adamwathan / form

Super basic form HTML builder, only really exists so I can pull it in for some other more useful projects.
MIT License

XSS Vulnerabilities #48

Closed EAnushan closed 9 years ago

EAnushan commented 9 years ago

I believe the textarea input is vulnerable to XSS. It uses $value between the textarea tags. We haven't escaped this value. We need to be using htmlentities($output, ENT_QUOTES, 'UTF-8') to escape any user-provided output, as none of it should be able to break the HTML.

There are other locations, other than textarea, where we should be doing this escaping. Anywhere we accept user/developer input and render it should be escaped.
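The bug and the fix described in this issue, as an added illustration that is not the library's own code: a minimal textarea renderer in the unescaped form the report describes, beside one that applies the recommended htmlentities() call (function names and the sample value are assumed for the example).

```php
<?php
// Added illustration, not adamwathan/form's own code. Function names
// (textareaUnescaped, textareaEscaped, e) are assumed for this example.

// Unescaped: $value is dropped straight between the tags, so a value that
// contains "</textarea>" ends the element early and the rest of the string
// is parsed by the browser as live HTML.
function textareaUnescaped(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Escape every user- or developer-supplied string before it reaches the
// output, as the issue recommends. ENT_QUOTES also encodes both quote
// characters, so the same helper is safe inside attribute values.
function e(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Escaped: the element name (attribute context) and the value (text
// context) both go through e(), so neither can break out of the markup.
function textareaEscaped(string $name, string $value): string
{
    return '<textarea name="' . e($name) . '">' . e($value) . '</textarea>';
}

// Constructed sample value that tries to close the textarea early.
$value = 'hello</textarea><b>injected markup</b>';

// In the unescaped output the closing tag inside $value terminates the
// textarea and the <b> element is rendered by the browser.
echo textareaUnescaped('bio', $value), PHP_EOL;

// In the escaped output every '<' and '>' becomes an entity, so the
// browser shows the literal text inside the textarea instead.
echo textareaEscaped('bio', $value), PHP_EOL;

// Self-check matching the issue's requirement: user-provided output must
// not be able to close the element or introduce new tags.
assert(strpos(textareaEscaped('bio', $value), '</textarea><b>') === false);
assert(substr_count(textareaEscaped('bio', $value), '</textarea>') === 1);
```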

adamwathan commented 9 years ago

Thanks for the heads up, feel free to submit a PR if you'd like, otherwise I'll try and get to it today! Thanks!