www: consistent use of <?=, some escapes while at it; closes #986

src/www/diag_logs_filter.php

@@ -761,7 +761,7 @@ include("head.inc");
             $rowIndex++;?>
             <tr class="<?=$evenRowClass?>">
               <td>
-                <a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);" title="<?php echo $filterent['act'];?>">
+                <a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?= html_safe("{$filterent['rulenum']},{$filterent['act']}") ?>', outputrule);" title="<?= html_safe($filterent['act']) ?>">
                   <span class="glyphicon glyphicon-<?php switch ($filterent['act']) {
                     case 'pass':
                         echo "play";  /* icon triangle */
@@ -778,7 +778,7 @@ include("head.inc");
                   </span>
                 </a>
               </td>
-              <td><?php echo htmlspecialchars($filterent['time']);?></td>
+              <td><?= htmlspecialchars($filterent['time']) ?></td>
               <td>
 <?php
                 if ($filterent['direction'] == "out"): ?>
@@ -813,16 +813,16 @@ include("head.inc");
               $dst_htmlclass = str_replace(array('.', ':'), '-', $filterent['dstip']);
 ?>
               <td>
-                <span onclick="javascript:resolve_with_ajax('<?php echo "{$filterent['srcip']}"; ?>');" title="<?=gettext("Click to resolve");?>" class="ICON-<?= $src_htmlclass; ?>" alt="Icon Reverse Resolve with DNS"><span class="btn btn-default btn-xs glyphicon glyphicon-info-sign"></span></span>
+                <span onclick="javascript:resolve_with_ajax('<?= html_safe($filterent['srcip']) ?>');" title="<?=gettext("Click to resolve");?>" class="ICON-<?= $src_htmlclass; ?>" alt="Icon Reverse Resolve with DNS"><span class="btn btn-default btn-xs glyphicon glyphicon-info-sign"></span></span>
                 <a title="<?=gettext("Easy Rule: Add to Block List");?>" href="#blockEasy" class="btn btn-danger btn-xs easy_block">
                 <input type="hidden" value="<?= $filterent['srcip']; ?>" class="srcip"/>
                 <input type="hidden" value="<?= $int;?>" class="intf"/>
                 <input type="hidden" value="<?= $ipproto;?>" class="ipproto"/>
                 <span class="glyphicon glyphicon-remove" alt="Icon Easy Rule: Add to Block List"></span></a>
-                <?php echo $srcstr . '<span class="RESOLVE-' . $src_htmlclass . '"></span>';?>
+                <?= html_safe($srcstr) ?><span class="RESOLVE-<?= html_safe($src_htmlclass) ?>"></span>
               </td>
               <td>
-                <span onclick="javascript:resolve_with_ajax('<?php echo "{$filterent['dstip']}"; ?>');" title="<?=gettext("Click to resolve");?>" class="ICON-<?= $dst_htmlclass; ?>" alt="Icon Reverse Resolve with DNS"><span class="btn btn-default btn-xs  glyphicon glyphicon-info-sign"></span></span>
+                <span onclick="javascript:resolve_with_ajax('<?= html_safe($filterent['dstip']) ?>');" title="<?=gettext("Click to resolve");?>" class="ICON-<?= $dst_htmlclass; ?>" alt="Icon Reverse Resolve with DNS"><span class="btn btn-default btn-xs  glyphicon glyphicon-info-sign"></span></span>
                 <a title="<?=gettext("Easy Rule: Pass this traffic");?>" href="#blockEasy" class="btn btn-success btn-xs easy_pass">
                 <input type="hidden" value="<?= $filterent['srcip']; ?>" class="srcip"/>
                 <input type="hidden" value="<?= $filterent['dstip']; ?>" class="dstip"/>
@@ -831,14 +831,14 @@ include("head.inc");
                 <input type="hidden" value="<?= $proto;?>" class="proto"/>
                 <input type="hidden" value="<?= $ipproto;?>" class="ipproto"/>
                 <span  class="glyphicon glyphicon-play" alt="<?= gettext('Icon Easy Rule: Pass this traffic') ?>"></span></a>
-                <?php echo $dststr . '<span class="RESOLVE-' . $dst_htmlclass . '"></span>';?>
+                <?= html_safe($dststr) ?><span class="RESOLVE-<?= html_safe($dst_htmlclass) ?>"></span>
               </td>
 <?php
               if ($filterent['proto'] == "TCP") {
                   $filterent['proto'] .= ":{$filterent['tcpflags']}";
               }?>
               <td>
-                <?php echo htmlspecialchars($filterent['proto']);?>
+                <?= htmlspecialchars($filterent['proto']);?>
               </td>
             </tr>
 <?php

src/www/diag_logs_filter_dynamic.php

@@ -92,7 +92,7 @@ include("head.inc");
                 <thead>
                   <tr>
                     <td colspan="6">
-                    <strong><?php printf(gettext("Showing last %s records."),$nentries);?></strong>
+                    <strong><?= sprintf(gettext('Showing last %s records.'), $nentries) ?></strong>
                     </td>
                   </tr>
                   <tr>

