From 3bdb2b0a6a1302ce5bd65b8084aea03567d29132 Mon Sep 17 00:00:00 2001
From: Christos Choutouridis <hoo2@hoo2.net>
Date: Sun, 11 Jan 2026 15:40:59 +0200
Subject: [PATCH] Fix XSS by applying context-aware encoding

---
 passman-dev/php/passman/notes.php | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/passman-dev/php/passman/notes.php b/passman-dev/php/passman/notes.php
index 4b3131c..bebfcec 100644
--- a/passman-dev/php/passman/notes.php
+++ b/passman-dev/php/passman/notes.php
@@ -72,12 +72,17 @@ $result = $conn->query($sql_query);
 echo "<h3>List of notes/comments</h3>";
 
 if (!empty($result) && $result->num_rows >= 1) {
-	while ($row = $result -> fetch_assoc()) {
-		echo "<div class='note'>";
-		echo	"<div class='note-content'>" . $row["note"] . "</div>";
-		echo	"<div class='note-signature'> by " . $row["username"] . "</div>";
-		echo "</div>";
-	}
+    while ($row = $result -> fetch_assoc()) {
+        // Escape output to prevent stored XSS (DB content must be treated as untrusted).
+        $safe_note = htmlspecialchars($row["note"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+        $safe_user = htmlspecialchars($row["username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+
+        echo "<div class='note'>";
+        echo    "<div class='note-content'>" . $safe_note . "</div>";
+        echo    "<div class='note-signature'> by " . $safe_user . "</div>";
+        echo "</div>";
+    }
+
 
 	// Free result set
 	$result -> free_result();