Escape generated password in mobileconfig

Escape ampersand, less than, greater than to avoid generating invalid XML. Fixes #7171
2026-05-27 05:03:52 +00:00 · 2026-05-02 16:24:01 +02:00
parent 886dbcc419
commit ffbc37a00c
1 changed files with 1 additions and 0 deletions
--- a/data/web/mobileconfig.php
+++ b/data/web/mobileconfig.php
@@ -65,6 +65,7 @@ if (isset($_GET['app_password'])) {
      $attr['protocols'][] = 'dav_access';
  }
  app_passwd("add", $attr);
+  $password = htmlspecialchars($password, ENT_NOQUOTES);
 } else {
  $app_password = false;
 }