src/www/diag_testport.php

@@ -114,9 +114,9 @@ include("head.inc"); ?>
     <div class="row">
       <section class="col-xs-12">
         <div id="message" style="" class="alert alert-warning" role="alert">
-          <?php echo gettext("This page allows you to perform a simple TCP connection test to determine if a host is up and accepting connections on a given port. This test does not function for UDP since there is no way to reliably determine if a UDP port accepts connections in this manner."); ?>
+          <?= gettext('This page allows you to perform a simple TCP connection test to determine if a host is up and accepting connections on a given port. This test does not function for UDP since there is no way to reliably determine if a UDP port accepts connections in this manner.') ?>
           <br /><br />
-          <?php echo gettext("No data is transmitted to the remote host during this test, it will only attempt to open a connection and optionally display the data sent back from the server."); ?>
+          <?= gettext('No data is transmitted to the remote host during this test, it will only attempt to open a connection and optionally display the data sent back from the server.') ?>
         </div>
         <div class="content-box">
           <div class="content-box-main ">

src/www/firewall_schedule_edit.php

@@ -882,13 +882,15 @@ function removeRow(el) {
                                       }
                                       if ($firstdayofmonth == $positioncounter){?>
                                         <td align="center" style="cursor: pointer;" class="listr" id="w<?=$weekcounter;?>p<?=$positioncounter;?>" onclick="daytoggle('w<?=$weekcounter;?>p<?=$positioncounter;?>-m<?=$monthcounter;?>d<?=$daycounter;?>');">
-                                          <?php echo $daycounter;
+                                        <?php
+                                          echo $daycounter;
                                           $daycounter++;
                                           $firstdayprinted = TRUE;
                                           echo "</td>";
                                       } elseif ($firstdayprinted == TRUE && $daycounter <= $numberofdays){?>
                                       <td align="center" style="cursor: pointer;" class="listr" id="w<?=$weekcounter;?>p<?=$positioncounter;?>" onclick="daytoggle('w<?=$weekcounter;?>p<?=$positioncounter;?>-m<?=$monthcounter;?>d<?=$daycounter;?>');">
-                                          <?php echo $daycounter;
+                                        <?php
+                                          echo $daycounter;
                                           $daycounter++;
                                           echo "</td>";
                                       } else {

src/www/interfaces.php

@@ -1715,7 +1715,7 @@ include("head.inc");
                         <tr>
                           <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("IPv6 Configuration Type"); ?></td>
                           <td>
-                            <select name="type6" <?php echo (substr($pconfig['if'], 0, 3) == 'gre') ? 'disabled="disabled"' : ''; ?> class="selectpicker" data-style="btn-default" id="type6">
+                            <select name="type6" <?= (substr($pconfig['if'], 0, 3) == 'gre') ? 'disabled="disabled"' : '' ?> class="selectpicker" data-style="btn-default" id="type6">
 <?php
                             $types6 = array("none" => gettext("None"), "staticv6" => gettext("Static IPv6"), "dhcp6" => gettext("DHCPv6"), "slaac" => gettext("SLAAC"), "6rd" => gettext("6rd Tunnel"), "6to4" => gettext("6to4 Tunnel"), "track6" => gettext("Track Interface"));
                             foreach ($types6 as $key => $opt):?>
@@ -1736,14 +1736,12 @@ include("head.inc");
                               $mac = str_replace("\n","",$mac);
                               if (!empty($mac)):
 ?>
-                              <a onclick="document.getElementById('spoofmac').value='<?=$mac?>';" href="#"><?=gettext("Insert my local MAC address"); ?></a><br />
+                              <a onclick="document.getElementById('spoofmac').value='<?= html_safe($mac) ?>';" href="#"><?=gettext("Insert my local MAC address"); ?></a><br />
 <?php
                               endif; ?>
-                              <?=gettext("This field can be used to modify (\"spoof\") the MAC " .
-                              "address of this interface"); ?><br />
-                              <?=gettext("(may be required with some cable connections)"); ?><br />
-                              <?=gettext("Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx " .
-                              "or leave blank"); ?>
+                              <?= gettext('This field can be used to modify ("spoof") the MAC address of ' .
+                                    'this interface. This may be required with some cable connections.') ?><br />
+                              <?=gettext('Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx or leave blank.') ?>
                             </div>
                           </td>
                         </tr>

src/www/services_dhcp.php

@@ -708,13 +708,13 @@ include("head.inc");
                       <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Enable");?> </td>
                       <td>
                         <input name="enable" id="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
-                        <strong><?php printf(gettext("Enable DHCP server on the %s interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));?></strong>
+                        <strong><?= sprintf(gettext("Enable DHCP server on the %s interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));?></strong>
                       </td>
                     </tr>
 <?php
                     else: ?>
                     <tr>
-                      <td colspan="2"><?php echo gettext("Editing Pool-Specific Options. To return to the Interface, click its tab above."); ?></td>
+                      <td colspan="2"><?= gettext('Editing Pool-Specific Options. To return to the Interface, click its tab above.') ?></td>
                     </tr>
                     <tr>
                       <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Pool Description");?></td>

src/www/services_dhcpv6.php

@@ -480,7 +480,7 @@ include("head.inc");
                       <td><i class="fa fa-info-circle text-muted"></i>  <?=gettext("Enable");?></td>
                       <td>
                         <input name="enable" type="checkbox" value="yes" <?php if ($pconfig['enable']) echo "checked=\"checked\""; ?> />
-                        <strong><?php printf(gettext("Enable DHCPv6 server on " . "%s " ."interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));?></strong>
+                        <strong><?= sprintf(gettext("Enable DHCPv6 server on " . "%s " ."interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));?></strong>
                       </td>
                     </tr>
                     <tr>

src/www/services_dnsmasq.php

@@ -242,7 +242,7 @@ $( document ).ready(function() {
                     <input name="regdhcp" type="checkbox" id="regdhcp" value="yes" <?=!empty($pconfig['regdhcp']) ? "checked=\"checked\"" : "";?> />
                     <strong><?=gettext("Register DHCP leases in DNS forwarder");?></strong>
                     <div class="hidden" for="help_for_regdhcp">
-                      <?php printf(gettext("If this option is set, then machines that specify".
+                      <?= sprintf(gettext("If this option is set, then machines that specify".
                       " their hostname when requesting a DHCP lease will be registered".
                       " in the DNS forwarder, so that their name can be resolved.".
                       " You should also set the domain in %sSystem:".
@@ -256,7 +256,7 @@ $( document ).ready(function() {
                     <input name="regdhcpstatic" type="checkbox" id="regdhcpstatic" value="yes" <?=!empty($pconfig['regdhcpstatic']) ? "checked=\"checked\"" : "";?> />
                     <strong><?=gettext("Register DHCP static mappings in DNS forwarder");?></strong>
                     <div class="hidden" for="help_for_regdhcpstatic">
-                      <?php printf(gettext("If this option is set, then DHCP static mappings will ".
+                      <?= sprintf(gettext("If this option is set, then DHCP static mappings will ".
                           "be registered in the DNS forwarder, so that their name can be ".
                           "resolved. You should also set the domain in %s".
                           "System: General setup%s to the proper value."),'<a href="system_general.php">','</a>');?>
@@ -269,7 +269,7 @@ $( document ).ready(function() {
                     <input name="dhcpfirst" type="checkbox" id="dhcpfirst" value="yes" <?=!empty($pconfig['dhcpfirst']) ? "checked=\"checked\"" : "";?> />
                     <strong><?=gettext("Resolve DHCP mappings first");?></strong>
                     <div class="hidden" for="help_for_dhcpfirst">
-                      <?php printf(gettext("If this option is set, then DHCP mappings will ".
+                      <?= sprintf(gettext("If this option is set, then DHCP mappings will ".
                           "be resolved before the manual list of names below. This only ".
                           "affects the name given for a reverse lookup (PTR)."));?>
                     </div>

src/www/services_dyndns_edit.php

@@ -425,7 +425,7 @@ include("head.inc");
                   <tr>
                     <td>&nbsp;</td>
                     <td><span class="vexpl"><span class="red"><strong><?= gettext("Note:") ?><br />
-                      </strong></span><?php printf(gettext("You must configure a DNS server in %sSystem:
+                      </strong></span><?= sprintf(gettext("You must configure a DNS server in %sSystem:
                       General setup%s or allow the DNS server list to be overridden
                       by DHCP/PPP on WAN for dynamic DNS updates to work."),'<a href="system_general.php">','</a>');?></span></td>
                   </tr>

src/www/services_rfc2136_edit.php

@@ -242,7 +242,7 @@ include("head.inc");
                     <td>&nbsp;</td>
                     <td>
                       <span class="text-danger"><strong><?=gettext("Note:");?><br />
-                      </strong></span><?php printf(gettext("You must configure a DNS server in %sSystem: " .
+                      </strong></span><?= sprintf(gettext("You must configure a DNS server in %sSystem: " .
                       "General setup %sor allow the DNS server list to be overridden " .
                       "by DHCP/PPP on WAN for dynamic DNS updates to work."),'<a href="system_general.php">', '</a>');?>
                     </td>

