Files
D1041231009-WebGIS-PovertyMap/resources/views
GuavaPopper c1c1fae93c fix: escape user-controlled fields in admin/users innerHTML to prevent stored XSS
u.name and u.email are stored user input and were interpolated raw into
tbody.innerHTML. Added esc() helper and applied to name, email, and role
display string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 13:53:01 +07:00
..