From 5ef16773c89df25be4c10b8adf38988b549b3f71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <gina@octoprint.org>
Date: Wed, 11 May 2022 13:03:40 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Escape=20requested=20us?=
 =?UTF-8?q?er=20id?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes an XSS issue.
---
 src/octoprint/templates/login.jinja2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/octoprint/templates/login.jinja2 b/src/octoprint/templates/login.jinja2
index adca8c6131..252e33dbd7 100644
--- a/src/octoprint/templates/login.jinja2
+++ b/src/octoprint/templates/login.jinja2
@@ -69,12 +69,12 @@
             <div id="login-offline" class="alert alert-error">{{ _('Server is currently offline.') }} <a id="login-reconnect" href="javascript:void(0)">{{ _('Reconnect...') }}</a></div>
 
             {% if user_id %}<p>
-                {{ _('The following account is required:') }} {{ user_id }}
+                {{ _('The following account is required:') }} {{ user_id|e }}
             </p>{% elif logged_in %}<p>
                 {{ _('An account with the following permissions is required:') }} {{ permission_names|join(", ") }}
             </p>{% endif %}
 
-            <input type="text" id="login-user" data-test-id="login-username" class="input-block-level" placeholder="{{ _('Username')|edq }}" {% if user_id %}value="{{ user_id }}" disabled{% endif %} autofocus autocapitalize="none">
+            <input type="text" id="login-user" data-test-id="login-username" class="input-block-level" placeholder="{{ _('Username')|edq }}" {% if user_id %}value="{{ user_id|edq }}" disabled{% endif %} autofocus autocapitalize="none">
             <input type="password" id="login-password" data-test-id="login-password" class="input-block-level" placeholder="{{ _('Password')|edq }}">
             <span class="pull-right"><small><a href="https://faq.octoprint.org/forgotten-password" id="login-forgotpassword" target="_blank" tabindex="-1">{{ _('Forgot password?') }}</a></small></span>
             <label class="checkbox">