src/www/services_router_advertisements.php

@@ -243,9 +243,9 @@ include("head.inc");
                         </option>
                       </select>
                       <div class="hidden" for="help_for_ramode">
-                        <strong><?php printf(gettext("Select the Operating Mode for the Router Advertisement (RA) Daemon."))?></strong>
-                        <?php printf(gettext("Use \"Router Only\" to only advertise this router, \"Unmanaged\" for Router Advertising with Stateless Autoconfig, \"Managed\" for assignment through (a) DHCPv6 Server, \"Assisted\" for DHCPv6 Server assignment combined with Stateless Autoconfig"));?>
-                        <?php printf(gettext("It is not required to activate this DHCPv6 server when set to \"Managed\", this can be another host on the network")); ?>
+                        <strong><?= sprintf(gettext("Select the Operating Mode for the Router Advertisement (RA) Daemon."))?></strong>
+                        <?= sprintf(gettext("Use \"Router Only\" to only advertise this router, \"Unmanaged\" for Router Advertising with Stateless Autoconfig, \"Managed\" for assignment through (a) DHCPv6 Server, \"Assisted\" for DHCPv6 Server assignment combined with Stateless Autoconfig"));?>
+                        <?= sprintf(gettext("It is not required to activate this DHCPv6 server when set to \"Managed\", this can be another host on the network")); ?>
                       </div>
                     </td>
                   </tr>
@@ -264,7 +264,7 @@ include("head.inc");
                         </option>
                       </select>
                       <div class="hidden" for="help_for_rapriority">
-                        <?php printf(gettext("Select the Priority for the Router Advertisement (RA) Daemon."))?>
+                        <?= sprintf(gettext("Select the Priority for the Router Advertisement (RA) Daemon."))?>
                       </div>
                     </td>
                   </tr>
@@ -290,7 +290,7 @@ include("head.inc");
                       endforeach;?>
                       </select>
                       <div class="hidden" for="help_for_rainterface">
-                        <?php printf(gettext("Select the Interface for the Router Advertisement (RA) Daemon."))?>
+                        <?= sprintf(gettext("Select the Interface for the Router Advertisement (RA) Daemon."))?>
                       </div>
                     </td>
                   </tr>

src/www/services_unbound.php

@@ -205,7 +205,7 @@ include_once("head.inc");
                           <input name="regdhcp" type="checkbox" id="regdhcp" value="yes" <?=!empty($pconfig['regdhcp']) ? "checked=\"checked\"" : "";?> />
                           <strong><?=gettext("Register DHCP leases in the DNS Resolver");?></strong>
                           <div class="hidden" for="help_for_regdhcp">
-                            <?php printf(gettext("If this option is set, then machines that specify".
+                            <?= sprintf(gettext("If this option is set, then machines that specify".
                             " their hostname when requesting a DHCP lease will be registered".
                             " in the DNS Resolver, so that their name can be resolved.".
                             " You should also set the domain in %sSystem:".
@@ -219,7 +219,7 @@ include_once("head.inc");
                           <input name="regdhcpstatic" type="checkbox" id="regdhcpstatic" value="yes" <?=!empty($pconfig['regdhcpstatic']) ? "checked=\"checked\"" : "";?> />
                           <strong><?=gettext("Register DHCP static mappings in the DNS Resolver");?></strong>
                           <div class="hidden" for="help_for_regdhcpstatic">
-                            <?php printf(gettext("If this option is set, then DHCP static mappings will ".
+                            <?= sprintf(gettext("If this option is set, then DHCP static mappings will ".
                                 "be registered in the DNS Resolver, so that their name can be ".
                                 "resolved. You should also set the domain in %s".
                                 "System: General setup%s to the proper value."),'<a href="system_general.php">','</a>');?>

src/www/status_interfaces.php

@@ -430,7 +430,7 @@ include("head.inc");
                   endif;
                   if (!empty($ifinfo['bridge'])): ?>
                     <tr>
-                      <td><?php printf(gettext("Bridge (%s)"),$ifinfo['bridgeint']) ?></td>
+                      <td><?= sprintf(gettext('Bridge (%s)'), $ifinfo['bridgeint']) ?></td>
                       <td>
                         <?= $ifinfo['bridge'] ?>
                       </td>

src/www/status_ntpd.php

@@ -221,8 +221,8 @@ include("head.inc");
                 </thead>
                 <tbody>
                   <tr>
-                    <td><?php echo sprintf("%.5f", $gps_lat); ?> (<?php echo sprintf("%d", $gps_lat_deg); ?>&deg; <?php echo sprintf("%.5f", $gps_lat_min*60); ?><?php echo $gps_vars[4]; ?>)</td>
-                    <td><?php echo sprintf("%.5f", $gps_lon); ?> (<?php echo sprintf("%d", $gps_lon_deg); ?>&deg; <?php echo sprintf("%.5f", $gps_lon_min*60); ?><?php echo $gps_vars[6]; ?>)</td>
+                    <td><?= sprintf("%.5f", $gps_lat); ?> (<?= sprintf("%d", $gps_lat_deg); ?>&deg; <?= sprintf("%.5f", $gps_lat_min*60); ?><?= $gps_vars[4]; ?>)</td>
+                    <td><?= sprintf("%.5f", $gps_lon); ?> (<?= sprintf("%d", $gps_lon_deg); ?>&deg; <?= sprintf("%.5f", $gps_lon_min*60); ?><?= $gps_vars[6]; ?>)</td>
                     <?php if (isset($gps_alt)) { echo '<td>' . $gps_alt . ' ' . $gps_alt_unit . '</td>';}?>
                     <td>
 <?php
@@ -233,7 +233,7 @@ include("head.inc");
                     </td>
                   </tr>
                   <tr>
-                    <td colspan="<?php echo $gps_goo_lnk; ?>"><a target="_gmaps" href="http://maps.google.com/?q=<?php echo $gps_lat; ?>,<?php echo $gps_lon; ?>">Google Maps Link</a></td>
+                    <td colspan="<?= html_safe($gps_goo_lnk) ?>"><a target="_gmaps" href="http://maps.google.com/?q=<?= html_safe($gps_lat) ?>,<?= html_safe($gps_lon) ?>">Google Maps Link</a></td>
                   </tr>
                 </tbody>
               </table>

