Merge commit from fork

PromoFaux · web-flow · commit 1a0c6f4fe6d0 · 2026-02-15T17:45:39.000Z
Escape `data.x_forwarded_for` value before inserting it into the DOM
diff --git a/scripts/js/settings-api.js b/scripts/js/settings-api.js
@@ -115,7 +115,7 @@ $(() => {
       // Show x-forwarded-for instead of the remote address in italics
       // and show the remote address in the title attribute
       if (data.x_forwarded_for !== null) {
-        $("td:eq(8)", row).html("<em>" + data.x_forwarded_for + "</em>");
+        $("td:eq(8)", row).html("<em>" + utils.escapeHtml(data.x_forwarded_for) + "</em>");
         $("td:eq(8)", row).attr("title", "Original remote address: " + data.remote_addr);
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ $(() => {`
`115`	`115`	`// Show x-forwarded-for instead of the remote address in italics`
`116`	`116`	`// and show the remote address in the title attribute`
`117`	`117`	`if (data.x_forwarded_for !== null) {`
`118`		`- $("td:eq(8)", row).html("<em>" + data.x_forwarded_for + "</em>");`
	`118`	`+ $("td:eq(8)", row).html("<em>" + utils.escapeHtml(data.x_forwarded_for) + "</em>");`
`119`	`119`	`$("td:eq(8)", row).attr("title", "Original remote address: " + data.remote_addr);`
`120`	`120`	`}`
`121`	`121`	`},`