?=$wgX['MTU:0']?>" onchange="quickValidate(this);" placeholder="(_(automatic)_)">_(bytes)_</span>
+: <span class="input"><input type="number" name="MTU:0" class="trim" min="68" max="9198" value="<?=$wgX['MTU:0']??''?>" onchange="quickValidate(this);" placeholder="(_(automatic)_)">_(bytes)_</span>

 :wg_mtu_size_help:

@@ -277,7 +277,7 @@ _(DNS servers)_:
 <?foreach ($peer_wgX as $i):?>
 <div markdown="1" id="index-wgX-<?=$i?>" class="shade-<?=$display['theme']?>">
 _(Peer name)_:
-: <span class="input"><input type="text" name="Name:<?=$i?>" class="wide" maxlength="99" value="<?=$wgX["Name:$i"]?>" onchange="quickValidate(this);" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="Name:<?=$i?>" class="wide" maxlength="99" value="<?=$wgX["Name:$i"]??''?>" onchange="quickValidate(this);" pattern="<?=$validname?>" title="_(Use only letters A-Z, digits or space,dash,underscore)_" placeholder="(_(optional)_)"></span>
  <input type="button" class="form" value="_(Delete Peer)_" onclick="delPeer($(document.wgX),'#index-wgX-<?=$i?>')">
  <span class="pin"><i class="fa fa-fw fa-eye eye<?=$i?><?=(file_exists("$etc/peers/peer-$tower-wgX-$i.conf")&&(int)$wgX["TYPE:$i"]!=7)?'':' key-off'?>" style="cursor:pointer" onclick="WGconfig(this,'peer-<?=$tower?>-wgX-<?=$i?>','/peers')" title="_(View Peer Config)_"></i>
  <i class="fa fa-fw fa-key zone<?=$i?><?=$wgX["PublicKey:$i"]?'':' key-off'?>" style="cursor:pointer" onclick="openClose($(document.wgX),null,'div.key<?=$i?>')" title="_(Toggle keys)_"></i>
@@ -304,18 +304,18 @@ _(Peer type of access)_:

 <div markdown="1" class="keys wgX key<?=$i?>"<?=$wgX["PublicKey:$i"]?' style="display:none">':'>'?>
 _(Peer private key)_:
-: <span class="input"><input type="text" name="PrivateKey:<?=$i?>" class="wide private-<?=$i?>" maxlength="64" value="<?=$wgX["PrivateKey:$i"]?>" onchange="highlight($(document.wgX),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="PrivateKey:<?=$i?>" class="wide private-<?=$i?>" maxlength="64" value="<?=$wgX["PrivateKey:$i"]??''?>" onchange="highlight($(document.wgX),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
  <input type="button" class="form" value="_(Generate Keypair)_" onclick="keypair($(document.wgX),'<?=$i?>')">

 :wg_generate_keypair_help:

 _(Peer public key)_:
-: <span class="input"><input type="text" name="PublicKey:<?=$i?>" class="wide public-<?=$i?>" maxlength="64" value="<?=$wgX["PublicKey:$i"]?>" onchange="highlight($(document.wgX),this,<?=$i?>)" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="PublicKey:<?=$i?>" class="wide public-<?=$i?>" maxlength="64" value="<?=$wgX["PublicKey:$i"]??''?>" onchange="highlight($(document.wgX),this,<?=$i?>)" placeholder="(_(mandatory)_)" required></span>

 :wg_generate_keypair_help:

 _(Peer preshared key)_:
-: <span class="input"><input type="text" name="PresharedKey:<?=$i?>" class="wide preshared-<?=$i?>" maxlength="64" value="<?=$wgX["PresharedKey:$i"]?>" onchange="highlight($(document.wgX),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
+: <span class="input"><input type="text" name="PresharedKey:<?=$i?>" class="wide preshared-<?=$i?>" maxlength="64" value="<?=$wgX["PresharedKey:$i"]??''?>" onchange="highlight($(document.wgX),this,<?=$i?>)" placeholder="(_(optional)_)"></span>
  <input type="button" class="form" value="_(Generate Key)_" onclick="presharedkey($(document.wgX),'<?=$i?>')">

