fix(security): sanitize remote IP headers and escape log viewer output

#4135
2026-06-05 11:59:35 +00:00 · 2026-05-04 16:36:33 +02:00
parent 9f96ef83ec
commit c90f8a05bf
23 changed files with 147 additions and 85 deletions
--- a/web/html/modals/client_modal.html
+++ b/web/html/modals/client_modal.html
@@ -7,7 +7,7 @@
            :style="{ marginBottom: '10px', display: 'block', textAlign: 'center' }">Account
            is (Expired|Traffic Ended) And Disabled</a-tag>
    </template>
-    {{template "form/client"}}
+    {{template "form/client" .}}
 </a-modal>
 <script>
    const clientModal = {
--- a/web/html/modals/inbound_modal.html
+++ b/web/html/modals/inbound_modal.html
@@ -2,7 +2,7 @@
 <a-modal id="inbound-modal" v-model="inModal.visible" :title="inModal.title" :dialog-style="{ top: '20px' }"
    @ok="inModal.ok" :confirm-loading="inModal.confirmLoading" :closable="true" :mask-closable="false"
    :class="themeSwitcher.currentTheme" :ok-text="inModal.okText" cancel-text='{{ i18n "close" }}'>
-    {{template "form/inbound"}}
+    {{template "form/inbound" .}}
 </a-modal>
 <script>
    // Make inModal globally available to ensure it works with any base path
--- a/web/html/modals/xray_outbound_modal.html
+++ b/web/html/modals/xray_outbound_modal.html
@@ -3,7 +3,7 @@
    :confirm-loading="outModal.confirmLoading" :closable="true" :mask-closable="false"
    :ok-button-props="{ props: { disabled: !outModal.isValid } }" :style="{ overflow: 'hidden' }"
    :ok-text="outModal.okText" cancel-text='{{ i18n "close" }}' :class="themeSwitcher.currentTheme">
-    {{template "form/outbound"}}
+    {{template "form/outbound" .}}
 </a-modal>
 <script>
    const outModal = {