From 9740cdd33b1e490bf8cd76447a4cd8f52f29c35f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 3 May 2026 23:04:59 +0000
Subject: [PATCH] fix: escape service_name in order.php to prevent XSS;
 modernize admin JS

Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/28b4019a-734d-418e-8002-8c1ff0c0f564

Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
---
 modules/billing/adminserverlist.php | 6 +++---
 modules/billing/order.php           | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/billing/adminserverlist.php b/modules/billing/adminserverlist.php
index 5f44a28f..afd4e033 100644
--- a/modules/billing/adminserverlist.php
+++ b/modules/billing/adminserverlist.php
@@ -576,11 +576,11 @@ while ($svcRes && ($row = $svcRes->fetch_assoc())) {
 
 <script>
 // Toggle fallback text input when image dropdown changes
-document.querySelectorAll('select[data-fallback-id]').forEach(function (sel) {
+document.querySelectorAll('select[data-fallback-id]').forEach((sel) => {
     sel.addEventListener('change', function () {
-        var fb = document.getElementById(this.dataset.fallbackId);
+        const fb = document.getElementById(this.dataset.fallbackId);
         if (!fb) return;
-        var show = (this.value === '__other__');
+        const show = (this.value === '__other__');
         fb.classList.toggle('img-fallback-visible', show);
         if (!show) fb.value = '';
     });
diff --git a/modules/billing/order.php b/modules/billing/order.php
index c5db8340..d07b02ca 100644
--- a/modules/billing/order.php
+++ b/modules/billing/order.php
@@ -108,7 +108,7 @@ THIS IS WHAT WE DISPLAY ON THE SHOP PAGE AT THE TOP
   
 <img src="<?php echo htmlspecialchars(billing_image_url((string)($row['img_url'] ?? '')), ENT_QUOTES, 'UTF-8');?>" width="460" height="225" >
 <br>
-<?php echo $row['service_name'];?>
+<?php echo htmlspecialchars((string)$row['service_name'], ENT_QUOTES, 'UTF-8');?>
 <br>
 <?php 
 if ($row['price_monthly'] == 0.0) {
@@ -144,7 +144,7 @@ if ($row['price_monthly'] == 0.0) {
 			<div class="float-left decorative-bottom">
 			
 			<img src="<?php echo htmlspecialchars(billing_image_url((string)($row['img_url'] ?? '')), ENT_QUOTES, 'UTF-8');?>" width="230" height="112">
-			<center><b>	<?php echo $row['service_name'];?></b></center>
+			<center><b>	<?php echo htmlspecialchars((string)$row['service_name'], ENT_QUOTES, 'UTF-8');?></b></center>
 			<?php
 			
 			//$isAdmin = if( current_user_can('administrator')){