From f29d01a7be7a7d82ed03b5ee177b5c201237725c Mon Sep 17 00:00:00 2001
From: iliajie <gpg@ilia.engineer>
Date: Mon, 15 May 2023 21:34:40 +0300
Subject: [PATCH] Add HTML escape for the names of users being deleted

---
 useradmin/mass_delete_user.cgi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/useradmin/mass_delete_user.cgi b/useradmin/mass_delete_user.cgi
index 9f0096f64..b9ac80bda 100755
--- a/useradmin/mass_delete_user.cgi
+++ b/useradmin/mass_delete_user.cgi
@@ -25,7 +25,7 @@ if ($in{'disable'}) {
 	if ($in{'confirmed'}) {
 		foreach $user (@dlist) {
 			# Show username
-			print "<b>",&text('dmass_doing', $user->{'user'}),"</b><br>\n";
+			print "<b>",&text('dmass_doing', &html_escape($user->{'user'})),"</b><br>\n";
 			print "<ul>\n";
 
 			# Run the before command
@@ -83,7 +83,7 @@ elsif ($in{'enable'}) {
 
 	foreach $user (@dlist) {
 		# Show username
-		print "<b>",&text('emass_doing', $user->{'user'}),"</b><br>\n";
+		print "<b>",&text('emass_doing', &html_escape($user->{'user'})),"</b><br>\n";
 		print "<ul>\n";
 
 		# Run the before command
@@ -136,7 +136,7 @@ else {
 	if ($in{'confirmed'}) {
 		foreach $user (@dlist) {
 			# Show username
-			print "<b>",&text('umass_doing', $user->{'user'}),"</b><br>\n";
+			print "<b>",&text('umass_doing', &html_escape($user->{'user'})),"</b><br>\n";
 			print "<ul>\n";
 
 			# Run the before command