fix(ncp-web): prevent XSS via log output and undefined array key warning by aroldobossoni · Pull Request #2096 · nextcloud/nextcloudpi
This commit addresses two issues in the NextCloudPi web panel:
1. HTML injection via ncp.log content (XSS vulnerability)
- When /var/log/ncp.log contains HTML-like content (e.g., <strftime_format> from certain backup operations), the unescaped output breaks the HTML parser
- This causes the browser to ignore subsequent <script> tags, preventing minified.js and ncp.js from loading
- Result: the dashboard never loads and shows an infinite "System Info" spinner
- Fix: wrap file_get_contents() with htmlspecialchars() in index.php line 290
2. PHP warning for undefined HTTP_ACCEPT_LANGUAGE
- When requests lack an Accept-Language header (e.g., API calls, curl), PHP emits an "Undefined array key" warning
- This warning can corrupt JSON responses from ncp-launcher.php
- Fix: use the null coalescing operator (?? '') in both index.php and ncp-launcher.php
Tested on NextCloudPi running in LXC container on Proxmox.
Made-with: Cursor
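The two patterns the commit describes, shown side by side as an added example; this is not NextCloudPi's own code and does not reproduce index.php or ncp-launcher.php. The function names (renderLogRaw, renderLogEscaped, preferredLanguage) and the sample log text are constructed for illustration, and the script assumes PHP 8 or later (for str_contains). It contrasts dropping a log file's contents straight into the page with escaping them first, and reads Accept-Language through the null coalescing operator so a header-less request produces no warning.

```php
<?php
// Added example, not NextCloudPi code. Constructed log content containing the
// kind of HTML-like token the PR describes, plus a stray closing tag.
$sampleLog = "backup started\n"
    . "archive name template: <strftime_format>\n"
    . "</pre> unexpected tag from a tool's output\n";

// Vulnerable pattern: raw log text embedded in the page. Any '<' in the log
// is handed to the HTML parser, which can swallow the <script> tags that follow.
function renderLogRaw(string $log): string
{
    return '<pre id="log">' . $log . '</pre>';
}

// Hardened pattern (what the PR's fix does): escape before embedding, so the
// log is rendered as text and cannot open or close elements.
function renderLogEscaped(string $log): string
{
    $escaped = htmlspecialchars($log, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<pre id="log">' . $escaped . '</pre>';
}

// Accept-Language handling: '?? ""' replaces a direct $_SERVER[...] read, so a
// request without the header (curl, API clients) yields '' instead of an
// "Undefined array key" warning that would be printed into a JSON response.
function preferredLanguage(array $server): string
{
    $header = $server['HTTP_ACCEPT_LANGUAGE'] ?? '';
    // first tag only, e.g. "pt-BR,pt;q=0.9" -> "pt-BR"; fall back to 'en'
    $first = explode(',', $header)[0];
    $tag = trim(explode(';', $first)[0]);
    return $tag !== '' ? $tag : 'en';
}

// Self-check when run from the CLI: php log_escape_demo.php
function selfCheck(string $log): bool
{
    $raw  = renderLogRaw($log);
    $safe = renderLogEscaped($log);
    return str_contains($raw, '</pre> unexpected')            // raw output closes the element early
        && !str_contains($safe, '</pre> unexpected')          // escaped output does not
        && str_contains($safe, '&lt;strftime_format&gt;')     // token rendered as text
        && preferredLanguage([]) === 'en'                     // header absent, no warning
        && preferredLanguage(['HTTP_ACCEPT_LANGUAGE' => 'pt-BR,pt;q=0.9']) === 'pt-BR';
}

echo selfCheck($sampleLog) ? "ok\n" : "FAIL\n";
echo renderLogEscaped($sampleLog), "\n";
```

Running the script with `php -d error_reporting=E_ALL` is the quickest way to confirm the second point: with the `??` default removed from preferredLanguage, an empty $server array triggers the warning on stdout, which is exactly the text that would corrupt a JSON body.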