From 84e3c32f13d397e47ea0d443ce1621742f78f401 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:44:00 +0100
Subject: [PATCH] escape HTML in last logins

---
 data/web/js/site/user.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js
index 5eecf2080..288e7abd2 100644
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -98,8 +98,8 @@ jQuery(function($){
               var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
               var service = '<div class="badge bg-secondary">' + item.service.toUpperCase() + '</div>';
               var app_password = item.app_password ? ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-key-fill"></i><span class="ms-1">' + escapeHtml(item.app_password_name || "App") + '</span></a>' : '';
-              var real_rip = item.real_rip.startsWith("Web") ? item.real_rip : '<a href="https://bgp.tools/prefix/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
-              var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : '';
+              var real_rip = item.real_rip.startsWith("Web") ? escapeHtml(item.real_rip) : '<a href="https://bgp.tools/prefix/' + escapeHtml(item.real_rip) + '" target="_blank">' + escapeHtml(item.real_rip) + "</a>";
+              var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + escapeHtml(item.location.toLowerCase()) + '"></span>' : '';
               var ip_data = real_rip + ip_location + app_password;
 
               $(".last-sasl-login").append(`