 : wg_peer_preshared_key_help:
@@ -324,13 +324,13 @@ _(Peer preshared key)_:
 <div markdown="1" class="advanced wgX zone<?=$i?>" style="display:none">
 <div markdown="1" class="ipv4 wgX" style="display:none">
 _(Peer tunnel address)_:
-: <span class="input"><input type="text" name="Address:<?=$i?>" class="subnet" maxlength="15" value="<?=$wgX["Address:$i"]?>" onchange="if(verifyInSubnet(this)){setAllow($(document.wgX),this.value,<?=$i?>)}" pattern="<?=$validIP4?>" title="_(IPv4 address)_"></span>
+: <span class="input"><input type="text" name="Address:<?=$i?>" class="subnet" maxlength="15" value="<?=$wgX["Address:$i"]??''?>" onchange="if(verifyInSubnet(this)){setAllow($(document.wgX),this.value,<?=$i?>)}" pattern="<?=$validIP4?>" title="_(IPv4 address)_"></span>
  <input type="button" class="form ping-button1-<?=$i?>" value="_(Ping)_" onclick="ping($(document.wgX),this,'input[name=&quot;Address:<?=$i?>&quot;]')"<?=$wgX["Address:$i"]?'':' disabled'?>>

 </div>
 <div markdown="1" class="ipv6 wgX" style="display:none">
 _(Peer tunnel address IPv6)_:
-: <span class="input"><input type="text" name="Address6:<?=$i?>" class="subnet" maxlength="40" value="<?=$wgX["Address6:$i"]?>" onchange="if(verifyInSubnet6(this)){setAllow6($(document.wgX),this.value,<?=$i?>)}" pattern="<?=$validIP6?>" title="_(IPv6 address)_"></span>
+: <span class="input"><input type="text" name="Address6:<?=$i?>" class="subnet" maxlength="40" value="<?=$wgX["Address6:$i"]??''?>" onchange="if(verifyInSubnet6(this)){setAllow6($(document.wgX),this.value,<?=$i?>)}" pattern="<?=$validIP6?>" title="_(IPv6 address)_"></span>
  <input type="button" class="form ping-button6-<?=$i?>" value="_(Ping)_" onclick="ping($(document.wgX),this,'input[name=&quot;Address6:<?=$i?>&quot;]')"<?=$wgX["Address6:$i"]?'':' disabled'?>>

 </div>
@@ -338,24 +338,24 @@ _(Peer tunnel address IPv6)_:

 _(Peer endpoint)_:
 <input type="hidden" name="Endpoint:<?=$i?>" value="">
-: <span class="input"><input type="text" name="gui:Endpoint:<?=$i?>" class="subnet" value="<?=$wgX["Endpoint:$i"]?>" pattern="<?=$validText?>" title="_(IP address or FQDN)_" onchange="toLC(this);quickValidate(this);" <?=($vpn_wgX||(int)$wgX["TYPE:$i"]==2||(int)$wgX["TYPE:$i"]==3)?'placeholder="(_(mandatory)_)" required':'placeholder="(_(not used)_)"'?>>:
-  <input type="number" name="gui:ListenPort:<?=$i?>" class="port" min="1" max="65535" value="<?=$wgX["ListenPort:$i"]?>" onchange="quickValidate(this);"<?=$wgX["Endpoint:$i"]?" placeholder=\"".($wgX['ListenPort:0']?:$netport['wgX'])."\"":""?>></span>
+: <span class="input"><input type="text" name="gui:Endpoint:<?=$i?>" class="subnet" value="<?=$wgX["Endpoint:$i"]??''?>" pattern="<?=$validText?>" title="_(IP address or FQDN)_" onchange="toLC(this);quickValidate(this);" <?=($vpn_wgX||(int)$wgX["TYPE:$i"]==2||(int)$wgX["TYPE:$i"]==3)?'placeholder="(_(mandatory)_)" required':'placeholder="(_(not used)_)"'?>>:
+  <input type="number" name="gui:ListenPort:<?=$i?>" class="port" min="1" max="65535" value="<?=$wgX["ListenPort:$i"]??''?>" onchange="quickValidate(this);"<?=$wgX["Endpoint:$i"]?" placeholder=\"".($wgX['ListenPort:0']?:$netport['wgX'])."\"":""?>></span>
  <input type="button" class="form ping-button2-<?=$i?>" value="Ping" onclick="ping($(document.wgX),this,'input[name=&quot;gui:Endpoint:<?=$i?>&quot;]')"<?=$wgX["Endpoint:$i"]?'':' disabled'?>>

