From f33d82ffc11ed3438609d4e7a6baa78cb3305bc3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Wed, 3 Jul 2024 15:50:17 +0200
Subject: [PATCH 1/3] [Web] use correct user to fetch TFA authenticators
---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 8e0ac580b..b81bf34ff 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1560,7 +1560,7 @@ function unset_tfa_key($_data) {
 }
 function get_tfa($username = null, $id = null) {
 global $pdo;
- if (isset($_SESSION['mailcow_cc_username'])) {
+ if (empty($username) && isset($_SESSION['mailcow_cc_username'])) {
 $username = $_SESSION['mailcow_cc_username'];
 }
 elseif (empty($username)) {
From 66aa28b5de282fc037e0d2f02fbdc84539b614a1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 22 Jul 2024 15:04:29 +0200
Subject: [PATCH 2/3] [Web] escapeHtml in api_log table
---
 data/web/js/site/debug.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index 512d9551e..8229e9f66 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -325,7 +325,10 @@ jQuery(function($){
 title: 'URI',
 data: 'uri',
 defaultContent: '',
- className: 'dtr-col-md dtr-break-all'
+ className: 'dtr-col-md dtr-break-all',
+ render: function (data, type) {
+ return escapeHtml(data);
+ }
 },
 {
 title: 'Method',
From efb2572f0fa57628ad98a76a4ae884a10cac0a1a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 22 Jul 2024 15:05:43 +0200
Subject: [PATCH 3/3] [Web] escapeHtml in relayhosts table
---
 data/web/js/site/admin.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 80da64167..a2c7954dc 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
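Review bot: In `get_tfa()` (data/web/inc/functions.inc.php) a non-empty `$username` argument now takes precedence over `$_SESSION['mailcow_cc_username']`, and the visible lines contain no check that the current session may read that account's authenticators. That precedence is the point of the fix, but it makes every caller responsible for passing only a trusted or already-authorised username. The rest of the function body and its callers are outside this hunk, so whether they do that cannot be confirmed from here. I would state the contract above the function, e.g. `// $username, when given, wins over the session user; callers must authorise access to it first`.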
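Review bot: The new `render` callback on the URI column in data/web/js/site/debug.js, and the identical one on the hostname column in data/web/js/site/admin.js, passes `data` to `escapeHtml()` unconditionally and never uses its `type` parameter. `escapeHtml` is defined outside this patch; if it stringifies its argument, a null or missing value would presumably be rendered as text instead of falling back to `defaultContent: ''`. A guard such as `return data == null ? '' : escapeHtml(data);` keeps the fallback. A short comment like `// escape for every render type; the logged URI is request-derived` would also explain why `type` is deliberately ignored.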
@@ -397,7 +397,10 @@ jQuery(function($){
 {
 title: lang.host,
 data: 'hostname',
- defaultContent: ''
+ defaultContent: '',
+ render: function (data, type) {
+ return escapeHtml(data);
+ }
 },
 {
 title: lang.username,
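Review bot: Only the `hostname` column receives the escaping callback in this hunk. The `lang.username` column that begins on its last line is cut off, so it is not visible whether the relayhost username is escaped before it reaches the table. If that column has no `render` of its own and the value is not escaped elsewhere, it needs the same `render: function (data, type) { return escapeHtml(data); }`, since both values come from the same stored relayhost record.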