Escape data.x_forwarded_for value before inserting it into the DOM

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-04-24 18:59:48 +01:00 · 2026-01-09 17:56:12 -03:00
parent cd0c392d5b
commit 053cfb2180
1 changed files with 1 additions and 1 deletions
--- a/scripts/js/settings-api.js
+++ b/scripts/js/settings-api.js
@@ -115,7 +115,7 @@ $(() => {
      // Show x-forwarded-for instead of the remote address in italics
      // and show the remote address in the title attribute
      if (data.x_forwarded_for !== null) {
-        $("td:eq(8)", row).html("<em>" + data.x_forwarded_for + "</em>");
+        $("td:eq(8)", row).html("<em>" + utils.escapeHtml(data.x_forwarded_for) + "</em>");
        $("td:eq(8)", row).attr("title", "Original remote address: " + data.remote_addr);
      }
    },