src/www/status_openvpn.php

@@ -152,7 +152,7 @@ $( document ).ready(function() {
                 </tr>
 <?php
                 foreach ($server['conns'] as $conn): ?>
-                <tr id="<?php echo "r:{$server['mgmt']}:{$conn['remote_host']}"; ?>">
+                <tr id="<?= html_safe("r:{$server['mgmt']}:{$conn['remote_host']}") ?>">
                   <td><?=$conn['common_name'];?></td>
                   <td><?=$conn['remote_host'];?></td>
                   <td><?=$conn['virtual_addr'];?></td>
@@ -202,7 +202,7 @@ $( document ).ready(function() {
                         <tbody>
 <?php
                           foreach ($server['routes'] as $conn): ?>
-                          <tr id="<?php echo "r:{$server['mgmt']}:{$conn['remote_host']}"; ?>">
+                          <tr id="<?= html_safe("r:{$server['mgmt']}:{$conn['remote_host']}") ?>">
                             <td><?=$conn['common_name'];?></td>
                             <td><?=$conn['remote_host'];?></td>
                             <td><?=$conn['virtual_addr'];?></td>
@@ -242,7 +242,7 @@ $( document ).ready(function() {
                 </tr>
 <?php
                 foreach ($sk_servers as $sk_server): ?>
-                <tr id="<?php echo "r:{$sk_server['port']}:{$sk_server['vpnid']}"; ?>">
+                <tr id="<?= html_safe("r:{$sk_server['port']}:{$sk_server['vpnid']}") ?>">
                   <td><?=$sk_server['name'];?></td>
                   <td><?=$sk_server['remote_host'];?></td>
                   <td><?=$sk_server['virtual_addr'];?></td>
@@ -282,7 +282,7 @@ $( document ).ready(function() {
                 </tr>
 <?php
                 foreach ($clients as $client): ?>
-                <tr id="<?php echo "r:{$client['port']}:{$client['vpnid']}"; ?>">
+                <tr id="<?= html_safe("r:{$client['port']}:{$client['vpnid']}") ?>">
                   <td><?=$client['name'];?></td>
                   <td><?=$client['connect_time'];?></td>
                   <td><?=$client['virtual_addr'];?></td>

src/www/status_upnp.php

@@ -57,7 +57,7 @@ include("head.inc");
 <?php
           if (empty($config['installedpackages']['miniupnpd']['config'][0]['iface_array']) || empty($config['installedpackages']['miniupnpd']['config'][0]['enable'])): ?>
           <header class="content-box-head container-fluid">
-            <h3><?php echo gettext("UPnP is currently disabled."); ?></h3>
+            <h3><?= gettext('UPnP is currently disabled.') ?></h3>
           </header>
 <?php
           else: ?>

src/www/system_advanced_admin.php

@@ -409,13 +409,13 @@ include("head.inc");
                     <input name="noantilockout" type="checkbox" value="yes" <?= empty($pconfig['noantilockout']) ? '' : 'checked="checked"' ?>/>
                     <strong><?=gettext("Disable webConfigurator anti-lockout rule"); ?></strong>
                     <div class="hidden" for="help_for_noantilockout">
-                      <?php printf(gettext("When this is unchecked, access to the webConfigurator " .
+                      <?= sprintf(gettext("When this is unchecked, access to the webConfigurator " .
                                           "on the %s interface is always permitted, regardless of the user-defined firewall " .
                                           "rule set. Check this box to disable this automatically added rule, so access " .
                                           "to the webConfigurator is controlled by the user-defined firewall rules " .
                                           "(ensure you have a firewall rule in place that allows you in, or you will " .
                                           "lock yourself out!)"), (empty($config['interfaces']['lan']) ? gettext("WAN") : gettext("LAN"))); ?>
-                      <em> <?= gettext('Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.'); ?> </em>
+                      <em><?= gettext('Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.'); ?></em>
                     </div>
                   </td>
                 </tr>

src/www/system_advanced_firewall.php

@@ -512,7 +512,7 @@ include("head.inc");
                 <tr>
                   <td><a id="help_for_maximumtableentries" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall Maximum Table Entries");?></td>
                   <td>
-                    <input name="maximumtableentries" type="text" id="maximumtableentries" value="<?php echo $pconfig['maximumtableentries']; ?>" />
+                    <input name="maximumtableentries" type="text" id="maximumtableentries" value="<?= html_safe($pconfig['maximumtableentries']) ?>"/>
                     <div class="hidden" for="help_for_maximumtableentries">
                       <strong><?=gettext("Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.");?></strong>
                       <br />

