From cdbd2e9a696c55cf9f8acad943301f792c73d4a9 Mon Sep 17 00:00:00 2001
From: Squidly271 <unraidsquid@gmail.com>
Date: Fri, 3 Oct 2025 14:42:26 -0400
Subject: [PATCH] Fix xss issues

---
 .../include/DefaultPageLayout/MainContentTabbed.php   | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php b/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php
index 8284d70cc..aa01fee64 100644
--- a/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php
+++ b/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php
@@ -20,7 +20,7 @@
                     tabindex="<?= $i === 0 ? '0' : '-1' ?>"
                     aria-selected="<?= $i === 0 ? 'true' : 'false' ?>"
                     <? if ( isset($page['Focus']) ): ?>
-                        data-focus="<?= $page['Focus'] ?>"
+                        data-focus="<?= htmlspecialchars($page['Focus'], ENT_QUOTES, 'UTF-8') ?>"
                     <? endif; ?>
                 >
                     <?= tab_title($title, $page['root'], _var($page, 'Tag', false)) ?>
@@ -142,10 +142,11 @@ tabs.forEach((tab, i) => {
         tab.focus();
         // call the focus function if it exists
         if (tab.getAttribute('data-focus') ) {
-            try {
-                eval(tab.getAttribute('data-focus'));
-            } catch (e) {
-                console.error('Error calling focus function: ' + e);
+            const focusFnName = tab.getAttribute('data-focus');
+            if (typeof window[focusFnName] === 'function') {
+                window[focusFnName]();
+            } else {
+                console.error('Focus function not found: ' + focusFnName);
             }
         }
     });