From 07cc9f4cdc2973d2029a20249ff6bcd55789101e Mon Sep 17 00:00:00 2001
From: Tony Murray <murraytony@gmail.com>
Date: Tue, 1 Nov 2022 05:20:08 -0500
Subject: [PATCH] Fix XSS in api access (#14551)

api access page didn't escape username allowing for injection.
---
 includes/html/pages/api-access.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/html/pages/api-access.inc.php b/includes/html/pages/api-access.inc.php
index 8e3f34c341..1a6898fb1d 100644
--- a/includes/html/pages/api-access.inc.php
+++ b/includes/html/pages/api-access.inc.php
@@ -59,7 +59,7 @@ if (Auth::user()->hasGlobalAdmin()) {
                 <select class="form-control" id="user_id" name="user_id">
     <?php
     foreach ($userlist = User::all() as $user) {
-        echo '<option value="' . $user->user_id . '">' . $user->username . ' (' . $user->auth_type . ')</option>';
+        echo '<option value="' . $user->user_id . '">' . htmlentities($user->username) . ' (' . htmlentities($user->auth_type) . ')</option>';
     } ?>
                 </select>
               </div>