src/www/system_crlmanager.php

@@ -627,12 +627,12 @@ include("head.inc");
                   <td>
 <?php
                   if (!empty($ca['prv'])) :?>
-                    <a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>" data-toggle="tooltip" title="<?php printf(gettext("Add or Import CRL for %s"), htmlspecialchars($ca['descr']));?>" class="btn btn-default btn-xs">
+                    <a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>" data-toggle="tooltip" title="<?= html_safe(sprintf(gettext('Add or Import CRL for %s'), $ca['descr'])) ?>" class="btn btn-default btn-xs">
                       <span class="glyphicon glyphicon-plus"></span>
                     </a>
 <?php
                   else :?>
-                    <a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>&amp;importonly=yes" data-toggle="tooltip" title="<?php printf(gettext("Import CRL for %s"), htmlspecialchars($ca['descr']));?>" class="btn btn-default btn-xs">
+                    <a href="system_crlmanager.php?act=new&amp;caref=<?=$ca['refid']; ?>&amp;importonly=yes" data-toggle="tooltip" title="<?= html_safe(sprintf(gettext('Import CRL for %s'), $ca['descr'])) ?>" class="btn btn-default btn-xs">
                       <span class="glyphicon glyphicon-plus"></span>
                     </a>
 <?php

src/www/system_usermanager_settings_ldapacpicker.php

 <?php
+
 /*
     Copyright (C) 2014-2015 Deciso B.V.
     Copyright (C) 2007 Scott Ullrich <sullrich@gmail.com>
@@ -28,6 +29,7 @@
 
 require_once("guiconfig.inc");
 require_once("auth.inc");
+
 include('head.inc');
 
 $ous = array();
@@ -63,7 +65,7 @@ if (isset($_GET['basedn']) && isset($_GET['host'])) {
  <body>
   <script type="text/javascript">
       function post_choices() {
-        var ous = <?php echo count($ous); ?>;
+        var ous = <?= html_safe(count($ous)) ?>;
         var i;
         var values = $("#ou:checked").map(function(){
                         return $(this).val();

src/www/vpn_ipsec.php

@@ -481,7 +481,7 @@ $( document ).ready(function() {
                         }?>
                         <div id="shph2but-<?=$i?>">
                           <button class="act_show_p2 btn btn-xs" type="button" data-id="<?=$i?>">
-                            <i class="fa fa-plus"></i> <?php printf(gettext("Show %s Phase-2 entries"), $phase2count); ?>
+                            <i class="fa fa-plus"></i> <?= sprintf(gettext('Show %s Phase-2 entries'), $phase2count) ?>
                           </button>
                         </div>
                         <div id="tdph2-<?=$i?>" style="display:none">

src/www/vpn_ipsec_phase2.php

@@ -756,7 +756,7 @@ if (isset($input_errors) && count($input_errors) > 0) {
                       </option>
                     </select>
                     <div class="hidden" for="help_for_natlocalid_nattype">
-                        <?php echo gettext("Enforce the type of NAT by choosing either NAT or BINAT. Leave it to Auto to let OPNsense automatically choose the best NAT option."); ?>
+                        <?= gettext('Enforce the type of NAT by choosing either NAT or BINAT. Leave it to Auto to let OPNsense automatically choose the best NAT option.') ?>
                     </div>
                   </td>
                 </tr>
@@ -775,7 +775,7 @@ if (isset($input_errors) && count($input_errors) > 0) {
                       </option>
                     </select>
                     <div class="hidden" for="help_for_natlocalid_type">
-                        <?php echo gettext("In case you need NAT/BINAT on this network specify the address to be translated"); ?>
+                        <?= gettext('In case you need NAT/BINAT on this network specify the address to be translated.') ?>
                     </div>
                   </td>
                 </tr>

