From 49d66fa31b43acef02eaa09ee9af15fe7e16cd03 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Wed, 13 Sep 2023 23:10:37 -0500
Subject: [PATCH] Fix improperly escaped output in outages page (#15310)

Fixes XSS reported by https://huntr.dev/users/hainguyen0207
---
 includes/html/common/outages.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/html/common/outages.inc.php b/includes/html/common/outages.inc.php
index b8574dcf69..947a8f28f0 100644
--- a/includes/html/common/outages.inc.php
+++ b/includes/html/common/outages.inc.php
@@ -39,8 +39,8 @@ var outages_grid = $("#outages").bootgrid({
 {
 return {
 device: ' . (empty($vars['device']) ? 'null' : (int) $vars['device']) . ',
- to: "' . addcslashes($vars['to'], '"') . '",
- from: "' . addcslashes($vars['from'], '"') . '",
+ to: "' . htmlspecialchars($vars['to']) . '",
+ from: "' . htmlspecialchars($vars['from']) . '",
 };
 },
 url: "' . url('/ajax/table/outages') . '"
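Review bot: The two added lines escape for the wrong context: `$vars['to']` and `$vars['from']` are emitted inside a JavaScript double-quoted string literal in a `<script>` block, and `htmlspecialchars()` encodes `<`, `>`, `&` and `"` but leaves the backslash alone, so a value ending in `\` still escapes the closing quote and the literal runs into the next line of the object; it also turns a legitimate `&` into `&amp;` inside the JS value. The context-correct primitive is a JSON encode that produces the whole quoted literal, e.g. `to: ' . json_encode((string) $vars['to'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ',` and the same for `from`, with the surrounding `"` dropped since `json_encode` supplies them; the cast also avoids the PHP 8.1 deprecation of passing `null` to a string function if those keys can be absent (not visible here — confirm against the caller). Note that `htmlspecialchars()` default flags differ between PHP versions (single quotes are not encoded before 8.1), which is another reason to not rely on it for script context. The `echo`/string that these lines belong to starts and ends outside the hunk.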