Bad HTML escaping in footer #6768
Description
Contribution guidelines
- I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- ... I have understood that answers are voluntary and community-driven, and not commercial support.
- ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
While the customizable footer claims to support HTML, escaping is run over it which breaks certain elements.
&is misescaped as&nzc;.&is valid HTML yet gets transformed to&nzc;amp;
Logs:
*n/a*
Steps to reproduce:
- Log in to the admin portal.
- Navigate to
/admin/system. - Go to Options › Customize.
- Scroll down to the text area labeled Footer (HTML allowed).
- Enter something like
foo & bar. - Hit Save changes.
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Debian 12
Server/VM specifications:
8 GB RAM, 8 GB Swap, 4 vCores
Is Apparmor, SELinux or similar active?
yes
Virtualization technology:
KVM
Docker version:
28.4.0
docker-compose version or docker compose version:
v2.39.2
mailcow version:
2025-09b
Reverse proxy:
none
Logs of git diff:
*n/a*
Logs of iptables -L -vn:
*n/a*
Logs of ip6tables -L -vn:
*n/a*
Logs of iptables -L -vn -t nat:
*n/a*
Logs of ip6tables -L -vn -t nat:
*n/a*
DNS check:
104.18.32.7
172.64.155.249