fix: escape service_name in order.php to prevent XSS; modernize admin JS

Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/28b4019a-734d-418e-8002-8c1ff0c0f564

Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>

modules/billing/adminserverlist.php

@@ -576,11 +576,11 @@ while ($svcRes && ($row = $svcRes->fetch_assoc())) {
 
 <script>
 // Toggle fallback text input when image dropdown changes
-document.querySelectorAll('select[data-fallback-id]').forEach(function (sel) {
+document.querySelectorAll('select[data-fallback-id]').forEach((sel) => {
     sel.addEventListener('change', function () {
-        var fb = document.getElementById(this.dataset.fallbackId);
+        const fb = document.getElementById(this.dataset.fallbackId);
         if (!fb) return;
-        var show = (this.value === '__other__');
+        const show = (this.value === '__other__');
         fb.classList.toggle('img-fallback-visible', show);
         if (!show) fb.value = '';
     });

modules/billing/order.php

@@ -108,7 +108,7 @@ THIS IS WHAT WE DISPLAY ON THE SHOP PAGE AT THE TOP
   
 <img src="<?php echo htmlspecialchars(billing_image_url((string)($row['img_url'] ?? '')), ENT_QUOTES, 'UTF-8');?>" width="460" height="225" >
 <br>
-<?php echo $row['service_name'];?>
+<?php echo htmlspecialchars((string)$row['service_name'], ENT_QUOTES, 'UTF-8');?>
 <br>
 <?php 
 if ($row['price_monthly'] == 0.0) {
@@ -144,7 +144,7 @@ if ($row['price_monthly'] == 0.0) {
 			<div class="float-left decorative-bottom">
 			
 			<img src="<?php echo htmlspecialchars(billing_image_url((string)($row['img_url'] ?? '')), ENT_QUOTES, 'UTF-8');?>" width="230" height="112">
-			<center><b>	<?php echo $row['service_name'];?></b></center>
+			<center><b>	<?php echo htmlspecialchars((string)$row['service_name'], ENT_QUOTES, 'UTF-8');?></b></center>
 			<?php
 			
 			//$isAdmin = if( current_user_can('administrator')){