From 054f66d07ff71307be38be0f00a15c29f915eb7e Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 00:57:34 +0100
Subject: [PATCH] escape some api stuff
---
 application/controllers/Api.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index 4ae4f64d5..c56436f87 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -74,9 +74,9 @@ class API extends CI_Controller {
 } else { // Success!
- $this->api_model->update_key_description($this->input->post('api_key'), $this->input->post('api_desc'));
+ $this->api_model->update_key_description($this->input->post('api_key', true), $this->input->post('api_desc', true));
- $this->session->set_flashdata('notice', sprintf(__("API Key %s description has been updated."), "".$this->input->post('api_key').""));
+ $this->session->set_flashdata('notice', sprintf(__("API Key %s description has been updated."), "" . htmlspecialchars($this->input->post('api_key', true), ENT_QUOTES, 'UTF-8') . ""));
 redirect('api');
 }
@@ -118,7 +118,7 @@ class API extends CI_Controller {
 $this->api_model->delete_key($key);
- $this->session->set_flashdata('notice', sprintf(__("API Key %s has been deleted"), "".$key."" ));
+ $this->session->set_flashdata('notice', sprintf(__("API Key %s has been deleted"), "" . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . "" ));
 redirect('api');
 }
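Review bot: The `true` argument added to both `$this->input->post()` calls runs CodeIgniter's XSS filter on `api_key` and `api_desc` before they reach `update_key_description()`, so the description is rewritten before storage, yet that filter is not context-aware and the view that later prints the description (not visible here) still has to escape it on output. The flash-message line then reads `api_key` from POST a second time and applies `htmlspecialchars()` on top of the filter. Assuming the model binds its parameters (the method and model are outside this hunk, so confirm there), I would read the key once with `$api_key = $this->input->post('api_key');`, hand the unfiltered values to the model, and escape only at the sink with `htmlspecialchars($api_key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Without `ENT_SUBSTITUTE` an invalid UTF-8 sequence makes `htmlspecialchars()` return an empty string, and the same applies to the `htmlspecialchars($key, ...)` call in the second hunk.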
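Review bot: The success notice interpolates the request-supplied `$key` without looking at what `delete_key($key)` did, so any value is echoed back as a deleted key even when no row matched. The return value of `delete_key()` is unused in the visible lines and the method body starts outside this hunk; if the model can report whether a row was removed, gate the notice on it, e.g. `if ($this->api_model->delete_key($key)) { ... }`, and show a generic failure notice otherwise. Since the same escape call now appears in both hunks, CodeIgniter's `html_escape($key)` helper would keep the flags and charset in one place.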