hardening: escape request variables in JavaScript string contexts

## Description

Several locations in `notify_lists.php` interpolate `get_request_var('id')` directly into JavaScript string literals without `html_escape()` or `intval()`.

## Affected Files

- `notify_lists.php` lines 1141, 1151, 1512, 1523, 1803, 1811

## Risk

Post-authentication reflected XSS if `id` is not validated as integer in all code paths. The `page` hidden inputs at `thold_graph.php` lines 254 and 1267 have the same pattern but are integer-validated, making them very low risk.

## Suggested Fix

Wrap all `get_request_var('id')` outputs in JS context with `intval()` or use `html_escape()` at the output site.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

hardening: escape request variables in JavaScript string contexts #763

Description

Affected Files

Risk

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

hardening: escape request variables in JavaScript string contexts #763

Description

Description

Affected Files

Risk

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions