hardening(cycle): html_escape rfilter and leaf title before HTML output

## Summary

`cycle.php:312` echoes `$leaf['title']` (from the database) and `cycle.php:323` echoes `$rfilter` (from a request variable) into HTML without `html_escape()`. Either value can contain HTML/JavaScript that executes in the browser of authenticated users viewing the plugin.

## Details

| Field | Value |
|-------|-------|
| File | cycle.php |
| Lines | 312, 323 |
| Auth required | Yes — authenticated Cacti user |
| CWE | CWE-79 |

```php
// Line 312 — before
echo $leaf['title'];
// after
echo html_escape($leaf['title']);

// Line 323 — before
value="<?php echo $rfilter; ?>"
// after
value="<?php echo html_escape($rfilter); ?>"
```

Fix applied in branch `security/cycle-html-escape-output`.

## Acceptance criteria

- [ ] `html_escape()` applied to `$leaf['title']` at line 312
- [ ] `html_escape()` applied to `$rfilter` at line 323
- [ ] Regression tests in `tests/Security/CycleParamTest.php`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

hardening(cycle): html_escape rfilter and leaf title before HTML output #22

Summary

Details

Acceptance criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Field	Value
File	cycle.php
Lines	312, 323
Auth required	Yes — authenticated Cacti user
CWE	CWE-79

hardening(cycle): html_escape rfilter and leaf title before HTML output #22

Description

Summary

Details

Acceptance criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions