Conversation

@simonLeary42 (Collaborator) commented Dec 22, 2025

This is not really a concern because we trust the attribute values provided by InCommon IdPs.

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds HTML escaping using htmlspecialchars() to LDAP attribute values before they are output to prevent Cross-Site Scripting (XSS) vulnerabilities. The changes apply escaping to user data from LDAP sources (usernames, email addresses, names, organizations, etc.) across admin panels, user-facing pages, and email templates.

  • Adds htmlspecialchars() to LDAP-sourced values displayed in admin management pages
  • Applies HTML escaping to user data shown in email templates
  • Refactors variable assignments to escape values before output

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 10 comments.

File | Description
---- | -----------
webroot/panel/pi.php | Adds HTML escaping to uid, name, and email fields displayed in PI request table
webroot/admin/user-mgmt.php | Applies escaping to user attributes (uid, gecos, org, mail, gid) in user management table
webroot/admin/pi-mgmt.php | Escapes user data in PI request and owner management tables
webroot/admin/ajax/get_group_members.php | Adds escaping to group member data displayed in tables and forms
resources/mail/user_sshkey.php | Escapes SSH key data in email template
resources/mail/user_loginshell.php | Escapes login shell value in email template
resources/mail/user_flag_removed_admin.php | Applies escaping to username in admin notification emails
resources/mail/user_flag_added_admin.php | Applies escaping to username in admin notification emails
resources/mail/user_flag_added.php | Escapes username and organization in user activation email
resources/mail/group_user_request_owner.php | Escapes group name and user details in owner notification email
resources/mail/group_user_request.php | Escapes group name in user confirmation email
resources/mail/group_user_removed_owner.php | Escapes group name and user details in owner notification email
resources/mail/group_user_removed.php | Escapes group name in user notification email
resources/mail/group_user_denied_owner.php | Escapes group name and user details in owner notification email
resources/mail/group_user_denied.php | Escapes group name in user notification email
resources/mail/group_user_added_owner.php | Escapes group name and user details in owner notification email
resources/mail/group_user_added.php | Escapes group name in user notification email
resources/mail/group_request_cancelled.php | Escapes uid in cancellation notification email
resources/mail/group_request_admin.php | Escapes user details in admin notification email
resources/mail/group_join_request_cancelled.php | Escapes uid in cancellation notification email
resources/mail/group_disband.php | Escapes group name in disband notification email
resources/mail/account_deletion_request_cancelled_admin.php | Escapes user details in admin notification email
resources/mail/account_deletion_request_admin.php | Escapes user details in admin notification email

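Added example, not code from this PR or its project: an LDAP entry in the shape returned by ldap_get_entries() rendered once without escaping and once through htmlspecialchars() as the PR does; the helper names h(), ldapFirst() and renderUserRow() are hypothetical.

```php
<?php
// Added example (not from the PR or its project). Helper names are hypothetical.
declare(strict_types=1);

// Escape one LDAP attribute value for an HTML body or attribute context.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently blank a field.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// ldap_get_entries() returns each attribute as an array with a 'count' key and
// numeric indexes; take the first value as a string, or '' if the attribute is absent.
function ldapFirst(array $entry, string $attr): string
{
    $v = $entry[$attr] ?? null;
    if (is_array($v)) {
        return (string) ($v[0] ?? '');
    }
    return (string) ($v ?? '');
}

// Before: raw attribute values are concatenated straight into markup.
function renderUserRowUnescaped(array $entry): string
{
    return '<tr><td>' . ldapFirst($entry, 'uid') . '</td><td>'
        . ldapFirst($entry, 'gecos') . '</td></tr>';
}

// After: every LDAP-sourced value passes through h() at the point of output.
function renderUserRow(array $entry): string
{
    return '<tr><td>' . h(ldapFirst($entry, 'uid')) . '</td><td>'
        . h(ldapFirst($entry, 'gecos')) . '</td></tr>';
}

// Constructed sample entry; the gecos value contains ordinary markup characters
// (a company name with "&" and angle brackets), the kind of input that breaks
// or changes the page when echoed unescaped.
$entry = [
    'uid'   => ['count' => 1, 0 => 'jdoe'],
    'gecos' => ['count' => 1, 0 => 'Doe & Sons <Research>'],
];

echo renderUserRowUnescaped($entry), "\n"; // markup characters reach the browser as-is
echo renderUserRow($entry), "\n";          // & and <> arrive as &amp; &lt; &gt; and render as text
```

htmlspecialchars() is the right tool only where the output is parsed as HTML; for the mail templates in this PR that holds when the message body is sent as text/html, whereas a text/plain body would show the entities literally.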

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.