 :wg_peer_endpoint_help:

 _(Peer allowed IPs)_:
-: <span class="input"><input type="text" name="AllowedIPs:<?=$i?>" class="wide" value="<?=$wgX["AllowedIPs:$i"]?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(mandatory)_)" required></span>
+: <span class="input"><input type="text" name="AllowedIPs:<?=$i?>" class="wide" value="<?=$wgX["AllowedIPs:$i"]??''?>" onchange="quickValidate(this);" pattern="<?=$validList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_, _(CIDR optional)_" placeholder="(_(mandatory)_)" required></span>

 :wg_peer_allowed_ips_help:

 _(Peer DNS server)_:
-: <span class="input"><input type="text" name="DNS:<?=$i?>" class="subnet" maxlength="40" value="<?=$wgX["DNS:$i"]?>" onchange="quickValidate(this);" pattern="<?=$validDNSServerList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_"<?=(int)$wgX["TYPE:$i"]!=6?'placeholder="(_(optional)_)"':'placeholder="(_(mandatory)_)" required'?>></span>
+: <span class="input"><input type="text" name="DNS:<?=$i?>" class="subnet" maxlength="40" value="<?=$wgX["DNS:$i"]??''?>" onchange="quickValidate(this);" pattern="<?=$validDNSServerList?>" title="_(Comma separated list of IPv4 and IPv6 IP addresses)_"<?=(int)$wgX["TYPE:$i"]!=6?'placeholder="(_(optional)_)"':'placeholder="(_(mandatory)_)" required'?>></span>

 :wg_peer_dns_server_help:

 _(Persistent keepalive)_:
-: <span class="input"><input type="number" name="PersistentKeepalive:<?=$i?>" class="trim" min="0" max="600" value="<?=$wgX["PersistentKeepalive:$i"]?>" onchange="quickValidate(this);" placeholder="(_(disabled)_)">_(seconds)_</span>
+: <span class="input"><input type="number" name="PersistentKeepalive:<?=$i?>" class="trim" min="0" max="600" value="<?=$wgX["PersistentKeepalive:$i"]??''?>" onchange="quickValidate(this);" placeholder="(_(disabled)_)">_(seconds)_</span>

 :wg_persistent_keepalive_help:

--- a/plugins/dynamix/include/Browse.php
+++ b/plugins/dynamix/include/Browse.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2020, Lime Technology
- * Copyright 2012-2020, Bergware International.
+/* Copyright 2005-2021, Lime Technology
+ * Copyright 2012-2021, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -42,9 +42,9 @@ function my_devs(&$devs) {
 }
 extract(parse_plugin_cfg('dynamix',true));
 $disks = parse_ini_file('state/disks.ini',true);
-$dir   = urldecode($_GET['dir']);
-$path  = $_GET['path'];
-$user  = $_GET['user'];
+$dir   = unscript(urldecode($_GET['dir']));
+$path  = unscript($_GET['path']);
+$user  = unscript($_GET['user']);
 $all   = $docroot.preg_replace('/([\'" &()[\]\\\\])/','\\\\$1',$dir).'/*';
 $fix   = substr($dir,0,4)=='/mnt' ? (explode('/',trim_slash($dir))[2] ?: _('---')) : _('flash');
 $fmt   = "%F {$display['time']}";
--- a/plugins/dynamix/include/DefaultPageLayout.php
+++ b/plugins/dynamix/include/DefaultPageLayout.php
@@ -11,7 +11,7 @@
 */
 ?>
 <?
-$display['font'] = $_COOKIE['fontSize'] ?? $display['font'];
+$display['font'] = unscript($_COOKIE['fontSize'] ?? $display['font']);
 $theme   = strtok($display['theme'],'-');
 $header  = $display['header'];
 $backgnd = $display['background'];
--- a/plugins/dynamix/include/DiskList.php
+++ b/plugins/dynamix/include/DiskList.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2020, Lime Technology
- * Copyright 2012-2020, Bergware International.
+/* Copyright 2005-2021, Lime Technology
+ * Copyright 2012-2021, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -23,13 +23,13 @@ $disks   = parse_ini_file('state/disks.ini',true);
 $var     = parse_ini_file('state/var.ini');
 $sec     = parse_ini_file('state/sec.ini',true);
 $sec_nfs = parse_ini_file('state/sec_nfs.ini',true);
-$compute = $_GET['compute'];
-$path    = $_GET['path'];
-$fill    = $_GET['fill'];
+$compute = unscript($_GET['compute']);
+$path    = unscript($_GET['path']);
+$fill    = unscript($_GET['fill']);

