Fix xss on account settings page

res/include/md/acknowledgements.md

@@ -30,7 +30,8 @@
 
  * 2020-12-06 Security researcher Arian Firoozfar reported a cross-site
    scripting vulnerability on the file viewer page. The issue was fixed the
-   following day.
+   following day. On the 26th another XSS vulnerability was found on the account
+   settings page, it was fixed later that day.
 
  * 2017-12-04 Security researcher Hangyi reported a cross-site scripting
    vulnerability on the file viewer page. The issue was fixed on the 6th.

res/template/server_status.html

@@ -16,8 +16,8 @@
 
 	<body>
 		{{template "page_menu" .}}
-		<div class="page_body" style="padding: 0; top: 0; bottom: 0;">
+		<div id="page_body" class="page_body" style="padding: 0; top: 0; bottom: 0;">
-			<iframe id="page_body" src="https://status.pixeldrain.com" class="status_frame"></iframe>
+			<iframe src="https://status.pixeldrain.com" class="status_frame"></iframe>
 		</div>
 		{{template "analytics"}}
 	</body>

webcontroller/user_settings.go

@@ -2,6 +2,7 @@ package webcontroller
 
 import (
 	"fmt"
+	"html"
 	"html/template"
 	"net/http"
 
@@ -211,7 +212,7 @@ func (wc *WebController) usernameForm(td *TemplateData, r *http.Request) (f Form
 			// Request was a success
 			f.SubmitSuccess = true
 			f.SubmitMessages = []template.HTML{template.HTML(
-				"Success! You are now " + f.FieldVal("new_username"),
+				"Success! You are now " + html.EscapeString(f.FieldVal("new_username")),
 			)}
 		}
 	}