src/www/vpn_openvpn_export.php

@@ -468,7 +468,7 @@ function server_changed() {
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"confinlineios\"," + i + ", -1)'>OpenVPN Connect (iOS/Android)</button>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"confinline\"," + i + ", -1)'>Others</button>";
-    cell2.innerHTML += "<br\/>- Windows Installers (<?php echo $current_openvpn_version . '-Ix' . $current_openvpn_version_rev;?>):<br\/>";
+    cell2.innerHTML += "<br\/>- Windows Installers (<?= $current_openvpn_version . '-Ix' . $current_openvpn_version_rev ?>):<br\/>";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"inst-x86-xp\"," + i + ", -1)'>x86-xp</button>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"inst-x64-xp\"," + i + ", -1)'>x64-xp</button>";
@@ -502,7 +502,7 @@ function server_changed() {
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"confinlineios\",-1," + j + ")'>OpenVPN Connect (iOS/Android)</button>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"confinline\",-1," + j + ")'>Others</button>";
-    cell2.innerHTML += "<br\/>- Windows Installers (<?php echo $current_openvpn_version . '-Ix' . $current_openvpn_version_rev;?>):<br\/>";
+    cell2.innerHTML += "<br\/>- Windows Installers (<?= $current_openvpn_version . '-Ix' . $current_openvpn_version_rev ?>):<br\/>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"inst-x86-xp\",-1," + j + ")'>x86-xp</button>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
@@ -550,7 +550,7 @@ function server_changed() {
     cell2.innerHTML += "&nbsp;&nbsp; ";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"confinline\"," + i + ")'>Others</button>";
     cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ")'>Others<\/a>";
-    cell2.innerHTML += "<br\/>- Windows Installers (<?php echo $current_openvpn_version . '-Ix' . $current_openvpn_version_rev;?>):<br\/>";
+    cell2.innerHTML += "<br\/>- Windows Installers (<?= $current_openvpn_version . '-Ix' . $current_openvpn_version_rev ?>):<br\/>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
     cell2.innerHTML += "<button type='button' class='btn btn-primary btn-xs' onclick='download_begin(\"inst-x86-xp\"," + i + ")'>x86-xp</button>";
     cell2.innerHTML += "&nbsp;&nbsp; ";
@@ -645,7 +645,7 @@ endforeach; ?>
 ?>
                         <?php foreach ($config['dyndnses']['dyndns'] as $ddns) :
 ?>
-                        <option value="<?php echo $ddns["host"] ?>"><?=gettext("Dynamic DNS");
+                        <option value="<?= $ddns["host"] ?>"><?=gettext("Dynamic DNS");
 ?>: <?= htmlspecialchars($ddns["host"]); ?></option>
                         <?php
 endforeach; ?>
@@ -655,7 +655,7 @@ endif; ?>
 ?>
                         <?php foreach ($config['dnsupdates']['dnsupdate'] as $ddns) :
 ?>
-                        <option value="<?php echo $ddns["host"] ?>"><?=gettext("Dynamic DNS");
+                        <option value="<?= $ddns["host"] ?>"><?=gettext("Dynamic DNS");
 ?>: <?= htmlspecialchars($ddns["host"]); ?></option>
                         <?php
 endforeach; ?>

src/www/vpn_openvpn_server.php

@@ -1130,7 +1130,7 @@ endif; ?>
                         endforeach; ?>
                         </select>
                         <div class="hidden" for="help_for_digest">
-                            <?php echo gettext("NOTE: Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN."); ?>
+                            <?= gettext('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.') ?>
                         </div>
                       </td>
                     </tr>

src/www/widgets/widgets/log.widget.php

@@ -151,13 +151,13 @@ handle_ajax($nentries, $nentries + 20);
 
 <script type="text/javascript">
 //<![CDATA[
-lastsawtime = '<?php echo time(); ?>';
+lastsawtime = '<?= html_safe(time()) ?>';
 var lines = Array();
 var timer;
 var updateDelay = 30000;
 var isBusy = false;
 var isPaused = false;
-var nentries = <?php echo $nentries; ?>;
+var nentries = <?= html_safe($nentries) ?>;
 
 <?php
 if (isset($config['syslog']['reverse'])) {
@@ -175,8 +175,8 @@ function format_log_line(row) {
     '<td class="listMRr ellipsis" title="' + row[3] + '">' + row[3] + '<\/td>' +
     '<td class="listMRr ellipsis" title="' + row[4] + '">' + row[4] + '<\/td>';
 
-  var nentriesacts = "<?php echo $nentriesacts; ?>";
-  var nentriesinterfaces = "<?php echo $nentriesinterfaces; ?>";
+  var nentriesacts = "<?= html_safe($nentriesacts) ?>";
+  var nentriesinterfaces = "<?= html_safe($nentriesinterfaces) ?>";
 