 $display = [];
-$display['scale'] = $_GET['scale'];
-$display['number'] = $_GET['number'];
+$display['scale'] = unscript($_GET['scale']);
+$display['number'] = unscript($_GET['number']);

 // Display export settings
 function disk_share_settings($protocol,$share) {
--- a/plugins/dynamix/include/Helpers.php
+++ b/plugins/dynamix/include/Helpers.php
@@ -263,4 +263,7 @@ function my_explode($split,$text,$count=2) {
 function my_preg_split($split,$text,$count=2) {
  return array_pad(preg_split($split,$text,$count),$count,'');
 }
+function unscript($text) {
+  return preg_replace('#<script(.*?)>(.+?)</script>#','',html_entity_decode($text));
+}
 ?>
--- a/plugins/dynamix/include/ShareList.php
+++ b/plugins/dynamix/include/ShareList.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright 2005-2020, Lime Technology
- * Copyright 2012-2020, Bergware International.
+/* Copyright 2005-2021, Lime Technology
+ * Copyright 2012-2021, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
@@ -23,9 +23,9 @@ $disks   = parse_ini_file('state/disks.ini',true);
 $var     = parse_ini_file('state/var.ini');
 $sec     = parse_ini_file('state/sec.ini',true);
 $sec_nfs = parse_ini_file('state/sec_nfs.ini',true);
-$compute = $_GET['compute'];
-$path    = $_GET['path'];
-$fill    = $_GET['fill'];
+$compute = unscript($_GET['compute']);
+$path    = unscript($_GET['path']);
+$fill    = unscript($_GET['fill']);

 $display = [];
 $display['scale'] = $_GET['scale'];
--- a/plugins/dynamix/include/WGconfig.php
+++ b/plugins/dynamix/include/WGconfig.php
@@ -18,7 +18,7 @@ require_once "$docroot/webGui/include/Translations.php";

 require_once "$docroot/webGui/include/Helpers.php";

-$file = $_GET['file'];
+$file = unscript($_GET['file']);
 $path = realpath('/etc/wireguard'.$_GET['path']);
 $csrf = exec("grep -Pom1 '^csrf_token=\"\K.[^\"]+' /var/local/emhttp/var.ini");
 if (!$path || strpos($path,'/boot/config/wireguard')!==0 || !$_GET['csrf_token'] || $_GET['csrf_token']!=$csrf) return;
--- a/plugins/dynamix/include/update.crypto.php
+++ b/plugins/dynamix/include/update.crypto.php
@@ -16,8 +16,8 @@ $_SERVER['REQUEST_URI'] = '';
 require_once "$docroot/webGui/include/Translations.php";
 require_once "$docroot/webGui/include/Helpers.php";

-$index = $_GET['index'];
-$tests = explode(',',$_GET['test']);
+$index = unscript($_GET['index']);
+$tests = explode(',',unscript($_GET['test']));
 if ($index < count($tests)) {
  $test = $tests[$index];
  [$name,$size] = my_explode(':',$test);
--- a/plugins/dynamix/template.php
+++ b/plugins/dynamix/template.php
@@ -63,8 +63,8 @@ foreach (glob('plugins/*', GLOB_ONLYDIR) as $plugin) {
 }

 // Get general variables
-$name = $_GET['name'] ?? '';
-$dir  = $_GET['dir'] ?? '';
+$name = unscript($_GET['name'] ?? '');
+$dir  = unscript($_GET['dir'] ?? '');
 $path = substr(strtok($_SERVER['REQUEST_URI'],'?'),1);

 // The current "task" is the first element of the path