From 57cc2c3fa01a5b51e475bc8dbe82138f0398ef3d Mon Sep 17 00:00:00 2001
From: Christos Choutouridis <hoo2@hoo2.net>
Date: Sun, 11 Jan 2026 17:53:04 +0200
Subject: [PATCH] Apply contex-aware encoding to the rest of the program.

---
 passman-dev/php/passman/dashboard.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/passman-dev/php/passman/dashboard.php b/passman-dev/php/passman/dashboard.php
index dcc8401..ba8795f 100644
--- a/passman-dev/php/passman/dashboard.php
+++ b/passman-dev/php/passman/dashboard.php
@@ -99,16 +99,23 @@ $stmt->close();
 
 
 //echo htmlspecialchars($username);
-echo "<h3>Entries of " . $username . "</h3>";
+$safe_username = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+echo "<h3>Entries of " . $safe_username . "</h3>";
 
 if (!empty($result) && $result->num_rows >= 1) {
 	while ($row = $result -> fetch_assoc()) {
+		// Escape output to prevent stored XSS (DB content must be treated as untrusted).
+		$safe_url  = htmlspecialchars($row["web_url"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+		$safe_user = htmlspecialchars($row["web_username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+		$safe_pass = htmlspecialchars($row["web_password"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+		$webid_safe = (int)$row["webid"];
+
 		echo "<table border=0>";
-		echo	"<tr style='background-color: #f4f4f4;'><td colspan=2>" . $row["web_url"] . "</td></tr>" . 
-				"<tr><td>Username: " . $row["web_username"] . "</td><td>Password: " . $row["web_password"] . "</td></tr>";
+		echo	"<tr style='background-color: #f4f4f4;'><td colspan=2>" . $safe_url . "</td></tr>" . 
+				"<tr><td>Username: " . $safe_user . "</td><td>Password: " . $safe_pass  . "</td></tr>";
 
 		echo	"<tr><td><form method='POST' style='height: 3px'>" . 
-				"<input type='hidden' name='websiteid' value='" . $row["webid"] . "'>" .
+				"<input type='hidden' name='websiteid' value='" . $webid_safe . "'>" .
 				"<button type='submit' name='delete_website'>Delete</button></form></td></tr>";
 
 		echo	"<tr><td colspan=2 style=height: 20px;></td></tr>";

" . $row["web_url"] . "
Username: " . $row["web_username"] . "	Password: " . $row["web_password"] . "
" . $safe_url . "
Username: " . $safe_user . "	Password: " . $safe_pass . "
" . - "" . + "" . "