   var Action = row[0].match(/alt=.*?(pass|block|reject)/i).join("").match(/pass|block|reject/i).join("");
   var Interface = row[2];
@@ -204,9 +204,9 @@ function format_log_line(row) {
         <select name="filterlogentries" class="formfld unknown" id="filterlogentries">
         <?php for ($i = 1; $i <= 20; $i++) {
 ?>
-          <option value="<?php echo $i;?>" <?php if ($nentries == $i) {
+          <option value="<?= html_safe($i) ?>" <?php if ($nentries == $i) {
                         echo "selected=\"selected\"";
-}?>><?php echo $i;?></option>
+}?>><?= html_safe($i) ?></option>
         <?php
 } ?>
         </select>
@@ -293,20 +293,20 @@ endforeach;
     ?>
     <tr class="<?=$evenRowClass?>">
       <td class="listMRlr nowrap" align="center">
-      <a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);">
-      <span class="<?php echo find_action_image($filterent['act']);?>" alt="<?php echo $filterent['act'];?>" title="<?php echo $filterent['act'];?>" ></span>
+      <a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?= html_safe("{$filterent['rulenum']},{$filterent['act']}") ?>', outputrule);">
+      <span class="<?= html_safe(find_action_image($filterent['act'])) ?>" alt="<?= html_safe($filterent['act']) ?>" title="<?= html_safe($filterent['act']) ?>"></span>
       </a>
       </td>
-      <td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['time']);?>"><?php echo substr(htmlspecialchars($filterent['time']), 0, -3);?></td>
-      <td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['interface']);?>"><?php echo htmlspecialchars($filterent['interface']);?></td>
-      <td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['src']);?>">
-        <a href="#" onclick="javascript:getURL('widgets/widgets/log.widget.php?host=<?php echo "{$filterent['srcip']}";
-?>&amp;dialog_output=true', outputrule);" title="<?=gettext("Reverse Resolve with DNS");?>">
-        <?php echo htmlspecialchars($filterent['srcip']);?></a></td>
-      <td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['dst']);?>">
-        <a href="#" onclick="javascript:getURL('widgets/widgets/log.widget.php?host=<?php echo "{$filterent['dstip']}";
-?>&amp;dialog_output=true', outputrule);" title="<?=gettext("Reverse Resolve with DNS");?>">
-        <?php echo htmlspecialchars($filterent['dstip']);?></a><?php echo ":" . htmlspecialchars($filterent['dstport']);?></td>
+      <td class="listMRr ellipsis nowrap" title="<?= html_safe($filterent['time']) ?>"><?= html_safe(substr($filterent['time'], 0, -3)) ?></td>
+      <td class="listMRr ellipsis nowrap" title="<?= html_safe($filterent['interface']) ?>"><?= html_safe($filterent['interface']) ?></td>
+      <td class="listMRr ellipsis nowrap" title="<?= html_safe($filterent['src']) ?>">
+        <a href="#" onclick="javascript:getURL('widgets/widgets/log.widget.php?host=<?= html_safe($filterent['srcip']) ?>&amp;dialog_output=true', outputrule);"
+          title="<?= html_safe(gettext('Reverse Resolve with DNS')) ?>"><?= html_safe($filterent['srcip']) ?></a>
+      </td>
+      <td class="listMRr ellipsis nowrap" title="<?= html_safe($filterent['dst']) ?>">
+        <a href="#" onclick="javascript:getURL('widgets/widgets/log.widget.php?host=<?= html_safe($filterent['dstip']) ?>&amp;dialog_output=true', outputrule);"
+          title="<?= html_safe(gettext('Reverse Resolve with DNS')) ?>"><?= html_safe($filterent['dstip']) ?></a>:<?= html_safe($filterent['dstport']) ?>
+      </td>
       <?php
             if ($filterent['proto'] == "TCP") {
                 $filterent['proto'] .= ":{$filterent['tcpflags']}";

src/www/widgets/widgets/ntp_status.widget.php

@@ -134,7 +134,7 @@ if ($_REQUEST['updateme']) {
       <?php
 else :
 ?>
-        <?php echo $syncsource; ?>
+        <?= $syncsource ?>
       <?php
 endif; ?>
       </td>
@@ -144,7 +144,7 @@ endif; ?>
       <tr>
         <td width="40%" class="vncellt"><?= gettext('Clock location') ?></td>
         <td width="60%" class="listr">
-          <a target="_gmaps" href="http://maps.google.com/?q=<?php echo $gps_lat; ?>,<?php echo $gps_lon; ?>">
+          <a target="_gmaps" href="http://maps.google.com/?q=<?= html_safe($gps_lat) ?>,<?= html_safe($gps_lon) ?>">
           <?php
                     echo sprintf("%.5f", $gps_lat) . " " . $gps_la . ", " . sprintf("%.5f", $gps_lon) . " " . $gps_lo; ?>
           </a>
@@ -225,7 +225,7 @@ function clockTimeString($inDate, $showSeconds)
 /* set up variables used to init clock in BODY's onLoad handler;
    should be done as early as possible */
 var clockLocalStartTime = new Date();
-var clockServerStartTime = new Date(<?php echo(getServerDateItems($gDate))?>);
+var clockServerStartTime = new Date(<?= html_safe(getServerDateItems($gDate)) ?>);
 
 /* stub functions for older browsers;
    will be overridden by next JavaScript1.2 block */
@@ -469,7 +469,7 @@ function clockUpdate()
       <td width="40%" class="vncellt">Server Time</td>
       <td width="60%" class="listr">
         <div id="ClockTime">
-          <b><?php echo(clockTimeString($gDate, $gClockShowsSeconds));?></b>
+          <b><?= clockTimeString($gDate, $gClockShowsSeconds) ?></b>
         </div>
       </td>
     </tr>

src/www/widgets/widgets/system_log.widget.php

@@ -54,7 +54,7 @@ if(is_numeric($_POST['logfiltercount'])) {
         <td>
           <select name="logfiltercount" id="logfiltercount">
             <?php for ($i = 1; $i <= 50; $i++) {?>
-            <option value="<?php echo $i;?>" <?php if ($syslogEntriesToFetch == $i) { echo "selected=\"selected\"";}?>><?php echo $i;?></option>
+            <option value="<?= html_safe($i) ?>" <?php if ($syslogEntriesToFetch == $i) { echo "selected=\"selected\"";}?>><?= html_safe($i) ?></option>
             <?php } ?>
           </select>
         </td>

src/www/wizard.php

@@ -857,7 +857,7 @@ function showchange() {
 	}
 ?>
 
-	var customarray=new Array(<?php echo $aliases; ?>);
+	var customarray=new Array(<?= $aliases ?>);
 
 	window.onload = function () {